Cloudflare’s CAPTCHA replacement lacks crosswalks, checkboxes, Google

September 28, 2022:

CAPTCHAs are meant to prevent these kinds of browsing scenarios, not train us all to better recognize vehicles and infrastructure in grainy photos.
Enlarge / CAPTCHAs are meant to prevent these kinds of browsing scenarios, not train us all to better recognize vehicles and infrastructure in grainy photos.

Getty Images

Cloudflare has recently made an audacious claim: We could all be doing something better with our lives than deciding which images contain crosswalks or stop lights or clicking an “I’m not a robot” checkbox. Now the cloud services company is offering up a free CAPTCHA alternative, Turnstile, available to anyone, Cloudflare customer or not, and specifically calling out Google’s role in the existing “prove you’re a human” hegemony.

Turnstile utilizes Cloudflare’s Managed Challenge system, which takes cues from user behavior, browser data, and, on Apple devices, Private Access Tokens, to distinguish human visitors from bots and scripts. Cloudflare claims that its Managed Challenge system was able to reduce 91 percent of CAPTCHAs served to its customers’ visitors over a year.

Turnstile integrations run “a series of small non-interactive JavaScript challenges” to investigate the visitor, including proof of work and space, probing for web APIs, and “various other challenges for detecting browser-quirks and human behavior,” Cloudflare’s post states. The challenges vary by visitor, and machine learning can update the model with the common features of visitors who previously passed a test. The user only sees a “Verifying …” widget for a moment, then “Success!”

Note the lack of grid-aligned blurry images that make you feel like you're helping Skynet refine its targeting.

Note the lack of grid-aligned blurry images that make you feel like you’re helping Skynet refine its targeting.

Cloudflare

Cloudflare claims that beyond annoyance and time-wasting, CAPTCHAs (which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”) are largely controlled by Google through its reCAPTCHA service. Google’s service had announced in 2017 that it would largely become invisible in newer versions, using the same browser and behavior hints about human-ness Cloudflare is touting to eliminate even the not-robot checkbox. One aspect of that proof that security researchers seemed to suss out: being logged in to a Google account.

“Google says they don’t use this information for ad targeting, but at the end of the day, Google is an ad sales company,” Cloudflare’s post states.

Google bought reCAPTCHA in 2009 and used it early on to solve problems like book digitization, Street View house numbers, and, as you’ve likely guessed, identifying objects like stairs, palm trees, taxis, and the like in image recognition tools. Cloudflare notes that CAPTCHA’s ubiquity is one of its strengths, as it has a steady, constantly updated base of solving and behavior data to lean on.

Google’s reCAPTCHA has offered an “invisible” mode in V2 since 2017 and a V3 that “will never interrupt your users.” Most Internet users still see their fair share of photo-picking grids and anti-robot checkboxes, likely due to sites and developers who haven’t upgraded to newer versions—or, potentially, seeming “suspicious” of an unknowable algorithm.

Cloudflare, originally a content-delivery network that has grown into security, hosting, and nearly every other aspect of cloud computing, cites its mission of “helping build a better Internet” as the reason it’s giving away a free verification service. The company, whose reverse proxy services are used by something close to 20 percent of all sites, has been in the news recently for its long debate on dropping hate site Kiwi Farms and deciding not to pull out of Russia after it invaded Ukraine.

Source link