At the end of September, Cloudflare announced a new alternative to CAPTCHA called Turnstile. According to the Cloudflare team, its goal is to cut the number of bot attacks while fixing CAPTCHA's drawbacks: the time it wastes for people browsing the web, and the loss of privacy that comes with a single dominant provider (Google's reCAPTCHA).
Turnstile decides whether a real person or a bot is visiting the site from session signals: request headers, the user-agent, and browser parameters probed by its script. On Apple devices it additionally relies on Private Access Tokens, so that Apple, rather than the site, is asked to vouch for the device.
The announcement drew some criticism. Commentators point to possible weaknesses: browsers that use anonymization tools or lack a distinctive fingerprint (anti-tracking extensions, Tor Browser, a freshly installed browser on a virtual machine) might not pass the check, and the protection may still be bypassed by automation driving a real user's browser (iMacros, Selenium and similar tools). None of these objections has been verified yet, though, and Turnstile may well handle such cases correctly.
The solution is free and straightforward to set up: register with Cloudflare, obtain a site key and a secret key, embed the widget script (with the site key) in the page, and have the server send the token it receives, together with the secret key, to Cloudflare's siteverify URL to check it. The secret key stays on the server; only the site key is exposed to browsers.
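The server-side half of that setup is where the security decision is made, so here is an added example (not Cloudflare's code) of the check a backend should perform on the token the widget submits. The endpoint and the form and reply field names follow Cloudflare's published siteverify API; the secret key, tokens and the replies returned by `fake_post` are constructed placeholders so the example runs offline, and the `MAX_TOKEN_LEN` bound is an assumed sanity limit. Beyond the basic success flag, it checks that the token was minted for this hostname and this form (`action`), and it fails closed if the verifier is unreachable.

```python
"""Server-side check of a Cloudflare Turnstile token (added example).

Illustrative code, not Cloudflare's own. The endpoint, form fields
(secret, response, remoteip) and reply fields (success, hostname, action,
error-codes) follow Cloudflare's published siteverify API; every reply
below is constructed so the example runs offline.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
MAX_TOKEN_LEN = 2048  # assumed sanity bound; check Cloudflare's documented limit


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    hostname: Optional[str] = None
    action: Optional[str] = None
    error_codes: list = field(default_factory=list)


def http_post(url: str, form: dict) -> dict:
    """Real transport: form-encoded POST, JSON reply. Used only when no fake is injected."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def verify_turnstile(token: str, secret: str, remote_ip: Optional[str] = None,
                     expected_hostname: Optional[str] = None,
                     expected_action: Optional[str] = None,
                     post: Callable[[str, dict], dict] = http_post) -> VerifyResult:
    """ok=True only if Cloudflare accepts the token AND it was minted for this
    hostname/action. The secret key is sent to Cloudflare, never to the browser."""
    if not token or len(token) > MAX_TOKEN_LEN:
        return VerifyResult(False, "missing-or-malformed-token")
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    try:
        body = post(SITEVERIFY_URL, form)
    except Exception as exc:  # fail closed: an unreachable verifier means "deny"
        return VerifyResult(False, f"siteverify-unreachable: {exc}")
    hostname, action = body.get("hostname"), body.get("action")
    codes = list(body.get("error-codes", []))
    if body.get("success") is not True:
        return VerifyResult(False, "siteverify-rejected", hostname, action, codes)
    # Bind the token to this site and this form so a token obtained elsewhere
    # (another hostname, or a less protected form) cannot be replayed here.
    if expected_hostname and hostname != expected_hostname:
        return VerifyResult(False, "hostname-mismatch", hostname, action, codes)
    if expected_action and action != expected_action:
        return VerifyResult(False, "action-mismatch", hostname, action, codes)
    return VerifyResult(True, "ok", hostname, action, codes)


# Constructed siteverify replies, keyed by token, standing in for Cloudflare.
FAKE_REPLIES = {
    "tok-good": {"success": True, "challenge_ts": "2022-10-01T12:00:00Z",
                 "hostname": "example.com", "action": "login", "error-codes": []},
    "tok-replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "tok-other-site": {"success": True, "hostname": "evil.example",
                       "action": "login", "error-codes": []},
    "tok-other-form": {"success": True, "hostname": "example.com",
                       "action": "newsletter", "error-codes": []},
}
FAKE_SECRET = "secret-key-placeholder"  # constructed; a real key comes from the dashboard


def fake_post(url: str, form: dict) -> dict:
    """Offline stand-in for the siteverify endpoint."""
    assert url == SITEVERIFY_URL
    if form.get("secret") != FAKE_SECRET:
        return {"success": False, "error-codes": ["invalid-input-secret"]}
    return FAKE_REPLIES.get(form["response"],
                            {"success": False, "error-codes": ["invalid-input-response"]})


def failing_post(url: str, form: dict) -> dict:
    """Stand-in for a network outage toward Cloudflare."""
    raise ConnectionError("siteverify unreachable")


def demo() -> dict:
    """Run the login form's check over the constructed tokens; returns token -> reason."""
    out = {}
    for tok in list(FAKE_REPLIES) + ["tok-forged", ""]:
        r = verify_turnstile(tok, FAKE_SECRET, remote_ip="203.0.113.7",
                             expected_hostname="example.com", expected_action="login",
                             post=fake_post)
        out[tok] = r.reason
    out["tok-good/outage"] = verify_turnstile("tok-good", FAKE_SECRET, post=failing_post).reason
    return out


if __name__ == "__main__":
    for tok, reason in demo().items():
        print(f"{tok or '<empty>'}: {reason}")
```

In a real handler the token is read from the `cf-turnstile-response` field that the widget adds to the form, and `expected_action` is whatever `data-action` value the page's widget was configured with. Tokens are short-lived and single-use: a second siteverify call with the same token comes back with `timeout-or-duplicate`, which is why the check must run once per submission rather than being cached or retried.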