If this judges the browser more than the user, what do I do when the browser fails? Do I refresh the page hoping for a different batch of invisible challenges? Do I submit a ticket to CF customer support... despite not being a customer?
However, the honest truth is that nothing that comes out of Cloudflare should be trusted as "privacy oriented".
Although I suspect it was supposed to be transparent, it still ended up being a disaster for many of the users, especially the non-technical ones. The web site's support forum was full of complaints from what seemed to be legitimate, long-time users and customers.
Even benign and reasonable user agent variations from the "norm" seemed to cause problems for this particular system. For example, I recall a default Chrome installation working well enough, but adjusting its configuration to harden its security or privacy seemed to confuse the web site's blocking system.
In my case, I had to keep around and use a dedicated ancient browser installation, since newer ones seemed to trigger repeated challenges for some reason I could never figure out.
The challenge page even had a report-a-problem form, but I don't know if anyone or anything actually considered the submissions.
Even the web site's administrators seemed to have trouble figuring out why legitimate users were getting flagged repeatedly by this system they were using.
I ended up just not using that web site any longer. The hassle wasn't worth it.
Where I usually get tarpitted is by Cloudflare. I'll pass the (automated) CAPTCHA, the page will reload (still as if I had passed), and … it'll be another CAPTCHA. I'm pretty sure these usually amount to a passive-aggressive demand for cookies/storage, but I just vote with my browser & go back/somewhere else.
But if you are behind any sort of carrier-grade NAT or otherwise sharing IPs, you're a second-class netizen, sucks to be you.
But, haha fool you, CF now gatekeeps some unholy percentage of the web, so the "somewhere else" list is going to get smaller and smaller with no recourse, as best I can tell. Maybe disposable Firefox containers for your specific situation, but only maybe.
This is definitely a good question. With the “Managed Challenge” feature it seems to degrade gracefully — if you have, say, a positive profile with Cloudflare, an iOS device where it can use PAT, etc. you never see the prompt but eventually it'll fall back to the same CAPTCHA you're seeing today. It'd be useful to confirm that this is how Turnstile works as well since some fraction of real people will definitely hit that on a daily basis.
That used to be the case when using Tor; I remember having to rotate exit nodes to get recaptcha to load at all.
These days the situation is a lot better; I've been able to pass Google captchas through Tor every time I tried this month. Seems like they even fixed audio-based captchas, so you no longer get instant-blocked if you try to use them.
Of course, all this could be reverted tomorrow, and there would be absolutely nothing we could do about it...
It's still completely unusable on Tor. It hangs forever.
We need shittier solutions. That way we never feel the pain of once having a good solution to a problem and then losing it.
The solution is to make the internet itself resilient to this mode of attack. Not to create a single company big enough to gatekeep and spy on the whole network and to just trust them to act virtuously forever.
Erm, hello, hCAPTCHA[1] ?!?
Can't remember when they started, but I certainly jumped ship to hCAPTCHA what is now many years ago.
Privacy protection is stated there on their homepage as their key differentiator with ReCAPTCHA.
But yes, no one is perfect, but at the end of the day I really prefer your business model that does not need to break users' privacy.
On the one hand, I did post a reactionary hot take yesterday in response to the "pardon me, Cisco" ad that you posted [1]. I'm sorry for that; I should have kept that immediate reaction to myself. Still, I'm apprehensive about increasing the power of one of a handful of big players by routing my company's web traffic through Cloudflare, let alone running applications themselves on the Cloudflare platform, though Workers is certainly interesting technology. And I'm certainly not going to route all of my Internet traffic through Warp, or even use 1.1.1.1 for DNS.
But in the specific case of Turnstile, it is clearly now the least bad option. So I will be happy to use it when something like a CAPTCHA is needed.
In all seriousness, I don’t see Cloudflare centralizing the web. I see them decentralizing it by empowering smaller folks with easier tools for scale.
It’s a stretch of argument / not perfect — but I am glad the competition exists. It makes sense for Cloudflare to be big and privacy focused when competing in the big net real estate space of the modern web.
Also Cloudflare: Tracks and fingerprints everyone, and blocks anyone who hardens their browser ("First we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment. Those challenges include proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request.").
I would actually be on-board with such things if this were against abuse, but it's not -- it's preemptively assigning blame, since my copy of Firefox is not modified in any way except uBO, but CF loves to captcha it. The other stories in every one of these captcha threads, and the majority of the CloudFlare announcements at all, demonstrate this isn't isolated to "oops, our bad" but a systemic problem.
If I were DDoS-ing some site, I'd deserve every ban I get, but just browsing via the provided navigation links on the site shouldn't "pardon our interruption" or gatekeep.
Say what you will about Recaptcha, but they do have a way to eventually pass through the challenge.
[1]: https://developers.cloudflare.com/turnstile/get-started/clie...
> without having to be a Cloudflare customer or sending traffic through the Cloudflare global network
And you don't even need to use CF as a proxy.
This helps the bot problem, but doesn't solve the SPAM problem.
and trust me, this technology is not in the interest of the user, especially if the user wants free (as in freedom) and open internet.
> In June, we announced an effort with Apple to use Private Access Tokens. Visitors using operating systems that support these tokens, including the upcoming versions of macOS or iOS, can now prove they’re human without completing a CAPTCHA or giving up personal data.
> By collaborating with third parties like device manufacturers, who already have the data that would help us validate a device, we are able to abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves. Rather than interrogating a device directly, we ask the device vendor to do it for us.
The trick is that bot farms do not have access to correctly provisioned mobile phones (for now). Thus anyone with a valid mobile device gets a pass.