Cloudflare launches invisible, privacy-focused Captcha to take on Google
No more box picking
By Rob Thubron
What just happened? For all the advancements the internet and technology in general have made, there are still times when accessing a website requires you to decide if a set of traffic lights is placed inside one box or two. Captchas such as that example remain a pain, but Cloudflare has released a version that does away with these irritating tests.
With the arrival of ReCaptcha 3 in 2018, Google removed the need to pick out specific sections of pictures, decipher barely legible text, or even click a box to prove you weren't a bot, replacing them with scores based on user interactions.
Turnstile doesn't check advertising cookies or login cookies, and Cloudflare emphasizes that although it does look at some session data, such as browser characteristics, the company doesn't store data of any kind. Researchers say reCaptcha uses Google login cookies as part of its checks to determine if someone is human, and there are concerns that the data it captures could be used for targeted advertising.
"Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast," said Cloudflare.
Visitors identified as human will have an anonymous Private Access Token (PAT), developed alongside Apple, or tokens from Cloudflare's backend issued to their browser, so when they perform any actions on the website, the token is there to confirm they're not a bot. If Turnstile can't verify that a visitor is human, it will revert to a manual anti-bot test.
"If a person were walking down the street next to a robot, even without asking the person or robot any questions, you'd be able to observe differences between them just by watching them walk past," said Cloudflare's chief technology officer, John Graham-Cumming (via Wired). "Turnstile can do that for the signals your computer sends to the website you're accessing, which include what web browser you are using or what device this is coming from. In the case of a machine trying to impersonate a human user, they often don't get all these details right – there's usually something 'off' about the request."
Almost 98% of internet traffic uses Google's ReCaptcha. Cloudflare says Turnstile, just released in a public beta test, is more privacy-focused and offers a better overall experience, but it still faces a battle to grab significant market share in this segment.
h/t: The Reg