Cloudflare launches invisible, privacy-focused Captcha to take on Google

What just happened? Despite all the advances made by the internet and technology in general, there are still times when accessing a website requires you to decide whether a set of traffic lights fit in a box or two. Captchas like this example are still annoying, but Cloudflare has released a version that removes those irritating tests.

With the arrival of ReCaptcha 3 in 2018, Google removed the need to select specific sections of images, decipher barely readable text, or even click a box to prove you weren’t a bot, by replacing them with scores based on user interactions.

Internet infrastructure company Cloudflare’s version, called Turnstile, works the same way: an invisible process that determines whether a site visitor is real. The system, which can be implemented via a free API, uses non-interactive JavaScript code that performs background checks, including proof-of-work, proof-of-space, web API verification, and miscellaneous other challenges to detect browser- quirks and human behavior.

The system does not check for advertising cookies or login cookies, and Cloudflare points out that while Turnstile does review some session data, such as browser characteristics, the company does not store any data. Researchers say reCaptcha uses Google login cookies as part of its checks to determine if someone is human, and there are concerns that the data it captures could be used for targeted advertising.

“Turnstile also includes machine learning models that detect common characteristics of end visitors who have successfully completed a challenge before. The computational difficulty of these initial challenges may vary by visitor, but it is designed to run quickly,” Cloudflare said.

Detected humans will have an anonymous Private Access Token (PAT), developed alongside Apple, or tokens from Cloudflare’s backend issued to their browser, so when they perform actions on the website, the token is there to confirm that they are not a bot. If Turnstile cannot verify that a visitor is human, it will revert to a manual bot test.

“If a person was walking down the street next to a robot, even without asking the person or the robot questions, you could observe the differences between them just by watching them pass,” said Cloudflare’s chief technology officer. , John Graham. -Cumming (via wired). “Turnstile may do this for signals your computer sends to the website you are accessing, which includes the web browser you are using or the device it is coming from. In the case of a machine trying to impersonate a human user, they often don’t get all those details right – there’s usually something ‘wrong’ in the request.”

Nearly 98% of internet traffic uses ReCaptcha from Google. Cloudflare says Turnstile, which was just released in a public beta test, is more privacy-focused and offers a better overall experience, but it still faces a battle to capture significant market share in this segment.

h/t: The Reg

About Nereida Nystrom

Check Also

LambdaTest launches support for macOS Ventura on its cloud-based continuous testing platform The company is one of the first cloud testing platforms to release support for …