Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
IT Technology

Cloudflare Wants To Replace CAPTCHAs With Turnstile (techcrunch.com) 35

Ahead of its Connect conference in October, Cloudflare this week announced an ambitious new project called Turnstile, which seeks to do away with the CAPTCHAs used throughout the web to verify people are who they say they are. From a report: Available to site owners at no charge, Cloudflare customers or no, Turnstile chooses from a rotating suite of "browser challenges" to check that visitors to a webpage aren't, in fact, bots. CAPTCHAs, the challenge-response tests most of us have encountered when filling out forms, have been around for decades, and they've been relatively successfully at keeping bot traffic at bay. But the rise of cheap labor, bugs in various CAPTCHA flavors and automated solvers have begun to poke holes in the system. Several websites offer human- and AI-backed CAPTCHA-solving services for as low as $0.50 per thousand solved CAPTCHAs, and some researchers claim AI-based attacks can successfully solve CAPTCHAs used by the world's most popular websites.

Cloudflare itself was once a CAPTCHA user. But according to CTO John Graham-Cumming, the company was never quite satisfied with it -- if Cloudflare's public rallying cries hadn't made that clear. In a conversation with TechCrunch, Graham-Cumming listed what he sees as the many downsides of CAPTCHA technology, including poor accessibility (visual disabilities can make it impossible to solve a CAPTCHA), cultural bias (CAPTCHAs assume familiarity with objects like U.S. taxis) and the strains that CAPTCHAs place on mobile data plans. [...] Turnstile automatically chooses a browser challenge based on "telemetry and client behavior exhibited during a session," Cloudflare says, rather than factors like login cookies. After running non-interactive JavaScript challenges to gather signals about the visitor and browser environment and using AI models to detect features and visitors who've passed a challenge before, Turnstile fine-tunes the difficulty of the challenge to the specific request -- avoiding having users solve a puzzle.

This discussion has been archived. No new comments can be posted.

Cloudflare Wants To Replace CAPTCHAs With Turnstile

Comments Filter:
  • by nadass ( 3963991 ) on Wednesday September 28, 2022 @12:31PM (#62921591)
    The summary hints at Turnstile is an identification/authentication system, but that's entirely different than an on-page human-or-bots challenge (CAPTCHA).

    Overall, it's rather sad that the entire Internet will adopt only official CAPTCHA/reCAPTCHA or TURNSTILE implementations. There should be a litany of bots challenge options out there, forcing challenge-defeating bots to not obtain blanket access (carte blanche) to any/all challenge-protected content.

    Of course, in fuddy old age, I don't think we should be manually browsing the Internet anymore. Everything should be API-based and accessible in native/mixed-reality devices leveraging whatever UI one chooses -- without any measurable concern for pay walls (on a content-access basis). Information should be free.
    • Information should be free.

      Someone has to pay for that information. TANSTAAFL.

    • Overall, it's rather sad that the entire Internet will adopt only official CAPTCHA/reCAPTCHA or TURNSTILE implementations. There should be a litany of bots challenge options out there, forcing challenge-defeating bots to not obtain blanket access (carte blanche) to any/all challenge-protected content.

      There are two ways. Implement your own which will likely be easily crackable and hope no one targets you specifically or use a hardened and tested version that your hope is uncrackable and again hope that no one targets you specifically before they come out with an update. If you are in an arms race, it's much better to have an entire army working on improving your side than going it alone.

  • by Kunedog ( 1033226 ) on Wednesday September 28, 2022 @12:34PM (#62921603)

    seeks to do away with the CAPTCHAs used throughout the web to verify people are who they say they are

    No, CAPTCHAs are used to verify that any person at all is there. It's not an internet ID.

    TFS makes Turnstile sound like glorified browser fingerprinting.

    • From the description, it sounds more like browser _and_ user fingerprinting. Which is a bit disturbing, because it's another step away from casual anonymity.
    • by AmiMoJo ( 196126 )

      Having read the actual blog post and tried the new TURNSTILE out, it does appear to simply be verifying that the browser is operated by a human. TFA seems to be a little bit confused.

      Even with my extensive privacy enhancing add-ons, limited settings, and VPN, it passed by right away. That's much better than other systems that make me select images.

      Much better for website operators too. A CAPTCHA is a good way to make me close your website and go somewhere else.

  • by bradley13 ( 1118935 ) on Wednesday September 28, 2022 @12:41PM (#62921635) Homepage

    based on "telemetry and client behavior exhibited during a session

    Details are missing, but I don't like the sound of this...

    • by DarkOx ( 621550 ) on Wednesday September 28, 2022 @02:15PM (#62921987) Journal

      Its not new; F5 Shape, Akamai Bot Manager, nudata, and few others are doing this pretty much for every retail, and financial services sector website of any size already.

      Most of those places are configured with CAPTCHA fallback if you don't bass the hidden I am not a bot test. If you are using any plug-ins that block JS and you get slammed with CAPTCHAs on every friggin login form in those sectors, that is probably why.

      The short version is they send down a obfuscated JS that implements its on little VM and some behavior checking code, to run. It looks at a bunch of things, display size, pointer movements, scroll bar position, color depths, usually some timing and checking other scripts loaded, of course the good old user-agent, and comparing with other navigator properties to see if it all jives, hardwareConcurrency. In a lot cases it collects what would otherwise be duplicate telemetry as anti tampering control - so you can't as easily spot 1080 and think that is a screen height and tweak it. The bottle all this telemetry up into a blob, obfuscate it and send it to the backend. Its scored based on some customer tune-ables, and some action is taken - permit, log, CAPTCHA challenge, deny, black-list IP...etc.

    • by kmoser ( 1469707 )
      Your aberrant behavior has been noted and reported to the proper authorities. Prepare to report to mandatory re-education camp.
  • by Arnonyrnous Covvard ( 7286638 ) on Wednesday September 28, 2022 @12:50PM (#62921665)
    Browse the web via Tor. Doing so will show you two things: 1) How many web sites terminate TLS at Cloudflare, not their own servers, and 2) how much Cloudflare's idea of verifying the client sucks.
  • I've noticed that running ad blockers and java script blockers will result in more or more difficult challenges.

    • by jhecht ( 143058 )
      Ad blockers cause more difficult challenges because tracking information is used to identify you. If you block their identification system, they put up CAPTCHAS that are almost impossible to solve.
      • I've encountered this, and also often just clicked to another website rather than bother to captcha.
      • because tracking information is used to identify you

        CAPTCHAs aren't just about weeding out the 'bots. They are also about getting tracking cookies (and other identifying information) on a user's system. As well as a punishment for disabling JavaScript.

      • That is interesting. Over the last year or so ebay+paypal have become crazy-inconvenient, it's so much work to log in and buy a little thing, jumping through numerous hoops of captcha and verification codes. I wonder if it's because ublock is breaking some of the heuristics they would otherwise use to establish my identity.
        • I run uBlock Origin, and it hasn't had any effect on PayPal or eBay.Are you running the original uBlock?

        • by narcc ( 412956 )

          I also run uBlock Origin, but I've never had a problem with ebay or paypal. I didn't know they even did anything special.

      • I've had google give me ones that are literally impossible to solve. A whole bunch, in a row.

  • This article is shit, as Kyle Wiggers of Techcrunch clearly has no fucking idea what the product does or how it works either:

    Turnstile automatically chooses a browser challenge based on âoetelemetry and client behavior exhibited during a session,â Cloudflare says, rather than factors like login cookies. After running non-interactive JavaScript challenges to gather signals about the visitor and browser environment and using AI models to detect features and visitors whoâ(TM)ve passed a challeng

  • Captchas are nasty, but replacing them by a fingerprinting system looks like another privacy nightmare.

  • Haven't we learned from email spam, SMS spam, forum spam, robocalling, Zoom bombing, etc. that a sufficiently motivated bad-faith actor is going to be able to thwart your automated trapping every time?

    We've been doing this for decades and we have the same problems still, because amoral people will continue to be amoral. There are people that are going to work around whatever you put in place, because there is sufficient motivation to do so - money.

    Only by attacking the source of this problem - the people t

    • by ksw_92 ( 5249207 )

      Only by attacking the source of this problem - the people that are ultimately trying to sell you shit through the spam, will we ever see the volume of spam decrease. Sending unwanted bulk emails / messages without a legitimate way to opt out? Fine them $10 per message sent. The first time one of these guys is bankrupted out of existence by fines, the rest will get the message.

      We'll get on that just as soon as that singular legal jurisdiction that covers the entirety of the internet is operational.

      Seriously, if we can't build a winning prosecution percentage against the really bad internet actors like Ransomware groups, infrastructure hackers and Meta then getting UCE turds to pay $10/email is just a pipe dream.

    • because there is sufficient motivation to do so - money.

      Only by attacking the source of this problem - the people [sending spam] will we ever see the volume of spam decrease. The first time one of these guys is bankrupted out of existence by fines, the rest will get the message.

      CAN-SPAM is a U.S. Federal Law with a fine of up to $46,517 per message/violation. Has that stopped spammers? Nope.

  • Have these idiots never been to a subway and seen people hopping over the turnstile?

  • It was through repeatedly âoeI am not a robotâ captchas that I came to conclude that I must, in fact, be a robot.
  • by Gabest ( 852807 ) on Wednesday September 28, 2022 @06:54PM (#62922665)

    What's the difference me trying to download a page with wget vs Chrome? Both were initiated by me, I'm not a bot, but wget will be rejected.

  • I just got used to fooling them AI system that the every plane was a boat.
    I guess the AI error rate will go down significantly in the near future.

  • Captchas were said to be "impossible" to crack. Now they're cracked.
    This too will be cracked eventually.

  • Because apparently captchas weren't annoying enough, so after great research, we have found something that will surely end up far more annoying.

If money can't buy happiness, I guess you'll just have to rent it.

Working...