As much as I _despise_ modern ReCAPTCHA, I have always been able to pass the challenge eventually; it has never flatly rejected me with no recourse. If I made a mistake or was insufficiently human for it, I got a new challenge and tried again. There are apocryphal stories of Google tar-pitting users with it, but I have never seen it in action.
If this judges the browser more than the user, what do I do when the browser fails? Do I refresh the page hoping for a different batch of invisible challenges? Do I submit a ticket to CF customer support... despite not being a customer?
It 100% is true that using ReCAPTCHA on privacy-oriented browsers can make ReCAPTCHA unbearable. As a Firefox user, I relate to others who've faced CAPTCHAs where the images fade in unbearably slowly, and even after painstakingly selecting the correct images, it will fail and say "nope, try again", repeating the cycle.
A couple of years ago, a web site I was using at the time started to use a relatively obscure service that appeared to inspect or fingerprint the user agent in various ways, as well as tracking browsing activity, in order to determine if the user should be locked out of the site until a captcha was completed.
Although I suspect it was supposed to be transparent, it still ended up being a disaster for many of the users, especially the non-technical ones. The web site's support forum was full of complaints from what seemed to be legitimate, long-time users and customers.
Even benign and reasonable user agent variations from the "norm" seemed to cause problems for this particular system. For example, I recall a default Chrome installation working well enough, but adjusting its configuration to harden its security or privacy seemed to confuse the web site's blocking system.
In my case, I had to keep around and use a dedicated ancient browser installation, since newer ones seemed to trigger repeated challenges for some reason I could never figure out.
The challenge page even had a report-a-problem form, but I don't know if anyone or anything actually considered the submissions.
Even the web site's administrators seemed to have trouble figuring out why legitimate users were getting flagged repeatedly by this system they were using.
I ended up just not using that web site any longer. The hassle wasn't worth it.
Where I usually get tarpitted is by Cloudflare. I'll pass the (automated) CAPTCHA, the page will reload (still as if I had passed), and … it'll be another CAPTCHA. I'm pretty sure these usually amount to a passive-aggressive demand for cookies/storage, but I just vote with my browser & go back/somewhere else.
Cloudflare deep down greatly discriminates against shared IPs. If you have a real honest-to-goodness IPv4 address that doesn't change, you'll hardly ever encounter anything.
But if you are behind any sort of carrier-grade NAT or otherwise sharing IPs, you're a second-class netizen, sucks to be you.
I'm behind your typical non-CGNAT residential NAT, for v4. (Was v4 only for the longest time, but Verizon just recently rolled out a v6… so we'll see if that changes anything, I guess.)
If you encounter it relatively often with VPN off, I would do a full scan/check of all devices (including wifi phones, etc) and update all software, as you may have a bot virus or similar. If you DO find one, clean it up and then turn your router off for a few hours or whatever is necessary to get your ISP to give you a new IP, heh.
But, haha, fool you: CF now gatekeeps some unholy percentage of the web, so the "somewhere else" list is going to get smaller and smaller with no recourse, as best I can tell. Maybe disposable Firefox containers for your specific situation, but only maybe.
> If this judges the browser more than the user, what do I do when the browser fails? Do I refresh the page hoping for a different batch of invisible challenges? Do I submit a ticket to CF customer support... despite not being a customer?
This is definitely a good question. With the "Managed Challenge" feature it seems to degrade gracefully: if you have, say, a positive profile with Cloudflare, an iOS device where it can use PATs, etc., you never see the prompt, but eventually it'll fall back to the same CAPTCHA you're seeing today. It'd be useful to confirm that this is how Turnstile works as well, since some fraction of real people will definitely hit that on a daily basis.
> There are apocryphal stories of Google tar-pitting users with it, but I have never seen it in action.
That used to be the case when using Tor; I remember having to rotate exit nodes to get recaptcha to load at all.
These days the situation is a lot better, I've been able to pass Google captchas through Tor every time I tried this month. Seems like they even fixed audio-based captchas, so you no longer get instant-blocked if you try to use them.
Of course, all this could be reverted tomorrow, and there would be absolutely nothing we could do about it...
I have been personally tarpitted. It's not infinite, but it has super slow loading tiles, a comically large number of rounds you have to keep doing, and it has decided to fail you from the beginning meaning you wasted your time.
This is yet another example of Cloudflare centralizing the web. I’m tired of this. Sure the only previously viable solution was ReCAPTCHA from Google. But it’s Google. I depend on them for search. And, sure, their business model depends on them being able to track me online. But I know them. And it’s hard for me to live without them. So I’m ok with depending on them, but I worry about further centralization of the Internet if there’s an alternative. At the end of the day, I like the Internet how it is and how I’ve gotten used to it. Facebook is clearly evil, but I still check them from time to time to keep up with my friends, but a lot less than I used to. I, of course, need to use Google so even though their business is inherently about tracking me, what’s the alternative. But Cloudflare, they’re new. They disrupt what I’m used to. They add another player to the mix. So how dare they centralize the Internet?? This is total BS. I’ll stick with ReCAPTCHA.
Is anyone else worried about how Cloudflare keeps putting out great solutions day after day? They're getting too big because people are too satisfied with them. That's a bad thing, because one day in the future they might take away or change these offerings.
We need shittier solutions. That way we never feel the pain of once having a good solution to a problem and then losing it.
"Great solutions" is maybe an overstatement. If you build a bridge that puts everyone else out of business, and later discriminate on what traffic is allowed on the bridge, and after that you put an expensive toll booth on that bridge, that's a problem for everyone else if no one else can compete. At some point, you are doing society a disservice. At some point, great solutions become meager solutions by merit of a monopoly's ownership.
The solution is to make the internet itself resilient to this mode of attack. Not to create a single company big enough to gatekeep and spy on the whole network and to just trust them to act virtuously forever.
How did anyone cross the river before the bridge was built? If the bridge falls into disrepair or they start charging people an arm and a leg to use it, what stops someone else from coming along and building a better bridge? If Bridgeflare abuses their market position to prevent anyone else from building bridges then that could be rectified with government intervention, as in any other industry. I just don't get why there is so much FUD when they haven't, as far as I've seen, done anything to warrant it.
Cloudflare is a cancer and a lot of people are expressing that same sentiment. I think maybe only non-technical people are satisfied with them because they don't have a deeper understanding of what's happening.
Ok so the reason this painfully predictable reaction every time Cloudflare is on HN is because HNers have such a deep understanding of "what's happening." Got it.
Sir, you are probably the best CEO of this universe.... In an alternative reality your company has a search engine (count on me to help with that) and doesn't need any advertising to keep that running; it also has "don't be evil" as its code of conduct and actually applies it....
But yes, no one is perfect; at the end of the day I really prefer your business model, which does not need to break users' privacy.
On the one hand, I did post a reactionary hot take yesterday in response to the "pardon me, Cisco" ad that you posted [1]. I'm sorry for that; I should have kept that immediate reaction to myself. Still, I'm apprehensive about increasing the power of one of a handful of big players by routing my company's web traffic through Cloudflare, let alone running applications themselves on the Cloudflare platform, though Workers is certainly interesting technology. And I'm certainly not going to route all of my Internet traffic through Warp, or even use 1.1.1.1 for DNS.
But in the specific case of Turnstile, it is clearly now the least bad option. So I will be happy to use it when something like a CAPTCHA is needed.
If Google or Facebook offered Cloudflare $100B they’d probably have to take it. Add a quick TOS change and we are s-o-l. Hello gigantic super revenue earning centralized ad network (!$!$!).
In all seriousness, I don’t see Cloudflare centralizing the web. I see them decentralizing it by empowering smaller folks with easier tools for scale.
It's a stretch of an argument / not perfect, but I am glad the competition exists. It makes sense for Cloudflare to be big and privacy focused when competing in the big net real estate space of the modern web.
Decentralising where compute is running, but centralising a lot in terms of technologies and actors. While the former is about efficiency, the latter is about freedom and resiliency.
Cloudflare: "Cloudflare has a long track record of investing in user privacy, which we will continue with Turnstile."
Also Cloudflare: Tracks and fingerprints everyone, and blocks anyone who hardens their browser ("First we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment. Those challenges include proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request.").
There are no perfect solutions. In the arms race to protect against abuse, I'll take the solution that's more accessible, particularly to people that are discriminated against by CAPTCHAs, such as deafblind people.
I would actually be on board with such things if this were against abuse, but it's not -- it's preemptively assigning blame, since my copy of Firefox is not modified in any way except uBO, but CF loves to captcha it. The other stories in every one of these captcha threads, and the majority of the Cloudflare announcements at all, demonstrate this isn't isolated to "oops, our bad" but a systemic problem.
If I were DDoS-ing some site, I'd deserve every ban I get, but just browsing via the provided navigation links on the site shouldn't "pardon our interruption" or gatekeep.
Interesting. I wonder what other factors you might have going against you causing CF to captcha you - I have my Firefox loaded up with almost every ad-blocking, privacy, and anti-fingerprinting extension I could think of, but I rarely get CAPTCHAs.
Yes, and that's my point: there's no action the user can take to resolve accusations, and it's not because of abusive behavior; it's just `response.status(200 if random.randbool() else 403)`.
Ah yes, the classic "we care about security and privacy so much that we're going to force you to enable the biggest exploit vectors" move; classic Cloudflare:)
It's not a race when you arm both sides, as cloudflare did by hosting known abusers for years, working hard to shield them from the consequences of their actions.
What is the failure case for the Cloudflare captcha? In case browser fingerprinting fails to identify me as a human, do they fallback to a challenge that humans can solve, such as audio or image challenges?
Say what you will about Recaptcha, but they do have a way to eventually pass through the challenge.
For Cloudflare employees going through this thread, the linked "Turnstile Developer Documentation" link [1] in the Turnstile dashboard is returning a 404.
My problem with this is I want to use the CAPTCHA to deter humans from continuing. Letting them through automatically allows spammers/attackers to just continue on, but many will actually skip pages/sites where they have to do the CAPTCHA etc.
This helps the bot problem, but doesn't solve the SPAM problem.
Cloudflare's scheme with PATs is essentially a form of attestation, which, realistically, will only be implemented by Microsoft, Apple and Google, and if you're a Linux or BSD user who isn't integrated with a device manufacturer, you'd just have no other choice.
This is an unpopular opinion, but Recaptcha has never had this problem. I might face a few more captcha image screens to solve, but what’s being proposed with PATs is dangerous.
Companies will realize the majority of abuse comes from humans completing CAPTCHAs and little to none from TPM attestations. It's then a small leap to only trust TPMs and lock everyone else out. After all, every genuine user has an OS that requires a TPM.
If you read the article you realise you need a valid, unique device.
> In June, we announced an effort with Apple to use Private Access Tokens. Visitors using operating systems that support these tokens, including the upcoming versions of macOS or iOS, can now prove they’re human without completing a CAPTCHA or giving up personal data.
> By collaborating with third parties like device manufacturers, who already have the data that would help us validate a device, we are able to abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves. Rather than interrogating a device directly, we ask the device vendor to do it for us.
The trick is that bot farms do not have access to correctly provisioned mobile phones (for now). Thus anyone with a valid mobile device gets a pass.
Something about my browser trying to figure out if I'm not 'abusing' a website feels off to me. Perhaps because it's the user-agent acting in the interest of the website.
That depends on whether you can trust the browser. For example, browsers have long had flags to indicate whether they’re being driven by webdriver, but you can simply recompile the browser without those flags.
Is it really just "simply recompile"? I would assume some intensive patching and learning would be necessary, especially for someone who isn't familiar with the source or the build process.
Sometimes even more simple -- there are some methods people use that are as simple as "copy and paste this javascript that overwrites some properties". There's a lot of people scraping the web, so there's somebody out there that has done the work for you already.
My point is, you don't really know what software is connecting to your web server.
If you're automating a browser, you're probably technical enough to compile a patched web browser -- or, at least, to use someone's script to compile one, or to download one that someone else has built.
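An added example, not from this thread or from any browser or anti-bot vendor, of the flag being discussed and the "copy and paste this JavaScript that overwrites some properties" workaround. It runs in Node against a stand-in for the browser's Navigator prototype, since there is no real `navigator` outside a browser; the stand-in, the evasion snippet and the detection check are all constructed for this illustration.

```javascript
// Stand-in for the browser's Navigator: per the WebDriver spec, `webdriver`
// is a getter on Navigator.prototype, not an own property of the instance.
class FakeNavigator {}
Object.defineProperty(FakeNavigator.prototype, 'webdriver', {
  get() { return true; },      // this "browser" is under automation
  configurable: true,
});

// The flag check most anti-bot scripts start with.
function naiveIsAutomated(nav) {
  return nav.webdriver === true;
}

// What the pasted evasion snippets do before any page script runs:
// shadow the prototype getter with an own property on the instance.
function maskWebdriver(nav) {
  Object.defineProperty(nav, 'webdriver', { get: () => false, configurable: true });
  return nav;
}

// Look for the mask instead of the flag. An unmodified browser never has an
// own `webdriver` property on the navigator instance, so its presence means
// something rewrote it, whatever value it now returns.
function looksPatched(nav) {
  return Object.getOwnPropertyDescriptor(nav, 'webdriver') !== undefined;
}

// Combined verdict a challenge script would report back alongside its other signals.
function classify(nav) {
  if (looksPatched(nav)) return 'tampered';
  return naiveIsAutomated(nav) ? 'automated' : 'plain';
}
```

The own-property check catches the instance-level mask but not one placed on the prototype, and nothing in JavaScript catches a browser that was recompiled with the flag removed; in a real browser the next step is usually comparing `Function.prototype.toString.call(getter)` against `[native code]`, which a prototype patch fails and a rebuilt binary passes. That escalation is the point made above: each signal is cheap to read and only slightly more expensive to fake, so the server never really knows what software is on the other end.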
You're being downvoted, but while the question you pose proposes a bad idea, it is a good question that resulted in a lot of interesting conversation, so you get my upvote.