Cloudflare Wants To Replace CAPTCHAs With Turnstile (techcrunch.com)
Ahead of its Connect conference in October, Cloudflare this week announced an ambitious new project called Turnstile, which seeks to do away with the CAPTCHAs used throughout the web to verify people are who they say they are. From a report: Available to site owners at no charge, Cloudflare customers or no, Turnstile chooses from a rotating suite of "browser challenges" to check that visitors to a webpage aren't, in fact, bots. CAPTCHAs, the challenge-response tests most of us have encountered when filling out forms, have been around for decades, and they've been relatively successful at keeping bot traffic at bay. But the rise of cheap labor, bugs in various CAPTCHA flavors and automated solvers have begun to poke holes in the system. Several websites offer human- and AI-backed CAPTCHA-solving services for as low as $0.50 per thousand solved CAPTCHAs, and some researchers claim AI-based attacks can successfully solve CAPTCHAs used by the world's most popular websites.
Cloudflare itself was once a CAPTCHA user. But according to CTO John Graham-Cumming, the company was never quite satisfied with it -- if Cloudflare's public rallying cries hadn't made that clear. In a conversation with TechCrunch, Graham-Cumming listed what he sees as the many downsides of CAPTCHA technology, including poor accessibility (visual disabilities can make it impossible to solve a CAPTCHA), cultural bias (CAPTCHAs assume familiarity with objects like U.S. taxis) and the strains that CAPTCHAs place on mobile data plans. [...] Turnstile automatically chooses a browser challenge based on "telemetry and client behavior exhibited during a session," Cloudflare says, rather than factors like login cookies. After running non-interactive JavaScript challenges to gather signals about the visitor and browser environment and using AI models to detect features and visitors who've passed a challenge before, Turnstile fine-tunes the difficulty of the challenge to the specific request -- avoiding having users solve a puzzle.
Summary hints at personal ID but tool is for bots (Score:3)
Overall, it's rather sad that the entire Internet will adopt only official CAPTCHA/reCAPTCHA or TURNSTILE implementations. There should be a litany of bots challenge options out there, forcing challenge-defeating bots to not obtain blanket access (carte blanche) to any/all challenge-protected content.
Of course, in fuddy old age, I don't think we should be manually browsing the Internet anymore. Everything should be API-based and accessible in native/mixed-reality devices leveraging whatever UI one chooses -- without any measurable concern for pay walls (on a content-access basis). Information should be free.
Re: (Score:3)
Information should be free.
Someone has to pay for that information. TANSTAAFL.
Re: (Score:2)
Overall, it's rather sad that the entire Internet will adopt only official CAPTCHA/reCAPTCHA or TURNSTILE implementations. There should be a litany of bots challenge options out there, forcing challenge-defeating bots to not obtain blanket access (carte blanche) to any/all challenge-protected content.
There are two ways. Implement your own, which will likely be easily crackable, and hope no one targets you specifically; or use a hardened and tested version that you hope is uncrackable, and again hope that no one targets you specifically before they come out with an update. If you are in an arms race, it's much better to have an entire army working on improving your side than going it alone.
Re: (Score:1)
So many websites don't even realize the amount of traffic they're missing out on because people like me just leave because their stupid protection is broken. Fuck 'em. It's better to let some bots through than to block even one legitimate user.
And Cloudflare is one of the worst. I have encountered a lot of websites "Protected By Cloudflare" that won't let me access anything because their silly bullshit is completely broken.
CAPTCHAs are useless bullshit that do absolutely nothing of value. It is Security Theater at its worst. Turnstile is just another slightly different flavor of shit.
Re:Except when it doesn't work (Score:4, Informative)
So many websites don't even realize the amount of traffic they're missing out on because people like me just leave because their stupid protection is broken. Fuck 'em.
CAPTCHAs worked well in the beginning. Humans could easily read them but bots could not. Then AI started getting better, improving the ability of bots to read them orders of magnitude faster than evolution improved people's ability to read CAPTCHAs that were continually being amped up to fool the better bots.
The bots have won. They can read today's CAPTCHAs while humans vainly click away at tiny fuzzy pictures of traffic signals, locked out.
Not the Purpose of CAPTCHAs (Score:4, Insightful)
seeks to do away with the CAPTCHAs used throughout the web to verify people are who they say they are
No, CAPTCHAs are used to verify that any person at all is there. It's not an internet ID.
TFS makes Turnstile sound like glorified browser fingerprinting.
Re: (Score:3)
Having read the actual blog post and tried the new TURNSTILE out, it does appear to simply be verifying that the browser is operated by a human. TFA seems to be a little bit confused.
Even with my extensive privacy enhancing add-ons, limited settings, and VPN, it passed by right away. That's much better than other systems that make me select images.
Much better for website operators too. A CAPTCHA is a good way to make me close your website and go somewhere else.
Based on telemetry (Score:4, Funny)
based on "telemetry and client behavior exhibited during a session
Details are missing, but I don't like the sound of this...
Re:Based on telemetry (Score:5, Informative)
It's not new; F5 Shape, Akamai Bot Manager, nudata, and a few others are doing this pretty much for every retail and financial services sector website of any size already.
Most of those places are configured with CAPTCHA fallback if you don't pass the hidden "I am not a bot" test. If you are using any plug-ins that block JS and you get slammed with CAPTCHAs on every friggin login form in those sectors, that is probably why.
The short version is they send down an obfuscated JS that implements its own little VM and some behavior checking code, to run. It looks at a bunch of things: display size, pointer movements, scroll bar position, color depths, usually some timing and checking other scripts loaded, of course the good old user-agent, and comparing with other navigator properties to see if it all jives, hardwareConcurrency. In a lot of cases it collects what would otherwise be duplicate telemetry as an anti-tampering control - so you can't as easily spot 1080 and think that is a screen height and tweak it. They bottle all this telemetry up into a blob, obfuscate it and send it to the backend. It's scored based on some customer tunables, and some action is taken - permit, log, CAPTCHA challenge, deny, black-list IP...etc.
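The scoring pipeline this comment sketches, as an added example that is not Cloudflare's, F5's or Akamai's code: a simplified server-side scorer over a telemetry object, with consistency and anti-tampering checks mapped onto the permit/log/challenge/deny ladder. Signal names, weights, thresholds and the two sample sessions are all assumptions constructed for the example; in a browser the object would be filled from `navigator`, `screen` and pointer events.

```javascript
// Added example (not any vendor's code). `signals` stands in for the blob a
// client-side script would collect; every value below is constructed.

const DEFAULT_TUNABLES = { log: 20, challenge: 40, deny: 70 };  // assumed score thresholds

// Each check is [name, penalty, predicate]; a firing predicate adds its penalty.
const CHECKS = [
  // The user-agent string and navigator.platform should agree on the OS family.
  ['ua_platform_mismatch', 30, s =>
    (/Windows/.test(s.userAgent) && !/Win/.test(s.platform)) ||
    (/Linux/.test(s.userAgent) && !/Linux/.test(s.platform))],
  // Duplicate telemetry as an anti-tampering control: the screen height read
  // via two different paths should match unless one of them was patched.
  ['screen_height_tampered', 25, s => s.screenHeight !== s.screenHeightAlt],
  // A viewport cannot be taller than the physical screen it sits on.
  ['viewport_larger_than_screen', 20, s => s.innerHeight > s.screenHeight],
  // Automation environments often report zero or implausible core counts.
  ['implausible_concurrency', 15, s => !(s.hardwareConcurrency >= 1 && s.hardwareConcurrency <= 128)],
  // A form submitted with no pointer movement and almost no dwell time.
  ['no_pointer_activity', 20, s => s.pointerMoves === 0 && s.dwellMs < 500],
  // Real displays report one of a few common color depths.
  ['unusual_color_depth', 10, s => ![24, 30, 32].includes(s.colorDepth)],
];

// Score one telemetry blob; returns the total penalty and the checks that fired.
function scoreSignals(signals) {
  const hits = CHECKS.filter(([, , test]) => test(signals));
  return {
    score: hits.reduce((sum, [, w]) => sum + w, 0),
    hits: hits.map(([name]) => name),
  };
}

// Map a score onto the action ladder using the customer tunables.
function decide(score, t = DEFAULT_TUNABLES) {
  if (score >= t.deny) return 'deny';
  if (score >= t.challenge) return 'challenge';
  if (score >= t.log) return 'log';
  return 'permit';
}

// Constructed samples: a self-consistent desktop session and a tampered one.
const HONEST = { userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', platform: 'Win32',
  screenHeight: 1080, screenHeightAlt: 1080, innerHeight: 969, hardwareConcurrency: 8,
  pointerMoves: 143, dwellMs: 4200, colorDepth: 24 };
const TAMPERED = { userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', platform: 'Linux x86_64',
  screenHeight: 1080, screenHeightAlt: 768, innerHeight: 1080, hardwareConcurrency: 0,
  pointerMoves: 0, dwellMs: 40, colorDepth: 24 };
```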
Ad blockers (Score:2)
I've noticed that running ad blockers and JavaScript blockers will result in more or more difficult challenges.
They've learned from Google (Score:3)
because tracking information is used to identify you
CAPTCHAs aren't just about weeding out the 'bots. They are also about getting tracking cookies (and other identifying information) on a user's system. As well as a punishment for disabling JavaScript.
Re: (Score:2)
I run uBlock Origin, and it hasn't had any effect on PayPal or eBay. Are you running the original uBlock?
Re: (Score:2)
I also run uBlock Origin, but I've never had a problem with ebay or paypal. I didn't know they even did anything special.
Re: (Score:2)
I've had google give me ones that are literally impossible to solve. A whole bunch, in a row.
OK, so what the fuck does it actually do? (Score:1)
This article is shit, as Kyle Wiggers of Techcrunch clearly has no fucking idea what the product does or how it works either:
Sounds privacy invasive (Score:2)
Captchas are nasty, but replacing them by a fingerprinting system looks like another privacy nightmare.
Cat and mouse. (Score:2, Insightful)
Haven't we learned from email spam, SMS spam, forum spam, robocalling, Zoom bombing, etc. that a sufficiently motivated bad-faith actor is going to be able to thwart your automated trapping every time?
We've been doing this for decades and we have the same problems still, because amoral people will continue to be amoral. There are people that are going to work around whatever you put in place, because there is sufficient motivation to do so - money.
Only by attacking the source of this problem - the people t
Re: (Score:2)
Only by attacking the source of this problem - the people that are ultimately trying to sell you shit through the spam, will we ever see the volume of spam decrease. Sending unwanted bulk emails / messages without a legitimate way to opt out? Fine them $10 per message sent. The first time one of these guys is bankrupted out of existence by fines, the rest will get the message.
We'll get on that just as soon as that singular legal jurisdiction that covers the entirety of the internet is operational.
Seriously, if we can't build a winning prosecution percentage against the really bad internet actors like Ransomware groups, infrastructure hackers and Meta then getting UCE turds to pay $10/email is just a pipe dream.
Re: (Score:3)
because there is sufficient motivation to do so - money.
Only by attacking the source of this problem - the people [sending spam] will we ever see the volume of spam decrease. The first time one of these guys is bankrupted out of existence by fines, the rest will get the message.
CAN-SPAM is a U.S. Federal Law with a fine of up to $46,517 per message/violation. Has that stopped spammers? Nope.
Turnstiles (Score:2, Funny)
Have these idiots never been to a subway and seen people hopping over the turnstile?
Bots vs trusted browsers (Score:3)
What's the difference me trying to download a page with wget vs Chrome? Both were initiated by me, I'm not a bot, but wget will be rejected.
No more clicking boats and planes? (Score:2)
I just got used to fooling the AI system that every plane was a boat.
I guess the AI error rate will go down significantly in the near future.
Will be cracked eventually (Score:2)
Captchas were said to be "impossible" to crack. Now they're cracked.
This too will be cracked eventually.
Because... (Score:2)
Because apparently captchas weren't annoying enough, so after great research, we have found something that will surely end up far more annoying.