The Lede

Cloudflare Turnstile, a bot-detection method used by various websites to verify users, has started requiring WebGL-based browser fingerprinting. This approach, however, breaks WebKitGTK browsers, including those used by Apple devices, and raises concerns about user privacy. The company's own explanation confirms that fingerprinting is used to verify users, effectively banning non-Safari WebKit browsers.

Background & Context

Cloudflare Turnstile is a bot-detection method designed to verify users and prevent automated traffic. However, its reliance on WebGL-based fingerprinting has raised concerns about user privacy. WebGL fingerprinting, which involves collecting information about a user's browser and device, can be used to track users across multiple websites. This approach is not effective for bot detection, as it can be easily bypassed by users who know how to manipulate their browser settings.
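To make the tracking concern concrete, the following added example (not Cloudflare's code and not taken from the original article) reads the WebGL attributes any page script can query and folds them into a single identifier. The mock context, the sample GPU strings and the choice of a 32-bit FNV-1a hash are assumptions made so that it runs outside a browser.

```javascript
// Added example: which WebGL attributes a page script can read, and how they
// combine into a stable identifier. Works on a real context or on the mock below.
const PARAMS = ["VENDOR", "RENDERER", "VERSION",
                "SHADING_LANGUAGE_VERSION", "MAX_TEXTURE_SIZE"];

// Collect what the context exposes; `gl` is a WebGLRenderingContext or null.
function collectWebGLAttributes(gl) {
  if (!gl) return null;                        // WebGL unavailable or blocked
  const attrs = {};
  for (const name of PARAMS) attrs[name] = String(gl.getParameter(gl[name]));
  const dbg = gl.getExtension("WEBGL_debug_renderer_info");
  if (dbg) {                                   // real GPU strings, if exposed
    attrs.UNMASKED_VENDOR = String(gl.getParameter(dbg.UNMASKED_VENDOR_WEBGL));
    attrs.UNMASKED_RENDERER = String(gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL));
  }
  attrs.EXTENSIONS = (gl.getSupportedExtensions() || []).slice().sort().join(",");
  return attrs;
}

// 32-bit FNV-1a over the attributes in fixed key order (hash choice is an assumption).
function fingerprint(attrs) {
  if (!attrs) return null;
  const text = Object.keys(attrs).sort().map(k => k + "=" + attrs[k]).join("|");
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h = Math.imul(h ^ text.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed stand-in for a WebGL context; constants map to their own names.
function mockContext(values, debugInfo) {
  const gl = { getParameter: key => values[key],
               getSupportedExtensions: () => values.extensions,
               getExtension: n => (n === "WEBGL_debug_renderer_info" ? debugInfo : null) };
  for (const name of PARAMS) gl[name] = name;
  return gl;
}

// Constructed sample values, not captured from any real device.
const SAMPLE = { VENDOR: "WebKit", RENDERER: "WebKit WebGL", VERSION: "WebGL 1.0",
  SHADING_LANGUAGE_VERSION: "WebGL GLSL ES 1.0", MAX_TEXTURE_SIZE: 16384,
  UV: "Example GPU Vendor", UR: "Example GPU Model 1000",
  extensions: ["OES_texture_float", "EXT_blend_minmax"] };
const DEBUG = { UNMASKED_VENDOR_WEBGL: "UV", UNMASKED_RENDERER_WEBGL: "UR" };

const full = collectWebGLAttributes(mockContext(SAMPLE, DEBUG));   // same on every site
const masked = collectWebGLAttributes(mockContext(SAMPLE, null));  // GPU strings hidden
console.log(fingerprint(full), fingerprint(masked), fingerprint(collectWebGLAttributes(null)));
```

In a browser, pass `document.createElement("canvas").getContext("webgl")` to `collectWebGLAttributes` to see what your own configuration exposes. A `null` result corresponds to a browser where WebGL is unavailable or blocked.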

Deep Dive

Cloudflare's own explanation of Turnstile confirms that fingerprinting is used to verify users. The company also acknowledges that this approach may not be effective for bot detection, as it can be easily bypassed by users who know how to manipulate their browser settings. Furthermore, the use of WebGL-based fingerprinting has been criticized for its potential to track users across multiple websites. Firefox, for example, has a built-in feature called 'Canvas Randomization' that can block WebGL fingerprinting, but it is not enabled by default.

Expert Angle

Security researcher and developer 'lanodan' notes that the use of WebGL-based fingerprinting is 'broken' in Firefox and that 'privacy-conscious users might not be able to pass Cloudflare's device verification in the future.' Additionally, the Scrapfly Blog suggests that users can bypass the challenge by using a stealth browser or by enabling WebGL fingerprinting protection in their browser settings.

What Comes Next

As Cloudflare Turnstile continues to rely on WebGL-based fingerprinting, users can expect to see more challenges to their user experience. Websites that use Turnstile may start to block users who do not meet the fingerprinting requirements, potentially leading to a decrease in user engagement and revenue. On the other hand, users who value their privacy can take steps to bypass the challenge by using a stealth browser or by enabling WebGL fingerprinting protection in their browser settings.