> Second, we find that a few privacy-focused users often ask their browsers to go beyond standard practices to preserve their anonymity. This includes changing their user-agent
> those users can immediately understand the issue and make a conscientious choice about whether they want to allow their browser to pass a challenge.
So they will block privacy-focused users. I guess VPNs will be blocked too. It seems they have just removed the captcha part of their system and are spinning it as a good thing to block certain users.
> and make a conscientious choice about whether they want to allow their browser to pass a challenge.
I don't know how to vocalize this exactly, but this wording really gets under my skin. It shifts the entire responsibility of being blocked over to the user; it's not Cloudflare blocking privacy configs from browsers, it's not Cloudflare circumventing the notion that user agents have agency to present how they want, it's not Cloudflare blocking people from changing their user-agents: no, it's the user who just decided that they don't want their browser to pass the challenge.
It also trivializes the impact, there's something about this phrasing that's like: "oh, it's no big deal, some users have just decided they don't want to allow their browser to pass a challenge."
I am not the person who decides whether or not my browser passes a check that Cloudflare invented. Phrasing it this way has some real, "everyone has a choice whether to give me their wallet, but people also have the freedom to decide whether or not they're going to allow me let them go without shooting them" vibes.
Bullcrap.
And this is a huge deviation away from the idea of purely clientside checks like Privacy Pass (not that those methods are perfect, but they were at least headed somewhat in the right direction). Cloudflare is basically admitting that they are going to focus on verifying hardware and restricting software configurations, and they want to phrase it like a good thing. It's soft DRM because they can't go all-in on hardware attestation yet, Cloudflare is openly saying, "we're going to restrict hardware categories and software from accessing the Open Internet."
Oh sorry, I should rephrase that. They're going to give users the power to decide whether or not they want their devices they own to be allowed by Cloudflare to access the Open web.
Whenever one of those Turnstile checkboxes show up I'm unable to get past it. It's been that way on most of my computers for over a year. I check it and it just reloads with a blank checkbox again. It's an eternal loop of death.
My Firefox installations are not even Arkenfoxed. I just use couple of privacy oriented add-ons and a few about:config tweaks.
> Cloudflare verifications are destroying the web.
This line of thinking assumes that without captchas, things that were captcha-walled would remain but be unprotected. I think the actual counter-factual is that those things would either require a nominal payment or some other harder-to-spoof-at-scale action first.
I run a service that provides arbitrary compute (Jupyter notebooks) on demand. Without a captcha, there was a period where it would have been overwhelmed by crypto miners to the point that it wouldn’t be available to anyone else.
Let's start with the low-hanging fruit though. How many people have their personal blog behind cloudflare? A lot of things really don't need it, aside from being told by cloudflare that they need their protection.
Generously offering free services that incur costs for the hoster are much harder to solve, no doubt about that. You essentially can't have anonymity because, if you did, any normal user will look indistinguishable from a cryptobro. You'll need to either have them cover the costs or have pseudonymity at best.
But in instances where anonymity is fine, I share the experience from the person you're responding to: just to read resources, to browse read-only material like a normal person, cloudflare is a barrier to the open web.
> A lot of things really don't need it, aside from being told by cloudflare that they need their protection.
Anything that has a dynamic backend of any kind (or, let's be real, even stuff that's static-built) will get relentlessly hounded by hackers the very same second it's online on the Internet. Be it spammers trying to sell you dick enlargement pills or questionable supplements, pedos looking for a place they can use to host their shit, botnet operators looking for good connectivity to abuse in DDoS attacks or whatever, targeted attacks against your site by extortion gangs (very common in business), or (particularly if you're active in the gamer/streamer scene) pseudo-"trolls" that just want to cause you harm for the lulz.
The problem is, as I've written multiple times here, that our governments are doing nothing against the bad actors, their ISPs and the countries that allow them to operate. That needs to be fixed, and then we won't have to rely on Cloudflare and friends any more.
I run so many dynamic things of many different kinds and cannot confirm this in the slightest.
There's the obvious things like public forums or contact forms where spammers submit messages, but "anything that has a dynamic backend of any kind" is just not true. Most things don't lend themselves for making money.
I do agree that we could do better about tackling the abuse that does happen, both by law enforcement and by sysadmins simply banning IP ranges whose abuse center doesn't make any attempt to solve the problem.
As someone who works for the government and whose team is doing nothing but fighting against bad actors, I don't think that's true. We're not doing nothing, that very unfair assessment.
It's like saying "we shouldn't have to lock our doors, but the governments are doing nothing to stop the robberies". And the internet is much more wild than the real world, IMO. The biggest obstacles to the safe internet I see are:
* Globality. Aspiring Russian cybercriminal can hack from their own basement with no OPSEC and VPN without any fear of repercussions as long as they don't bother anyone in Russia (and neighboring countries). Before COVID we used to have literal "wanted posters" (as a joke) in our office with names, addresses and photos of known cybercriminals that we could nothing to arrest, because they resided in another (usually Russian-speaking) country. Even in Europe it's not trivial, because Europol has relatively high requirements to start an international investigation and extradition, and "regular" cybercrime doesn't qualify - so one can send malware across the border as long as they want without any (real) fear.
* Velocity: there is no such thing like "bad actor ISP". I mean ok, there are so called bulletproof hostings, but in general the bad actors buy things like anyone else. The typical phishing campaign starts with criminal buying a domain (using fake data), cheap (or usually free/demo) hosting account, getting a letsencrypt certificate, uploading some fake login form HTML, now just send a few hundred thousand emails/SMS and you're done. Next day tweak some things and do the same, just with a different domain. The typical phishing campaign is live only for a few hours. There's no way a lawful country can make a proper legal decision in a few hours. And this is assuming no international cooperation - usually the server and domain are hosted by another country than the attacked country, so we're talking about contacting another country to make a legal decision in a few hours timeframe.
* Censorship fears: Ok, so a proper timely expropriation is not possible. What we have in practice is a list of more and less formal blacklists, like Google safe browsing, (extremely annoying and opaque) spam blacklists, and many lists of unsafe domains (my country provides one). In most cases the lists are DNS based, and they work great. In my country, our list is also applied by some ISPs automatically (so home users are protected as long as they don't change theit default DNS). It would work even better if every ISP applied it, and blocked malicious plaintext DNS requests on the wire, but I can already feel HN readers becoming tense as they read this (I don't like it too). We all hate censoring the internet, and want to preserve the right of normal people to be scammed by visiting a phishing website.
* Money: Having a dedicated abuse team cost money and brings no revenue. Just look at how google does it, and they are drowning in money. Imagine how responsive are smaller providers. In many cases you could as well try to contact /dev/null.
* Privacy: This rant is getting a bit long. I'll just mention that one of my colleagues (frustrated when a known criminal managed to turn off his computer and was let free later, since his disks were encrypted and there were no strong enough evidence to jail him) said "law abiding people have no reason to encrypt their disks". Of course I strongly disagree, but I share the frustration. With god-mode on the internet (the ability to read all the communication, get into any server and take down any domain) I could do so much more to help people in my country. I guess that's also what drives NSA and similar agencies to get more and more power. Unfortunately, we live in a democracy, so we have to make compromises, and I think the compromises we make (i.e. that my powers as someone fighting cybercrime are reasonably restricted) are good ones.
Personally, I think a big issue is that there are no legal repercussions for ISPs/hostings that repeatedly host malware/phishing. Even if they respond to abuse and take down something (maybe even block the account - the horror!), the same happens few days later and there's nothing that can be done. I think financial fines for gross negligence would really help to align the incentives here.
> As someone who works for the government and whose team is doing nothing but fighting against bad actors, I don't think that's true. We're not doing nothing, that very unfair assessment.
I'm just looking at the dozens of billions of dollars lost to scams in the US alone each year [1]. And that's just scams, not the other forms of cybercrime. And Europe isn't much better off.
(I won't copy your points for a quote since they're too long)
> Globality
Agreed. But Western governments, united, could mandate their ISPs and phone traffic to cut off all traffic from these countries. Most international carriers are based in the US and Europe. Guess how long India would take to dismantle their scam callcenters if cut off? A week tops. Russia wouldn't cave, but I see no reason for this country to be connected to the Internet at all, at least not as long as they are invading Ukraine. And China? They've been running rampant with espionage campaigns for years. It's time to accept this declaration of war and retaliate.
> Velocity
Oh hell yes there are bad actors. Phone providers providing connectivity to scammers and spammers, residential ISPs not acting against abuse reports and thus allowing compromised residential devices (e.g. cheap IoT crap) to continue to attack infrastructure... if I had anything to say, I'd mandate that three credible abuse reports should yield in the disconnection of any Internet participant, and that ISPs were to assist their customers in cleaning their devices. As for domain providers: mandate verification of domain names, and boot off providers that repeatedly violate this requirement. The only thing that reverses profit incentives is serious sanctions.
> Money
See above. Fine providers that don't respond to abuse requests similar to GPDR, up to 10% of yearly worldwide revenue. If they don't comply and show no credible efforts to become a good citizen of the net, cut them off.
Yes, I agree with you there. I think having static content be captcha-walled is generally dumb. Arguably cloudflare makes it too easy to do this (I think it’s on by default if you use them for DNS?) so I can see blaming them for it.
Just to add another reason why captchas are useful - a platform I operate was recently targeted by stolen CC testers that registered thousands of accounts to make the cheapest possible purchase on our site. I had to deal with the fallout, taking dozens of calls from angry people, refunding the transactions (of course you lose the transaction fee) etc. The only way to effectively stop them was a captcha on the checkout, and this is also what our payment processor, PayPal, required we do to reinstate our account.
There's no other signal that can be used, user agent was random, IP was random etc.
You don't even need Firefox or anything privacy-oriented. These checkboxes were forever hit-or-miss for me on a Chrome with the default settings (!). My ISP is using IPoE tunneling which has a side-effect of a shared IPv4 address among bunch of households and surprise-surprise no one in Cloudflare is aware that countries beyond US exist.
At this point I'd honestly take CAPTCHA over this bullshit.
> Cloudflare verifications are destroying the web.
Seconded.
At least for me, on Tor.
A lot of sites are behind Cloudflare.
The other killer problem of course are cookie-consent banners, and the considerable proportion of sites which have taken to emitting full-page modal dialogs the instant you view the site, or after you scroll down, or when you move the pointer upwards to pick another tab.
The amount of stuff you have to wade through to get to or use a site has reached the point where casual browsing isn't viable, not with Tor, not for me.
Cloudflare exposes Tor as a country that can be blocked, so a website operator could choose to block Tor for their website just as they could block any other country.
However, on my phone I cannot get past it. It's just an endless loop. The phone is an older model for the Indian market and the Firefox lags behind. So what, it's perfectly usable on 90% of the sites I want to visit. (Which excludes everything full of ads) I hate today's wasteful computing à la Android.
Edit: The article says there would be a report problem form. I have never seen that.
Yes. Not sure that these checks are always the result of a conscious choice though. They just come with the Cloudflare package.
I wonder what percentage of collateral damage they're expecting. I know I'm not alone.
They're saying 15% of people don't even attempt to complete the captchas. I wonder how many false positives are they getting with Turnstile. Hopefully less than 15%…
Only that most website operators are not in the know about the issues they will cause, if the use cloudflare or any third party hosting that in turn makes use of cloudflare.
I wonder how many site operators are aware of the underlying issue with leasing your site to CF, how much false positives and false negatives Cloudflare has, and if there are any alternatives.
I am curious to see how this works in practice. When I went to their Turnstile sign-up page [0], that is itself protected, I had no problems passing the test despite a slew of privacy-focused features enabled in my browser.
The captcha on this page takes a few seconds then says "Failure", with no message, then restarts itself, when using Tor Browser on the Safer mode.
edit: Was able to get a mix of a few successes and a few failures upon multiple browser restarts. Maybe I was lucky to avoid a discriminated exit node? I'm not sure if IP address is a factor here.
Interestingly, although my Firefox ESR passed the test, that page immediately made my laptop's fan spin up (normally only does that on media-heavy pages) - possibly thr "proof of work" test they mention in the article?
Trying to get past their captchas was futile anyway, so just being blocked without a false sense of hope is an improvement. I learned to make no attempt on them and to just close the tab immediately.
I wish they also included the report link on the failed attempts, so I can let them know when Turnstile stops me from seeing websites on my mobile about every other week. I know other people are annoyed by captchas for good reasons, but this system also sucks unfortunately.
Just a rant / modern web sucks / CloudFlare effective monopoly sucks. There are other providers - please give them a go to diversify the web a bit.
Yup. I run into this a lot with Firefox and it's super frustrating when some website's homepage just gives you a cloudflare error and a message that says "bummer bro, you're not allowed to see this. Here's a Ray ID that won't actually help you fix the issue"
I've let airlines and other companies know that Cloudflare isn't letting me buy their products but unsurprisingly they don't care (or tell me to clear my cookies)
I'd be interested in other DDoS mitigation providers for any site in the sub-$100/month price category. The only other ones I know are Amazon and Microsoft, and those tie you to their clouds.
https://www.x4b.net/protection/prices is on the cheap side, but I've not used them yet. Amazon you can use without hosting in their cloud by proxying all the CloudFront traffic to your external host. It may not be the best option long term, but with low traffic it should work fine.
Ovh and Hetzner provide their own solutions. Opinions are mixed there, but they both have big pipes at their disposal.
Hopefully this is an all-around improvement over the last year, and I'll see how it goes, but I've gotten a little concerned about all the blind dependence that a lot of sites now have on Cloudflare.
For one reason, I recently spent months with Cloudflare blocking my Firefox ESR from many sites, including 2 key paid ones for work.
When both companies showed zero interest in trying to figure out why Cloudflare was doing that, even if they lost a customer, I had the thought that this is probably what it's going to be like with a lot more things.
We all know some of the key huge companies that do the math about how many users they're willing to lose/screw, to gain some other advantage or to reduce some cost.
But Cloudflare might be one way that small companies will have no choice but to lose/screw users in an uncaring way, like they were those uncaring huge companies. That might hurt the companies eventually, but it will tend to hurt many users first.
Fingers crossed that at least Cloudflare is rising to the challenge to not become a resented Kafkaesque institution.
The normal response from privacy advocates to this bullcrap is to just complain about it and tell Cloudflare that they should do better. More and more I feel like we need to take a page from pirates and attackers and treat Cloudflare systems like Turnstile like what they are: malware that circumvents device control. And we should encourage people to break the systems and to come up with ways to fool the systems, we should encourage pooling information about clients in a way that makes it easier to lie to these checks and give them the responses to APIs that they expect to get.
We need to stop treating this like it's a civil conversation and put more energy into decompiling and breaking Captchas and other attestation methods, and normalize the idea that breaking these systems is good and should be accessible to normal people.
Because increasingly, breaking the systems is going to be the only way to run really privacy-focused software. It's like adblocking, you don't make progress by negotiating with advertisers, you block ads. We have no negotiating power with Cloudflare and no way to force companies to care about user privacy or freedom unless we have ways to circumvent these systems.
----
I'm tired of trying of entering into a relationship with Cloudflare where they break everything and we send them a bunch of bug reports begging to be let back in. Nah, we need to start decompiling their crap and circumventing it.
Great, then we'll keep using Privacy Pass, picture/audio CAPTCHAs, and proof of work, since you think those existing solutions are good?
----
People have a tendency to lean into whatever outcome they want as if it's the default outcome that everyone else needs to disprove. But the reality is, Turnstile is a new system that is being newly developed as a response to changing conditions around traditional CAPTCHA methods, and it's not any privacy advocate's fault that robots now know how to do OCR.
And "I don't need to figure out how to preserve your privacy" should give you some clarity into why privacy advocates are not very sympathetic when you say "well, we have to start doing fingerprinting now because the robots broke everything, what is the alternative?"
Nah, we don't have to find you an alternative if you have no interest in actually working with us to meet everyone's needs equally. It stinks that robots broke your audio CAPTCHAs, but that's not Firefox's fault and it's not a privacy advocate's job to fix. Particularly not in the situation where you're unwilling to advocate for our needs alongside your own.
> I'm not the one complaining about the existing solutions not being good.
So you are complaining that the existing solutions aren't good?
I mean, I'm perfectly fine sticking with existing CAPTCHA audio systems or proof of work. They're problematic but workable; over time we can push for systems like privacy pass that improve them for everyone. But if you want to propose that we go all-in on fingerprinting and capability testing, then what's your plan to mitigate the new privacy risks from that?
Right, and what I'm saying is that when a solution is proposed that stinks, it doesn't just magically get the default seal of approval, it doesn't suddenly become everyone else's problem to find an alternative.
Clouflare is proposing a solution with a negative impact on privacy rights and user autonomy. And you're kind of jumping right to, "well, unless you can perfectly solve the problem then we'll go with what they propose." That's not really how solutions or negotiations or anything works.
If your solution to "how do we distinguish bots" is that we'll stop caring about privacy, then I don't see why it's any less of a solution to say, "the way we'll preserve privacy is to stop caring about bots" -- other than that you've arbitrarily decided that the solution to this problem has to prioritize bot filtering over privacy.
The situation we're in is that CAPTCHAs are easier to defeat now than they used to be. Cloudflare is proposing that we get rid of privacy rights and user autonomy to solve that problem. The rest of us are saying, "sorry, it's a nice idea but privacy rights are non-negotiable."
It is not our responsibility to solve Cloudflare's problem, it is Cloudflare's responsibility to come up with a solution that isn't terrible. They're the ones who are saying that existing CAPTCHAs aren't good enough anymore, privacy advocates are fine sticking with status quo.
No, I'm saying "'your solution sucks' isn't constructive criticism". There are many solutions you can choose from, and you're welcome to choose any of them. The fact that this has privacy issues doesn't invalidate it as a solution, it just makes it unsuitable for people who want privacy. Those people will choose something else.
It's not Cloudflare's responsibility to do anything, really. They could just as well not have released this. As a service owner, I want to be able to distinguish legitimate users from bots. If I can't do that, there's a real possibility that I will stop offering a subset of my service. If someone can find a privacy-preserving solution to distinguishing legitimate users and bots, amazing, but, until then, users will have to choose between the existing solutions and not accessing my service at all.
I don't see how this could be any other way, and complaining about Cloudflare's implementation of a CAPTCHA doesn't do anything constructive, as far as I can see. The problem still remains, and no amount of "your solution isn't good, do better" is helping.
> No, I'm saying "'your solution sucks' isn't constructive criticism".
I don't think privacy advocates are trying to be constructive, we're trying to tell Cloudflare that their solution is bad. We're not offering them advice about how to write a novel and this isn't a support group for their developers; we're telling people who are refusing to prioritize privacy that we're not going to prioritize their needs either if they're not willing to care about ours.
> It's not Cloudflare's responsibility to do anything, really. They could just as well not have released this.
Great, I'm on board, let's do it :D
> If someone can find a privacy-preserving solution to distinguishing legitimate users and bots, amazing, but, until then, users will have to choose between the existing solutions and not accessing my service at all.
I don't see what this has to do with Cloudflare independently offering an attestation service. Again, you're jumping right to the assumption that it's our responsibility to solve your problem. It's not.
If you can come up with a privacy-preserving solution to distinguish legitimate users and bots, fantastic. But until then, you'll have to choose between not releasing your service or dealing with bots. We don't want to change the nature of the Internet to accommodate you. If that means you can't launch your service, I do have sympathy but... what are the alternatives? Privacy advocates aren't just going to be OK with having their privacy violated just because it makes it easier for business owners. We built a system around user agency and autonomy, and if you want to make changes to that system, if that existing system as it is today doesn't work for you then it's your job to figure out how to make the changes you need without breaking everything.
> and complaining about Cloudflare's implementation of a CAPTCHA doesn't do anything constructive, as far as I can see
It discourages Cloudflare from launching the service.
> The problem still remains, and no amount of "your solution isn't good, do better" is helping.
Again, I would flip this back on you. Complaining that existing CAPTCHAs aren't effective enough doesn't change anything about the privacy problems and restrictive nature of attestation, and no amount of "but how will we block bots otherwise" is going to help move that conversation forward. It's not any more constructive than telling business owners that they'll have to tolerate bots.
I feel a bit like: I'm sorry, but I don't know what you want me to say. I'm sorry that existing CAPTCHA methods today aren't good enough for you, but it doesn't sound like you have a suggestion about how to improve them without putting people's privacy at risk, and that's kind of a nonstarter. Let us know if you come up with an idea, but I don't know what to tell you in the meantime; you're the one who's saying that audio/image CAPTCHAs that exist today aren't suitable for businesses.
If you're worried about botnets, Cloudflare's solution won't save you either because normal unmodified browsers can be automated through extensions or remote debugging just fine.
Headless Chromium with some tweaks is already good enough that it's practically impossible to distinguish from regular Chromium, and Google knows it. That's why they were pushing for WEI (even though they were claiming it wouldn't impact browser extensions or debugging protocols). Google knows that environment browser/fingerprinting isn't an effective solution to stop automated requests, because normal user browsers out of the box allow sending automated requests.
Basically the only reason why botters don't already run full browsers is because of computer power, and botnets get around that problem. When attacks aren't limited by IP or compute power, attackers can just run regular browsers and bypass all of these checks. Even that isn't always necessary, a Raspberry Pi 5 is going to be perfectly capable of running a full Chrome instance to send automated requests through.
At least IP rate limits require actual work to circumvent, you need to acquire a botnet or a lot of IPs. Browser capability testing is comparatively easier to get around, you just run a full browser.
Great idea, let's tell Stripe, @pc, and all the financial companies to remove CAPTCHAs and hopefully automated fraud, card testing and disputes won't increase at all.
CAPTCHA is pain in the ass. In a project I am working on, I have two forms I needed to protect - sign up and sign in. Sign up form does not do anything beside storing credentials in cache and waits for confirmation email link to be used. Sign in form uses various authentication methods but resource-wise, it will load user object and compare data at most. I decided to not use any captcha and let rate limiting do the heavy lifting if I get caught in some bot's eye. There really is no need for captcha because you can rate limit any page or form and once bot passes the threshold, nothing can happen since it is not a real user. All this captcha usage are remnants from a decade ago when all was new on the internet. But today, it's entirely archaic concept and serves only to mine personal data, just like all those "free" CDNs and fonts and whatnot that bigtech uses to literally map the entire internet.
A few years ago I had a newsletter subscription form where one day some bot started subscribing with real email addresses. These real users started marking confirmation email as spam, which in turn affected domain reputation. I don't remember anymore if it used proxies with different IPs or not, but I added CAPTCHA fix this ... CAPTCHA for newsletter subscription...
DoSing the users they are signing up would be my guess. Many sites do not even do a validation step and will immediately add any submitted email to the mailing list. Your email box is then filled with tons of emails and manually unsubscribing takes a lot of effort and still only reduces the volume of incoming emails
This could just be used on its own as a way to annoy someone. Or it could be used to try to hide some legitimate email that you will receive, like if they are compromising your account somewhere that will notify you of the new login and hope you don't notice in the sea of spam.
You definitely didn't say that, that's true. What do you think is the reason that a company might choose to deploy a CAPTCHA and alienate a percentage of their users, rather than make their backend run more efficiently?
Rate limits are not going to help if you get targeted by somebody halfway serious. They’ll have plenty of nice residential IP addresses to bypass your rate limiting with.
if i allow one sign up/in request per ip per second, i have no fear of bots. i could implement additional "rate limit" per ip per request if i needed and ban ips if they exceed it manually. it's very easy to do. humans don't send more than one request per handler per second anyway.
That sucks, but it's also just a business decision. If 97%(I made that up, but I wouldn't be surprised if it was that high) of purchases through Tor are fraudulent, then it makes a lot of sense to just not allow it. Take your money elsewhere.
There was a report posted on HN months ago showing the proportion of fraudulent vs legitimate activities on Tor vs non-Tor across a pool of websites. Tor users were (slightly, IIRC) more likely to be malicious, but they represented a drop in the bucket against all malicious users. Maybe some sites that do block Tor might be seeing different proportions, I'd wager most of them do it because Tor == bad for most people.
How well does this work in practice? Does it block users who have relatively mundane settings like Firefox with "resist fingerprinting" on, or only extreme edge cases like someone's hand-compiled version of some obscure browser on HURD for Itanium with an extension that blocks all third party cookies and half of the JavaScript APIs in the browser?
I had issues using Apple private relay and an ad blocker on my iPhone, so this is probably the usual bullshit “we’re for the users!” then in reality it blocks anyone who doesn’t want to get fingerprinted. I’m not a fan.
The infinite turnstile loop is a real hassle for me. I only spoof my user agent because multiple websites block me if I don't pretend firefox is chrome. Now it's spoof on for those sites, spoof off for turnstile sites. When the two intersect, I guess I'll have to install chromium or switch banks/cell provider/etc.
It’s good to see Cloudlfare finally admit that they have been blocking human users. I’m one of the people that gets the infinite reloading cycle that Cloudflare claimed can’t happen in previous hacker news threads. In this post they finally admit they have been blocking human users they didn’t know about before. Gaslighting over, hopefully?
Can anyone explain why Cloudflare thinks it's their job to force CAPTCHAs or "Turnstile" on users? Why is bot traffic so bad for them? And in case it's about preventing DDoS attacks, can't they wait for an actual attack until they activate the check for a site?
>Audio CAPTCHAs are often much worse than even visual CAPTCHAs for humans to solve, with only 31.2% of audio challenges resulting in a three-person agreement on what the correct solution actually is
The goal of CAPTCHAs is for users to prove they are human. It's okay for a CAPTCHA to have multiple solutions that are human like to accept. Is giving up on audio and visual captchas an admission that bot owners have won and they are allowed to freely roam people's sites?
I don't understand how this can work though. Lets say someone tries to password stuff on your site. These CAPTCHAs don't do anything to stop the attacker. The attacker can just automate clicking the box if they get the challenge.
Wouldn’t be surprised if corporate browser vendors start clamping down on this over time.
I wonder which competing/opposing interests could provide counter-pressure to this trend, because let’s face it: caring for user interests is a legacy goal for big tech browser vendors.
> We don’t rely on tracking user data, like what other websites someone has visited, to determine if a user is a human or robot. Our business is protecting websites, not selling ads, so operators can deploy Turnstile knowing that their users’ data is safe.
In few lines they have positioned their product in a much more competitive way than Google reCAPTCHA, highlighting Google privacy pain point.
While there are several new concerns brought about by this, which I agree with and are highlighted in other comments... I wanted to celebrate the good news part which is seeing fewer captchas. I hope other operators can follow suit and replace their solutions with something more universally human friendly. Browsing the web should not be a harrowing experience for the people it was made for.
It's quite typical in our industry to churn something out quickly, which isn't always suitable, but sticks around for a very long time, before something better comes along. I hope captcha can be relegated to a historic footnote some day.
Any plans for a pay-as-you-go (self-service) plan?
I emailed you and asked you to take my money, but your sales team disqualified us because we wasn't big enough (reasonable, sales people are expensive).
But I think many smaller firms would like to pay a fair price for it, and have more configurability (logo removal, etc).
Haven’t dug in their code, but my best guess is to get the user to trigger a “trusted” event which is needed for access to certain browser APIs such as clipboard or audio.
Probably some fingerprinting trick.
The same is done by shady news websites which load a single sentence and ask you nonsensically to “Click to expand Article”.
My hot take for a while has been that trusted events are bad UX design. Highlighting text on a page can be treated as a trusted event to trigger things like audio autoplay.
It's a tricky problem to solve, and I guess it's technically better than nothing, but we really should be focusing on surfacing these permissions in a more user-understandable way. There's friction there -- we want to be able to go to Youtube and click a single button and have a video play. But stuff like video autoplay does not make sense to hide behind a user click that can be anywhere on the page or a keypress that can be basically anything at all.
It's too easy of a bar to cross imo; it breaks certain applications and makes them less reliable, but also makes it far too easy to just have a popup banner with an X, and poof, now you have all the permissions you need.
It checks lots of browser APIs and makes a proof-of-work calculation in the background. I guess we are getting close to paying for entry with computation.
I took it from the article: "We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it’s an actual browser." but yes, not yet.
The way you move your mouse, the timing of the click button down/button up events, all those things go into some algo to determine if you're a bot or not
No, not at all. The click is not important / needed, what matters is that by moving the mouse you're granting Cloudflare's JS permission to execute functions in the background that can't run without user interaction.
The article stated that this has nothing to do with it and the click would technically not even be necessary. It is just a way to start the procedure where Turnstile verifies your browser.
Wait... finally noscript/basic (x)html proper support? That said, with my noscrit/basic (x)html browsers, I have not seen a cloudflare captcha in months.
But... I stay alert, because that could come back in a whim.
OfT: I don't know what it is but I never get that site to load. Like I see people using it to archive things but I can never go there or read the links.
The slowdown is the browser NOT responding. I am not talking about completing it. There is an impact on the performance of the browser/page, which recovers after being navigated away
Generally, you shouldn't block fingerprinting from inside the browser, it is only a fool's errand that provides a false sense of security while being open to exploits, new techniques, bypasses and broken sites.
If you want to be safe from tracking, run your browser sessions in separate ephemeral containers or even VMs and trash them regularly for example. Qubes OS is at one of the extreme ends of this, but Chrome profiles are sufficient for the vast majority of use cases.
it's only a good thing as it will be maybe one less plugin to deal with
but i'd argue its a bad thing overall; if we cannot use curl/lynx/ect to hit a website to view somebody's squabbling on their blog, to not see the url to an image/video without loading it when you want to, something is amiss.
IMO, JS and other newer components are trying to make a general purpose OS out of the browser, and its a bit too much; which yes leads to needing to handle fingerprinting outside the browser; but really all this to stop the adtech from tracking our asses?
I do totally agree to regularly trashing of profiles; though the accessibility for more folks needs to be there, IE: the local-system automation of retaining plugin block profiles and a few others. just takes time and energy - but in an era where we uselessly burn energy and call it a currency and folks cling to it, well, it's just another wave to drown in
Can you please elaborate, how exactly running from fresh container would stop tracking?
As I see it, once you get fingerprinted, running from the same environment keeps your fingerprint (excluding (super)cookies, which you could clear inside your browser as well), thus not preventing tracking.
I wrote multiple times to cloudflare about not being able to verify as human (especially on chatgpt) but with no success. Technology working as intended /s
> those users can immediately understand the issue and make a conscientious choice about whether they want to allow their browser to pass a challenge.
So they will block privacy-focused users. I guess VPNs will be blocked too. It seems they have just removed the captcha part of their system and are spinning it as a good thing to block certain users.