Cloudflare’s Turnstile Project Aims to Replace CAPTCHA

If you’re fed up with clicking pictures of traffic lights and boats when trying to visit a website, Cloudflare might have the solution.

The content delivery giant announced a new project this week called Turnstile, which it hopes will provide the same level of website security without the hassle.

Turnstile is described as a “user-friendly, privacy preserving alternative” to CAPTCHA. It will remove the interactive challenges that individuals are asked to perform to verify that they are real people and not bots, a process that Cloudflare says takes an average of 32 seconds.

Is this all about saving time?

CAPTCHAs are an annoying but, for now, necessary part of modern web browsing. They are designed to tell human visitors apart from automated clients, so that a site can refuse or slow the bot traffic behind spam, fake account creation, credential stuffing and scraping, and so that a flood of automated requests does not knock the site offline.

Such floods can occur when there is an unexpected spike in legitimate traffic, such as when a page goes viral, but the more dangerous case is a coordinated attack, specifically an application-layer DDoS (distributed denial-of-service) attack.

In these incidents, criminals use a botnet to flood a target website with requests until it is overloaded and stops responding.

CAPTCHAs have evolved over the years, with most modern designs asking site visitors to click on specific images in a grid.

Unlike most cyber crime techniques, DDoS attacks aren’t designed to steal sensitive information or to compromise the victim’s internal systems. Their purpose is disruption, although the consequences of that disruption can be significant.

With an organization’s website offline, prospective visitors won’t be able to interact with the site as they usually would. This could mean they are unable to access services, and for e-commerce sites, they won’t be able to make purchases.

CAPTCHAs help mitigate these risks because the challenge adds a cost to every request a bot makes, throttling the flood at the point where it would otherwise be cheapest to generate. Some bots can solve CAPTCHAs, and criminals can also pay low-wage workers or solving services to complete them on the bot’s behalf, but the added cost per request is enough to deter most opportunistic attacks.

As with most web security controls, the goal of these challenges isn’t to create an iron-clad defense. That’s simply not possible given the sophisticated and ever-evolving techniques at cyber criminals’ disposal.

Rather, the goal is to make your systems secure enough that it isn’t worth cyber criminals’ time to target you. There are hundreds of thousands of organizations that criminal hackers can go after, and in most cases they will target whichever organization is easiest to break into.

In the words of the author Jim Butcher: “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.”

CAPTCHA if you can

Despite the success of CAPTCHAs over the years, there has been growing frustration with the mechanism. Security researchers have discovered bugs in various CAPTCHAs, while cyber criminals are becoming increasingly adept at finding holes in the system.

Several websites offer human- and AI-backed services that enable cyber criminals to solve the interactive challenges for as little as 50¢ per thousand solved CAPTCHAs.

Cloudflare was among the most frustrated. The organization’s chief technology officer, John Graham-Cumming, told TechCrunch: “The biggest issue with CAPTCHA is that user experience is terrible. As computers have gotten better at solving them, the user experience has only gotten worse.”

He also noted that people with visual disabilities struggle to complete the challenges, and that the system tends to carry a cultural bias, with CAPTCHAs often assuming that people are familiar with U.S. taxis, buses and so on.

Cloudflare previously tried to address these problems in 2020 by switching from Google’s reCAPTCHA to hCaptcha, a third-party service, a move partly prompted by Google beginning to charge for reCAPTCHA. hCaptcha still relied on interactive puzzles, such as clicking every image in a grid that shows a train.

Those puzzles were met with mixed reviews, which sent Cloudflare back to the drawing board. Its answer, two years later, is Turnstile.

How will Turnstile improve things?

Instead of presenting a visual puzzle to the website visitor, Turnstile runs a rotating set of non-interactive challenges inside the browser, escalating to harder ones if it detects what Cloudflare calls “non-human behaviors.”

Explaining how Turnstile works, TechCrunch writes: “Turnstile uses JavaScript-based challenges that read the web browser environment for signals that indicate there’s a person entering the site, cycling through tests like proof of work, proof of space, and probing for web APIs.

“It also utilizes machine learning models to compare previously successful challenges with new ones, speeding up the passing process.”

Cloudflare believes that Turnstile is just as secure as CAPTCHA, and notes that it supports features such as Private Access Tokens, which let a device attest that it is running a genuine browser without handing identifying data to Cloudflare, to minimize the amount of data that’s collected.
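What the description above leaves implicit is where the security actually lives: the widget only produces a token, and a site that accepts the form without checking that token on the server has no protection at all. The block below is an added example, not Cloudflare’s code or the article’s, written in Node.js against Cloudflare’s documented siteverify endpoint and response fields (success, error-codes, challenge_ts, hostname, action). The secret, token, hostname, action name and the canned responses are constructed for illustration, and the five-minute freshness window is an assumption about the documented token lifetime.

```javascript
// Added example (not Cloudflare's code): server-side verification of a
// Turnstile token. The widget drops its token into the form field
// "cf-turnstile-response"; the server must then POST it to Cloudflare's
// documented siteverify endpoint and act only on the verdict that comes back.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
const MAX_TOKEN_LENGTH = 2048;          // documented maximum length of a widget token
const MAX_TOKEN_AGE_MS = 5 * 60 * 1000; // freshness window (assumption: tokens are short-lived and single-use)
const CLOCK_SKEW_MS = 60 * 1000;        // tolerate a slightly fast clock on the verifier side

// Form-encoded body the siteverify endpoint expects.
function buildSiteverifyBody(secret, token, remoteIp) {
  const body = new URLSearchParams();
  body.set("secret", secret);
  body.set("response", token);
  if (remoteIp) body.set("remoteip", remoteIp); // optional; lets Cloudflare cross-check the client IP
  return body;
}

// Judge a parsed siteverify response. Only success:true for the expected
// hostname and widget action, with a fresh challenge_ts, counts as a pass.
function evaluateSiteverify(result, { expectedHostname, expectedAction, now = Date.now() }) {
  const codes = (result && Array.isArray(result["error-codes"])) ? result["error-codes"] : [];
  if (!result || result.success !== true) {
    return { ok: false, reason: "not-success", codes };
  }
  if (result.hostname !== expectedHostname) {
    // A valid token minted for another site must not unlock this one.
    return { ok: false, reason: "hostname-mismatch", codes };
  }
  if (expectedAction !== undefined && result.action !== expectedAction) {
    // A token solved on the newsletter form must not unlock the login form.
    return { ok: false, reason: "action-mismatch", codes };
  }
  const ts = Date.parse(result.challenge_ts);
  if (Number.isNaN(ts) || now - ts > MAX_TOKEN_AGE_MS || ts - now > CLOCK_SKEW_MS) {
    return { ok: false, reason: "stale-or-invalid-timestamp", codes };
  }
  return { ok: true, reason: "ok", codes };
}

// Full round trip. fetchImpl is injectable so the flow can be exercised offline.
async function verifyTurnstile({ secret, token, remoteIp, expectedHostname, expectedAction, fetchImpl = globalThis.fetch }) {
  if (typeof token !== "string" || token.length === 0 || token.length > MAX_TOKEN_LENGTH) {
    return { ok: false, reason: "missing-or-oversized-token", codes: [] };
  }
  const resp = await fetchImpl(SITEVERIFY_URL, { method: "POST", body: buildSiteverifyBody(secret, token, remoteIp) });
  if (!resp.ok) {
    // Fail closed: an unreachable verifier must not let requests through unverified.
    return { ok: false, reason: `siteverify-http-${resp.status}`, codes: [] };
  }
  return evaluateSiteverify(await resp.json(), { expectedHostname, expectedAction });
}

// Constructed sample verdicts (not captured from Cloudflare), in the documented shape.
const SAMPLE_SUCCESS = {
  success: true,
  challenge_ts: new Date(Date.now() - 5000).toISOString(), // solved five seconds ago
  hostname: "example.com",
  "error-codes": [],
  action: "login",
  cdata: "",
};
const SAMPLE_FAILURE = { success: false, "error-codes": ["invalid-input-response"] };

// Canned fetch so the example runs without network access.
function cannedFetch(payload, status = 200) {
  return async () => ({ ok: status >= 200 && status < 300, status, json: async () => payload });
}

async function demo() {
  // Hypothetical secret and token; a real deployment reads the secret from its config store.
  const ctx = { secret: "0x_hypothetical_secret", token: "hypothetical-widget-token", expectedHostname: "example.com", expectedAction: "login" };
  console.log(await verifyTurnstile({ ...ctx, fetchImpl: cannedFetch(SAMPLE_SUCCESS) }));
  console.log(await verifyTurnstile({ ...ctx, fetchImpl: cannedFetch(SAMPLE_FAILURE) }));
  console.log(await verifyTurnstile({ ...ctx, fetchImpl: cannedFetch({}, 503) }));
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Checking hostname and action matters because a token only proves that some Turnstile widget was passed, not that this site’s login widget was; without those checks a token solved cheaply elsewhere can be replayed against the form you care about. Failing closed when siteverify is unreachable is a deliberate trade-off between availability and the abuse the widget exists to stop.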

Turnstile is available now in beta form and is free to use. Organizations don’t need to have other Cloudflare services to enable it.