11 votes

Turnstile: Privacy-preserving alternative to CAPTCHA by Cloudflare

6 comments

  1. mat

    I built a system along these lines sometime around 2006 or so. I thought then, as I think now, that CAPTCHAs are the wrong approach - why ask people to prove they are human when we can just detect they are (or detect the robots) instead? Isn't that what computers are for, automating things? (as an aside, the "Completely Automated" bit of CAPTCHA has always annoyed me, it requires manual input from the user - it's not automated!)

    Mine was less portable and definitely much less sophisticated, but I tested for bots and humans using various means invisible to the user, several of which were server-side and didn't require JavaScript - and it was incredibly effective at killing spam on my site, which had hundreds of thousands of pages with public comment forms on them. There was something of an arms race against the bots, but when isn't there?

    Anyway, this one looks really cool. I look forward to not having to identify any more pictures with boats in.

    11 votes
  2. skybrian

    From the blog post:

    Turnstile is our smart CAPTCHA alternative. It automatically chooses from a rotating suite of non-intrusive browser challenges based on telemetry and client behavior exhibited during a session. We talked in an earlier post about how we’ve used our Managed Challenge system to reduce our use of CAPTCHA by 91%. Now anyone can take advantage of this same technology to stop using CAPTCHA on their own site.

    [...]

    In June, we announced an effort with Apple to use Private Access Tokens. Visitors using operating systems that support these tokens, including the upcoming versions of macOS or iOS, can now prove they’re human without completing a CAPTCHA or giving up personal data.

    By collaborating with third parties like device manufacturers, who already have the data that would help us validate a device, we are able to abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves. Rather than interrogating a device directly, we ask the device vendor to do it for us.

    [...]

    Rather than try to unilaterally deprecate and replace CAPTCHA with a single alternative, we built a platform to test many alternatives and rotate new challenges in and out as they become more or less effective. With Turnstile, we adapt the actual challenge outcome to the individual visitor/browser. First we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment. Those challenges include proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request.

    5 votes
    1. helloworld

      Sooo, devices not listed as part of PAT initiative are relegated to extra burden of proof. Not sure if I like it.

      1 vote
      1. skybrian

        You could frame it the other way by saying that devices with built-in support for this sort of thing don't need to use their alternative heuristics.

        This is sort of like what happens with new browser standards; there are sometimes "polyfills" for older browsers, but they often don't work as well as the real thing. In a world where there are lots of different browsers and devices with different levels of support, I don't see what the alternative is to doing the best you can with what you have.

        We'll see how well CloudFlare does on the long tail. Hopefully there will be increasing browser support for PAT, because whatever heuristics they pick will likely become increasingly ineffective as attackers understand them better.

        3 votes
  3. FluffyKittens

    While I truly respect the intent, and think cloudflare’s doing a good thing here… inb4 problematic bugs, and major problems for the long tail end of users on non-standard browsers.

    2 votes
    1. NoblePath

      Surely there's a fallback?

      1 vote