back to article Cloudflare's invisible CAPTCHA works by probing browsers with JavaScript

Cloudflare has begun a public beta test of a CAPTCHA alternative that runs quietly in the background to automatically determine if the webpage visitor is an actual human. Its goal is to allow netizens to avoid having to complete those tedious prove-you're-not-a-bot tests on websites. The widget is dubbed Turnstile, and is …

  1. Anonymous Coward
    Anonymous Coward

    To the extent that Turnstile is using methods that are an invasion of privacy, one would hope for a browser that does not allow such methods anyway, as they are a privacy risk regardless of Turnstile.

    1. DS999 Silver badge

      So long as it runs on the device and only the token is returned to Cloudflare that's fine. If it is sending a bunch of information for them to determine whether you're a human or not this is no better than CAPTCHAs that turn humans into Google's slaves forcing them to work on their image recognition.

      It looks like it might be OK, and PAT is an open source standard so could be adopted by others but I'd like to learn more about it because the devil is in the details. Here's what I found so far:

      It adds more points of communication so it would slow things down, but at least this is something that is only done once and most sites won't care about it at all (i.e. only for stuff where they are currently using CAPTCHAs)

  2. Anonymous Coward
    Anonymous Coward

    While I trust Cloudflare much more than Google

    This isn't a good long term solution, and will not be immune to spoofing, false positives, false negatives, and all of the problems that plague CAPTCHAs and browser fingerprinting. The description of how it operates also makes me want to hate it. I have seen pages using the more intrusive versions of Cloudflares screening scripts, and they can delay page loads by seconds.

    Every version of this idea has been a plague to users that run a tightened up browser config, use a cookie manager, or have their browser set to dump the cache on reloads. In addition, it's going to mean hassles for users on VMs and other platforms that the ad fraud gangs use, and that list will just expand as the fraudsters realize they are blocked and adapt.

    Architecturally there is nothing here that will block them from making a counter move, so it's just another twist in the endless game of whack-a-mole.

    1. Hubert Cumberdale Silver badge

      Re: While I trust Cloudflare much more than Google

      It'll always fall back to something else for me, what with NoScript. If a website doesn't have a fallback, then it can f#ck off, just as a matter of principle.

  3. Anonymous Coward
    Anonymous Coward

    If it means

    that I never have to see another recaptcha with those shitty grainy to the point of almost illegibility, quit talking about it and just bring it on.

    As for privacy, your'e on the internet, no matter what you do, the privacy invaders will always be one step in front.

  4. Snake Silver badge

    The source

    "The JS code is embedded from"

    Excellent! Now it's easy to block ;-)

    1. IGotOut Silver badge

      Re: The source

      And then you'll be presented with a cap ha and all the crap that goes with that.

    2. Anonymous Coward
      Anonymous Coward

      Re: The source

      I'm thinking the mention of the hosting sitename is acknowledgement that people are concerned about what code runs on their browsers. I appreciate them saying is what to block or not block. It lends hope that they are aiming to run above board.

    3. Anonymous Coward
      Anonymous Coward

      Re: The source

      Don't block it. Replace it.

  5. Kevin McMurtrie Silver badge

    Cloudflare's choices of awareness

    Serving a fake postal site asking for your credit card? Don't care. Serving stores selling fake or illegal drugs? Don't care. Spam click-through loggers, key loggers, PI loggers, credit card loggers, command and control systems... Don't care. They're not the Internet police!

    A bot viewing an advertisement? A bot polluting a credit card logger? Throws all resources at blocking and policing those data patterns. Deploys invasive checkpoints for visitors. Adds tracking cookies for monitoring access patterns.

  6. An_Old_Dog Silver badge

    xCAPTCHA and Turnstile Over-Use, Turnstile CPU Load?

    I can understand requiring some sort of evidence you're human before allowing you to sign up for an account ("When that user subsequently tries to do anything on the website – such as log in, search, or sign-up – the token can be presented to the site to confirm there isn't a bot at play"), but less-so for logins, and not for searches.

    For any given user, signing-up is a relatively rare event; I don't mind the occasional xCAPTCHA. How much CPU does this new method use? Many people browse from low-CPU-power devices.

    1. ThatOne Silver badge

      Re: xCAPTCHA and Turnstile Over-Use, Turnstile CPU Load?

      > but less-so for logins

      Indeed, if I have created an account (and probably proven at that time I'm not a bot) I don't see why any further interaction with that site should entail a CAPTCHA of any kind.

      Website developers remember, creating an account is not just a marketing data harvesting operation, it's actually supposed to henceforth indicate you're a known, identified person.

  7. steelpillow Silver badge

    maintaining a higher level of privacy than traditional CAPTCHA systems

    So it'll never catch on, then.

  8. Gene Cash Silver badge

    And what if you block JS?

    So they block your access?

    1. diodesign (Written by Reg staff) Silver badge

      Re: And what if you block JS?

      Same if you tried another JS CAPTCHA widget and there was no fall back. You'll get told to turn on JavaScript or you can't verify you're a human.


      1. b0llchit Silver badge

        Re: And what if you block JS?

        Good. That confirms it then. I am not a human. I do not enable JS. I always knew something about me was artificial. Now I know for sure. I am a Robot.

        Dear world, I present to you the first completely sentient and functional Robot: me.

        1. ChoHag Silver badge

          Re: And what if you block JS?

          The irony of being rejected by a bot for not proving my humanity never ceases to amuse.

          I work on the assumption that the spammers et al will continue to work around these new obstacles within days of their being erected and so it's clearly the explicit *intention* of those who put them up to annoy their legitimate customers.

          It's basically like how, whenever you walk into a supermarket, the security guard jumps up and slams a hood over your face until you've been probed and formally identified. And confirmed that you like it.

        2. Anonymous Coward
          Anonymous Coward

          Re: And what if you block JS?

          @b0llchit Sounds like exactly the kind of thing a bot would be programmed to say :-)

        3. iron Silver badge

          Re: And what if you block JS?

          That depends, Google and Cloudfare are often convinced I'm a robot so which one of us has the earlier incept date?

      2. Hubert Cumberdale Silver badge

        Re: And what if you block JS?

        "You'll get told to turn on JavaScript or you can't verify you're a human."

        ...and they'll get told I'm going elsewhere (the internet is a big place).

        1. Colin Bull 1

          Re: And what if you block JS?

          (the internet is a big place).

          Cornwall council tell me that I MUST verify voting information every year and they give a convenient link to do this. Stupidly not only do I need to enter password and keyphrase I must also do a captcha with US based themes. I have told them this is stupid as they are sending this request to a verified email address.

          What are trying to guard against? A bot that registers 50 new voters.

          1. Hubert Cumberdale Silver badge

            Re: And what if you block JS?

            (Where I live, there's still an option to do this on paper... for now.)

      3. Steve Graham

        Re: And what if you block JS?

        In practice, I find that most sites with CAPTCHA simply let me in when I won't let the JS execute.

  9. Claverhouse Silver badge


    Since bots won't be issued these tokens, they can be stopped from doing anything further with the website.

    Maybe some kind philanthropists can donate tokens to these poor bots beforehand.

  10. Gene Cash Silver badge

    Stopped me from one website

    I've stopped shopping at a motorcycle website where I've already spent a fair wedge. They hit me with this (or something like it) when I tried to buy something, and it wouldn't let me through.

    So I bought my birthday/Christmas present (a $900 helmet) elsewhere.

    1. Hubert Cumberdale Silver badge

      Re: Stopped me from one website

      "So I bought my birthday/Christmas present (a $900 helmet) elsewhere."

      I'm really hoping it looked like this.

      1. Jan 0 Silver badge

        Re: Stopped me from one website

        Nah, that's last years model. It doesn't have the live scorpions.

  11. Kevin McMurtrie Silver badge

    CAPTCHA for hosters

    How about a Chromium feature where Cloudflare sites are globally blocked until each site owner passes a test proving that it's a legitimate business or individual?

    (Sorry to post twice in one article, but SMS spam for Cloudflare sites keeps flowing.)

  12. Anonymous Coward
    Anonymous Coward

    So, if I understand this correctly...

    step 1. fingerprint browser

    step 2. issue unique token 'not a cookie, nope'

    step 3. Cloudflare builds nice database about browsing habits, laughs at Google

  13. iron Silver badge

    So if iDevices and later others will issue a token automatically how does this prove the user is human?

    I could defeat this check using Firebase, Amazon Device Farm or countless other automated mobile testing solutions.

  14. Anonymous Coward
    Anonymous Coward


    Cloudflare have been doing this for years

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like