Turnstile: privacy-preserving alternative to CAPTCHA by Cloudflare

As much as I _despise_ modern ReCAPTCHA, I have always been able to pass the challenge eventually; it has never flatly rejected me with no recourse. If I made a mistake or was insufficiently human for it, I got a new challenge and tried again. There are apocryphal stories of Google tar-pitting users with it, but I have never seen it in action.<p>If this judges the browser more than the user, what do I do when the browser fails? Do I refresh the page hoping for a different batch of invisible challenges? Do I submit a ticket to CF customer support... despite not being a customer?

This is yet another example of Cloudflare centralizing the web. I’m tired of this. Sure the only previously viable solution was ReCAPTCHA from Google. But it’s Google. I depend on them for search. And, sure, their business model depends on them being able to track me online. But I know them. And it’s hard for me to live without them. So I’m ok with depending on them, but I worry about further centralization of the Internet if there’s an alternative. At the end of the day, I like the Internet how it is and how I’ve gotten used to it. Facebook is clearly evil, but I still check them from time to time to keep up with my friends, but a lot less than I used to. I, of course, need to use Google so even though their business is inherently about tracking me, what’s the alternative. But Cloudflare, they’re new. They disrupt what I’m used to. They add another player to the mix. So how dare they centralize the Internet?? This is total BS. I’ll stick with ReCAPTCHA.

Cloudflare: &quot;Cloudflare has a long track record of investing in user privacy, which we will continue with Turnstile.&quot;<p>Also Cloudflare: Tracks and fingerprints everyone, and blocks anyone who hardens their browser (&quot;First we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor&#x2F;browser environment. Those challenges include proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request.&quot;).

What is the failure case for the Cloudflare captcha? In case browser fingerprinting fails to identify me as a human, do they fallback to a challenge that humans can solve, such as audio or image challenges?<p>Say what you will about Recaptcha, but they do have a way to eventually pass through the challenge.

For Cloudflare employees going through this thread, the linked &quot;Turnstile Developer Documentation&quot; link [1] in the Turnstile dashboard is returning a 404.<p>[1]: <a href="https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;turnstile&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;turnstile&#x2F;</a>

God, I hope this works; I do tire of the silly CAPTCHA test. I def get hit with it a lot more from outside the USA than within.

I think changing the comma to a colon and adding &quot;a&quot; before &quot;privacy-preserving&quot; would make the title clearer.

FYI: The docs link in the Dashboard [1] points to a 404.<p>[1]: <a href="https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;turnstile&#x2F;get-started&#x2F;client-side-validation&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;turnstile&#x2F;get-started&#x2F;clie...</a>

This looks great, Cloudflare will always be Better Privacy wise than Google.<p>&gt; without having to be a Cloudflare customer or sending traffic through the Cloudflare global network<p>And you don&#x27;t even need to use CF as a proxy.

Just a heads up for CF folks: Once you create a Turnstile, the link below the generated secret (&quot;Server side integration code&quot;) leads to 404.

Wait till captcha farm companies bypass this and sell solutions for a profit. I use one and its ~95% accurate which is fine for me I guess.

My problem with this is I want to use the CAPTCHA to deter <i>humans</i> from continuing. Letting them thru automatically allows spammers&#x2F;attackers to just continue on, but many will actually skip pages&#x2F;sites where they have to do the CAPTCHA etc.<p>This helps the bot problem, but doesn&#x27;t solve the SPAM problem.

Can’t CAPTCHA be integrated into the browser? Can’t the browser vouch for the user?

No mention of hcaptcha. Is this still worth it if you are hcaptcha user?

That&#x27;s awesome and it&#x27;s free, about to swap out my recaptchas

Will any of this be available on Linux or owner controlled systems?

Can anyone shine a light on this solution and GDPR compliance?