Think about it: how much time do you spend each month reviewing and selecting images of bridges, boats or traffic lights, just to prove to a website that you are not “a robot”? Few things on the Internet are as hated, and at the same time as necessary, as CAPTCHAs, the bot detection system that countless websites rely on to keep automated bots from overrunning them.

Not surprisingly, ‘CAPTCHA’ stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”

Google bought reCAPTCHA in 2009 and initially used it to kill two birds with one stone: while forcing users to interact, it used the information they provided to solve problems related to the digitization of books, the detection of Street View house numbers and… the identification of objects (such as, ahem, bridges, ships or traffic lights) for image recognition tools.

Initially free, over time Google began charging websites with higher traffic volumes. That was when Cloudflare, the largest content delivery company on the Internet, stopped using reCAPTCHA in favour of its own solution, hCaptcha. Now Cloudflare has announced the availability of a new CAPTCHA technology with which it seeks to challenge Google’s leadership in this field. Its name? Turnstile.

Under the Turnstile Hood

To the user, it all comes down to a widget embedded in the web page that shows a ‘Verifying…’ message for a few seconds and then a ‘Success!’. But what is going on ‘under the hood’? What is that widget actually checking?

This new ‘prove-you-are-human-online’ technology, as we might call it, is built on Cloudflare’s Managed Challenge system. To distinguish human visitors from bots and scripts, it gathers ‘signals’ of user behaviour from browser data and, on Apple devices, from Private Access Tokens.

Turnstile implementations run “a series of small, non-interactive JavaScript challenges” to probe the visitor, including a ‘proof of work’ (based on the same principle as bitcoin mining, though far less computationally demanding) and “exploring web APIs and other challenges to detect browser quirks and human behavior.”
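To make the ‘proof of work’ idea concrete, here is an added, self-contained illustration of the principle (it is not Turnstile’s actual challenge, nor Cloudflare’s code): the server hands out a random challenge, the visitor’s browser must burn a little CPU finding a nonce whose SHA-256 hash starts with enough zero bits, and the server verifies the answer with a single hash. The difficulty of 12 bits and the in-memory challenge book are constructed values for this example.

```python
import hashlib
import secrets
from typing import Optional

# Difficulty is the number of leading zero bits the SHA-256 digest must have.
# 12 bits means roughly 4096 hash attempts on average: imperceptible for one
# human page load, a real cost for a bot hitting the site thousands of times.
# (Constructed figure for this illustration, not Turnstile's setting.)
DEFAULT_DIFFICULTY = 12

# Server-side record of issued, not-yet-solved challenges (in-memory for the example).
_outstanding = set()


def issue_challenge() -> str:
    """Server side: hand the visitor a fresh random challenge and remember it."""
    challenge = secrets.token_hex(16)
    _outstanding.add(challenge)
    return challenge


def _leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _digest(challenge: str, nonce: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def solve(challenge: str, difficulty: int = DEFAULT_DIFFICULTY,
          max_attempts: int = 5_000_000) -> Optional[int]:
    """Client side: brute-force a nonce. This is the costly half of the exchange."""
    for nonce in range(max_attempts):
        if _leading_zero_bits(_digest(challenge, nonce)) >= difficulty:
            return nonce
    return None


def verify(challenge: str, nonce: int, difficulty: int = DEFAULT_DIFFICULTY) -> bool:
    """Server side: one hash to check. A challenge the server never issued is
    rejected, and a solved challenge is consumed so the same answer cannot be
    replayed on a later request."""
    if challenge not in _outstanding:
        return False
    if _leading_zero_bits(_digest(challenge, nonce)) < difficulty:
        return False
    _outstanding.discard(challenge)
    return True


if __name__ == "__main__":
    c = issue_challenge()
    n = solve(c)
    # The first verify succeeds; the second fails because the challenge was consumed.
    print(c, n, verify(c, n), verify(c, n))
```

The asymmetry is the whole point: verification costs the server one hash, while the solver pays thousands, and raising the difficulty scales that cost for automated clients without adding any interaction for a human.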

The challenges vary from visitor to visitor and, in addition, the system is capable of learning: thanks to machine learning, it can update its criteria by incorporating the common characteristics of users who previously passed the test.

A nudge to Google

But is Cloudflare’s only reason for rolling out an alternative to reCAPTCHA to spare users from having to pick out photos every so often? No, it is not (only) that. They simply do not trust Google:

“Using this tool (reCAPTCHA) is free, but it actually comes at a cost to privacy: you have to provide your data to an advertising sales company. According to security researchers, one of the signals Google uses to decide whether you are malicious is to check if you have a Google cookie in your browser. If you have it, Google will give you a higher score. Google denies that they use this information for advertising purposes, but, ultimately, Google is an advertising sales company.”

And for that reason, Cloudflare has decided to offer Turnstile to all webmasters free of charge, whether or not they are its clients. “To replace a CAPTCHA service” from Google, they explain, “all you have to do is the following”:

Create a Cloudflare account, go to the “Turnstile” tab in the navigation bar and get a site key and a secret key.

Copy the Cloudflare JavaScript from the dashboard and paste it where your existing CAPTCHA JavaScript was.

Update the server-side integration by replacing the siteverify URL in your existing integration with Cloudflare’s.
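The third step is the one that matters for security: the widget only puts a token into the form, and it is the server that must send that token to Cloudflare and act on the answer. The following is an added example of that server-side check in Python; it is not code from the article or from Cloudflare. The endpoint URL, the `secret`/`response`/`remoteip` request fields and the `success`/`hostname`/`action`/`error-codes` response fields are taken from Cloudflare’s Turnstile documentation as the author of this example knows it, the secret key is a placeholder, the 2048-character token limit is an assumption, and the HTTP transport is injectable so the function can be exercised without network access.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Cloudflare's siteverify endpoint (from Cloudflare's Turnstile documentation,
# not from the article above).
TURNSTILE_SITEVERIFY = "https://challenges.cloudflare.com/turnstile/v0/siteverify"

# Placeholder: the real secret key comes from the Turnstile tab of the
# Cloudflare dashboard and must never leave the server.
SECRET_KEY = "PLACEHOLDER_TURNSTILE_SECRET_KEY"

# Assumed upper bound on token length. Rejecting oversized input before the
# network round-trip stops the verification path from being used as an amplifier.
MAX_TOKEN_LEN = 2048


def _post_form(url: str, fields: Dict[str, str]) -> dict:
    """Default transport: URL-encoded POST, JSON body back."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_turnstile(
    token: str,
    secret: str = SECRET_KEY,
    expected_hostname: Optional[str] = None,
    expected_action: Optional[str] = None,
    remote_ip: Optional[str] = None,
    post: Callable[[str, Dict[str, str]], dict] = _post_form,
) -> Tuple[bool, str]:
    """Server-side check of the token the widget placed in the form (field
    cf-turnstile-response in Cloudflare's docs). Returns (accepted, reason)
    and fails closed on any transport or format problem."""
    if not token or len(token) > MAX_TOKEN_LEN:
        return False, "missing-or-oversized-token"

    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip

    try:
        result = post(TURNSTILE_SITEVERIFY, fields)
    except Exception as exc:  # timeout, connection error, non-JSON body
        # Fail closed: an unreachable verifier must not become a free pass.
        return False, f"siteverify-unreachable: {exc.__class__.__name__}"

    if not isinstance(result, dict) or result.get("success") is not True:
        codes = result.get("error-codes", []) if isinstance(result, dict) else []
        return False, ",".join(codes) or "verification-failed"

    # "success" alone is not enough: bind the token to this site and this form,
    # so a token minted for another hostname or another action is rejected.
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    if expected_action and result.get("action") != expected_action:
        return False, "action-mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Real usage: call with the token from the submitted form, e.g.
    # verify_turnstile(form["cf-turnstile-response"], expected_hostname="example.com")
    print(verify_turnstile("", expected_hostname="example.com"))
```

Two points a practitioner would want from this step: the function returns a reason string so a rejected login can be logged (a burst of `timeout-or-duplicate` results, for instance, is a sign that a token is being replayed), and the hostname and action checks are what turn “Cloudflare says this token is valid” into “this token was issued for this form on this site”.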

