Cloudflare introduces invisible CAPTCHA for websites • The Register

Cloudflare has launched a public beta test of a CAPTCHA alternative that runs silently in the background to determine whether a webpage visitor is a real human. The goal is to spare Internet users the tedious prove-you-are-not-a-robot tests on websites.

The widget is dubbed Turnstile and is described as “an invisible alternative” to today’s CAPTCHA challenges. That said, it will fall back to a manual test as a last resort if it can’t automatically verify that a user is human. Cloudflare claims it can do all of this while maintaining a higher level of privacy than traditional CAPTCHA systems.

The internet infrastructure outfit said that a Turnstile test begins with the participating website running non-interactive JavaScript code that examines the system and browser to determine whether it is in an automated environment or whether there is probably a human at the computer. The JS code is loaded from challenges.cloudflare.com.

This script performs a bunch of background tasks in the browser, including “proof of work, proof of space, web API lookup, and various other challenges to detect browser quirks and human behavior,” said Cloudflare.

“Turnstile also includes machine learning models that detect common characteristics of end visitors who have successfully completed a challenge before. The computational difficulty of these initial challenges may vary by visitor, but it is designed to work quickly.”

Ultimately the code uses a bunch of techniques to determine whether the website is being visited by a person, as opposed to a software-controlled browser that is there hoping to commit click-through fraud, register a ton of accounts, and so on.

When a human is detected, Cloudflare’s backend system sends a token to the visitor’s browser. When that user then tries to do anything on the website – such as logging in, searching or registering – the token can be presented to the site to confirm that there is no bot in play, and everything is allowed to operate as intended. Since bots will not receive these tokens, they may be prevented from doing anything else with the website.
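The token check described above, as a server-side sketch added here (not Cloudflare's code): the site must send the token it receives back to Cloudflare's verification endpoint rather than trusting the client, and should fail closed. The siteverify URL and response fields are assumed from Cloudflare's public Turnstile documentation, not from the article, and `fake_siteverify` is a constructed stand-in so the example runs offline.

```python
import json
import urllib.parse
import urllib.request

# Assumed from Cloudflare's public Turnstile docs; the article does not name it.
SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


def _post_form(url, body):
    """Real transport: POST a form body and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def verify_turnstile_token(secret, token, expected_hostname=None,
                           remote_ip=None, transport=_post_form):
    """Return (ok, reason). Only a Cloudflare-confirmed token counts; anything
    else, including an unreachable verifier, fails closed."""
    if not token:
        return False, "missing-token"      # a bot that never ran the widget
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    try:
        result = transport(SITEVERIFY_URL, body)
    except Exception:
        return False, "verification-unavailable"
    if not result.get("success"):
        return False, ",".join(result.get("error-codes") or ["unknown"])
    # A token minted for another site's widget must not unlock this one.
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    return True, "ok"


# Constructed stand-in for the siteverify service so the example runs offline.
def fake_siteverify(url, body):
    fields = urllib.parse.parse_qs(body.decode())
    if fields.get("response", [""])[0] == "constructed-valid-token":
        return {"success": True, "hostname": "example.com"}
    return {"success": False, "error-codes": ["invalid-input-response"]}


if __name__ == "__main__":
    print(verify_turnstile_token("secret", "constructed-valid-token",
                                 expected_hostname="example.com",
                                 transport=fake_siteverify))   # (True, 'ok')
```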

Turnstile, which is said to be derived from Cloudflare’s Managed Challenge feature, is free to use on any website that wants to integrate it, and works for anyone who doesn’t block JavaScript, we’re told.

These not-a-bot tokens – also known as Private Access Tokens, or PATs – were developed with Apple: Apple wants its operating systems to automatically issue the tokens to websites so iOS users (and soon macOS users) can avoid having to fill in CAPTCHAs.

For now, Turnstile can handle Apple’s PATs or tokens issued by Cloudflare’s backend. When more operating systems support tokens, they can be added to Turnstile, presumably skipping the need for all that JavaScript probing.

“Nowadays, [PATs] are only present for iOS 16 devices,” Cloudflare Chief Product Officer Reid Tatoris told us in an email. “In the future, as more devices and customers take advantage of PATs, Turnstile will automatically use PATs wherever they are compatible.”

Outside of PATs, which are meant to be anonymous, Cloudflare said Turnstile helps maintain user privacy by not using or viewing cookies. While Turnstile looks at “certain session data (like headers, user agent, and browser characteristics) to validate users without challenging them,” Cloudflare said it doesn’t store any data.

Instead, Cloudflare said it has worked with hardware manufacturers to create device profiles that help it quickly validate hardware, letting Turnstile “abstract parts of the validation process and confirm data without actually collecting, touching or storing this data ourselves.”

We note that, like Turnstile, other CAPTCHA widgets rely on JavaScript.

Click on the squares that include a web goliath

Beyond those downsides, Cloudflare said CAPTCHA widgets come with a privacy trade-off because of who powers 98% of the implementations: Google.

Google reCAPTCHA was previously found to favor Google users, giving them the benefit of the doubt as long as reCAPTCHA could determine that a user was logged into a Google account.

“Google says they don’t use this information for ad targeting, but ultimately Google is an ad sales company,” Cloudflare said. Google has previously told The Register that reCAPTCHA collects information about hardware and software and sends it to Google, but has not said what it does with this data.

Cloudflare used reCAPTCHA until 2020, when it dropped the service in favor of hCaptcha, citing customer concerns and privacy concerns over sending data to Google. Those concerns coincided with Google saying it would start charging heavy reCAPTCHA users, such as Cloudflare, to access the service. ®

PS: Cloudflare also introduced what it calls a zero-trust eSIM this week.
