With the arrival of reCAPTCHA 3 in 2018, Google removed the need to pick out specific sections of pictures, decipher barely legible text, or even click a box to prove you weren’t a bot, replacing them with scores based on user interactions. Internet infrastructure company Cloudflare’s version, called Turnstile, works similarly: an invisible process determines whether a site visitor is real.

The system, which can be implemented via a free API, uses non-interactive JavaScript code that carries out background checks, including proof-of-work, proof-of-space, checking for web APIs, and various other challenges for detecting browser quirks and human behavior. The system doesn’t check advertising cookies or login cookies, and Cloudflare emphasizes that although Turnstile does look at some session data, such as browser characteristics, the company doesn’t store data of any kind. Researchers say reCAPTCHA uses Google login cookies as part of its checks to determine if someone is human, and there are concerns that the data it captures could be used for targeted advertising.

“Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast,” said Cloudflare.
Visitors detected as human will have an anonymous Private Access Token (PAT), developed alongside Apple, or tokens from Cloudflare’s backend issued to their browser, so that when they perform any actions on the website, the token is there to confirm they’re not a bot. If Turnstile can’t verify that a visitor is human, it will revert to a manual anti-bot test.

“If a person were walking down the street next to a robot, even without asking the person or robot any questions, you’d be able to observe differences between them just by watching them walk past,” said Cloudflare’s chief technology officer, John Graham-Cumming (via Wired). “Turnstile can do that for the signals your computer sends to the website you’re accessing, which include what web browser you are using or what device this is coming from. In the case of a machine trying to impersonate a human user, they often don’t get all these details right—there’s usually something ‘off’ about the request.”

Almost 98% of internet traffic uses Google’s reCAPTCHA. Cloudflare says Turnstile, just released in a public beta test, is more privacy-focused and offers a better overall experience, but it still faces a battle to grab significant market share in this segment.

h/t: The Reg