Cloudflare’s CAPTCHA replacement lacks pedestrian crossings, checkboxes, Google

CAPTCHAs are meant to prevent these kinds of browsing scenarios, not teach all of us how to better recognize vehicles and infrastructure in grainy photos.

Cloudflare recently made an audacious claim: We could all do something better with our lives than deciding which images contain pedestrian crossings or brake lights, or clicking the “I’m not a robot” checkbox. Now the cloud company is offering a free CAPTCHA alternative, Turnstile, available to anyone, Cloudflare customer or not, and it specifically calls out Google’s role in the existing “prove you are human” hegemony.

Turnstile uses Cloudflare’s Managed Challenge system, which takes cues from user behavior, browser data and, on Apple devices, Private Access Tokens to distinguish human visitors from bots and scripts. Cloudflare says its Managed Challenge system was able to reduce the CAPTCHAs served to visiting customers by 91 percent over the course of a year.

Turnstile integrations trigger “a series of small, non-interactive JavaScript challenges” to examine the visitor, including proof of work, proof of space, probing for web APIs, and “various other challenges for detecting browser quirks and human behavior,” states the Cloudflare post. The challenges vary by visitor, and machine learning can update the model with common traits of users who have previously passed the test. The user sees the “Verifying…” widget only for a moment, then “Success!”

Note the lack of grid-aligned, blurry images that give you the impression that you are helping Skynet to refine its targeting.


Cloudflare says that besides being annoying and wasting time, CAPTCHAs (the name stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”) are largely controlled by Google via the reCAPTCHA service. Google announced in 2017 that the service would become largely invisible in newer versions, using the same kinds of browser and behavior cues to humanity that Cloudflare touts to eliminate even the not-a-robot checkbox. One aspect of that proof that security researchers have apparently figured out: being logged into a Google account.

“Google says it doesn’t use this information for ad targeting, but at the end of the day, Google is an ad sales company,” says the Cloudflare post.

Google bought reCAPTCHA in 2009 and used it early on to solve problems such as digitizing books, reading house numbers in Street View, and, as you can probably guess, identifying objects such as stairs, palm trees, taxis, and the like in image recognition tools. Cloudflare notes that CAPTCHA’s ubiquity is one of its strengths, as it has a steady, constantly updated database of solves and behavior to rely on.

Google’s reCAPTCHA offers an “invisible” mode in V2, from 2017, and a V3 that “will never disturb users”. Most internet users still see their fair share of photo picker grids and not-a-robot checkboxes, possibly because sites and developers have not upgraded to newer versions, or potentially because the users appear “suspect” to an unknown algorithm.

Cloudflare, originally a content delivery network that expanded into security, hosting and just about every other aspect of cloud computing, cites its mission to “help build a better internet” as the reason it is giving away a free verification service. The company, whose reverse proxy service is used by around 20 percent of all sites, has recently made headlines for its long-debated dropping of the hate site Kiwi Farms and its decision not to pull out of Russia after the invasion of Ukraine.