Cloudflare’s CAPTCHA Replacement Misses Crosswalks, Checkboxes, Google

Cloudflare recently made a bold claim: we could all do something better with our lives than deciding which images contain crosswalks or stop lights or clicking an “I’m not a robot” checkbox. Now the cloud services company is offering a free CAPTCHA alternative, Turnstile, available to anyone, Cloudflare customer or not, and specifically calling out Google’s role in the existing hegemony “prove you’re human.”

Turnstile uses Cloudflare’s Managed Challenge system, which draws on user behavior, browser data and, on Apple devices, private access tokens, to distinguish human visitors from bots and scripts. Cloudflare claims that its Managed Challenge system was able to reduce CAPTCHAs served to its customers’ visitors by 91% over one year.

Turnstile integrations run “a series of small, non-interactive JavaScript challenges” to investigate the visitor, including proof-of-work and space, web API lookup, and “various other challenges to detect browser quirks and human behavior,” Cloudflare’s post reads. Challenges vary between visitors, and machine learning can update the model with common characteristics of visitors who have already passed a test. The user only sees a “Verifying…” widget for a moment, then “Success!”

Cloudflare claims that beyond the inconvenience and wasted time, CAPTCHAs (which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”) are largely controlled by Google through its reCAPTCHA service. Google’s service had announced in 2017 that it would go largely invisible in newer versions, using the same browser and humanity behavior hints that Cloudflare touts to eliminate even the non-robot checkbox. One aspect of this proof that security researchers seemed to understand: being logged into a Google account.

“Google says they don’t use this information for ad targeting, but ultimately Google is an ad sales company,” Cloudflare’s post reads.

Google bought reCAPTCHA in 2009 and used it early on to solve problems like scanning books, street view house numbers, and, as you probably guessed, identifying objects like stairs. , palm trees, taxis, etc. in image recognition tools. Cloudflare notes that the ubiquity of CAPTCHA is one of its strengths, as it has a stable and constantly updated base of resolution and behavior data to build upon.

Google’s reCAPTCHA offers since 2017 an “invisible” mode in V2 and a V3 that “will never interrupt your users”. Most internet users still see their fair share of photo selection grids and anti-robot checkboxes, likely due to sites and developers not upgrading to newer versions or, potentially, seem “suspicious” of an unknown algorithm.

Cloudflare, originally a content delivery network that has grown into security, hosting and nearly every other aspect of cloud computing, cites its mission to “help build a better Internet” as the reason for which it offers a free verification service. The company, whose reverse proxy services are used by nearly 20% of all sites, recently made headlines for its long-running debate over abandoning the hate site Kiwi Farms and its decision not to opt out. Russia after invading Ukraine.