Cloudflare launches invisible, privacy-focused Captcha to take on Google

midian182

Posts: 8,314   +103
Staff member
What just happened? For all the advancements the internet and technology in general have made, there are still times when accessing a website requires you to decide if a set of traffic lights is placed inside one box or two. Captchas such as that example remain a pain, but Cloudflare has released a version that does away with these irritating tests.

With the arrival of ReCaptcha 3 in 2018, Google removed the need to pick out specific sections of pictures, decipher barely legible text, or even click a box to prove you weren't a bot, replacing them with scores based on user interactions.

Internet infrastructure company Cloudflare's version, called Turnstile, works similarly: an invisible process determining whether a site visitor is real. The system, which can be implemented via a free API, uses non-interactive JavaScript code that carries out background checks, including proof-of-work, proof-of-space, checking for web APIs, and various other challenges for detecting browser quirks and human behavior.

The system doesn't check advertising cookies or login cookies, and Cloudflare emphasizes that although Turnstile does look at some session data, such as browser characteristics, the company doesn't store data of any kind. Researchers say reCaptcha uses Google login cookies as part of its checks to determine if someone is human, and there are concerns that the data it captures could be used for targeted advertising.

"Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast," said Cloudflare.

Detected humans will have an anonymous Private Access Token (PAT), developed alongside Apple, or tokens from Cloudflare's backend issued to their browser, so when they perform any actions on the website, the token is there to confirm they're not a bot. If Turnstile can't verify that a visitor is human, it will revert to a manual anti-bot test.

"If a person were walking down the street next to a robot, even without asking the person or robot any questions, you'd be able to observe differences between them just by watching them walk past," said Cloudflare's chief technology officer, John Graham-Cumming (via Wired). "Turnstile can do that for the signals your computer sends to the website you're accessing, which include what web browser you are using or what device this is coming from. In the case of a machine trying to impersonate a human user, they often don't get all these details right—there's usually something 'off' about the request."

Almost 98% of internet traffic uses Google's ReCaptcha. Cloudflare says Turnstile, just released in a public beta test, is more privacy-focused and offers a better overall experience, but it still faces a battle to grab significant market share in this segment.

h/t: The Reg
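
The token described above only protects a site if the server validates it before acting on the request. As an added example (not from the article and not Cloudflare's own code), this server-side check posts the token to Cloudflare's siteverify endpoint, binds it to the expected site and form, and fails closed; the expected hostname, the action name, the injectable `fetchImpl` parameter and the reason strings are assumptions made for illustration.

```javascript
// Added example, not Cloudflare's code. The endpoint and response fields follow
// Cloudflare's public siteverify API; expected.hostname, expected.action and
// the reason strings returned here are illustrative assumptions.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
const MAX_TOKEN_AGE_MS = 300 * 1000; // tokens are valid for five minutes

// Pure policy check on the parsed siteverify JSON. Returns { ok, reason }.
function evaluateSiteverify(result, expected, nowMs = Date.now()) {
  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || [];
    return { ok: false, reason: codes.join(",") || "not-successful" };
  }
  // A token solved on another site must not be accepted here.
  if (result.hostname !== expected.hostname) return { ok: false, reason: "hostname-mismatch" };
  // Bind the token to the form it was issued for (login, signup, ...).
  if (expected.action && result.action !== expected.action) return { ok: false, reason: "action-mismatch" };
  const issued = Date.parse(result.challenge_ts);
  if (Number.isNaN(issued) || nowMs - issued > MAX_TOKEN_AGE_MS) return { ok: false, reason: "stale-token" };
  return { ok: true, reason: "verified" };
}

// Server-side check. fetchImpl is injectable so the logic can be tested offline.
async function verifyTurnstile(token, secret, expected, fetchImpl = fetch) {
  // Reject empty or oversized input before spending a network call on it.
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-malformed-token" };
  }
  try {
    const res = await fetchImpl(SITEVERIFY_URL, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ secret, response: token }),
    });
    if (!res.ok) return { ok: false, reason: "siteverify-http-" + res.status };
    return evaluateSiteverify(await res.json(), expected);
  } catch (err) {
    return { ok: false, reason: "siteverify-unreachable" }; // fail closed
  }
}
```

Tokens are single-use, so a replayed token comes back from siteverify with `success: false` and the `timeout-or-duplicate` error code, which this check surfaces as the rejection reason.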


Eldritch

Posts: 497   +896
As someone with intense hatred for reCaptcha and its annoying puzzles, I welcome this new tech of non-interaction based authentication. Cloudflare web products are normally great so Turnstile may eventually replace reCaptcha or at least force them to use non-interactive methods.
 

Puiu

Posts: 5,875   +4,885
TechSpot Elite
As someone with intense hatred for reCaptcha and its annoying puzzles, I welcome this new tech of non-interaction based authentication. Cloudflare web products are normally great so Turnstile may eventually replace reCaptcha or at least force them to use non-interactive methods.
Google isn't going to wait. They most likely already have something like that.

But I've always wondered why Google was so adamant in using images and the answer I came up with is "AI training".