Cloudflare Turnstile requiring fingerprintable WebGL
18 points by ignaloidas
18 points by ignaloidas
To be clear, I am not in favour of fingerprinting, just interested in bot blocking tools, since that's part of my current job.
Cloudflare's supposed goal with Turnstile is to create a bot protection widget that doesn't require humans to solve captchas. Presumably fingerprinting allows them to largely allow users across different sites by monitoring behaviour, is that correct?
Is the goal of a widget that doesn't require solving captchas viable without fingerprinting? Is it viable at all? I have heard that bypassing Turnstile is not that hard :tm:. Are all bot blocking widgets necessarily just security through obscurity?
I worked in this area. Not speaking for my former employer.
Presumably fingerprinting allows them to largely allow users across different sites by monitoring behaviour, is that correct?
It probably does allow them to do this, but that's not really the point of it. The purpose of fingerprinting is to correlate a single actor's traffic across many IPs within the same website. No one really cares if you're accessing a bunch of different websites; the point is to detect if you're accessing the same website many times.
Is the goal of a widget that doesn't require solving captchas viable without fingerprinting?
Hardware attestation also works, but everyone hates it. Apple has hardware attestation, which Cloudflare uses for Safari and which is why Safari gets away with canvas randomization (contrary to this blog post, it's not that Cloudflare put in an exception for Safari).
You can also require proof-of-work if both a) you're OK with keeping out the large fraction of web users who only have a low-end Android phone and b) each individual bot action is sufficiently low-value that it's not worth the bot operator's time to do the proof of work. These circumstances sometimes attain but not for anything like a shop or bank.
Short of that, no one has a good solution.
I have heard that bypassing Turnstile is not that hard :tm:.
I dunno about Turnstile. My company's product was definitely difficult to bypass at scale; we deliberately did not make it difficult to bypass when not at scale and it would not at all surprise me if Cloudflare has done the same.
Are all bot blocking widgets necessarily just security through obscurity?
The purpose of all bot blocking widgets is to make it economically infeasible to bot websites, not to make it impossible, so it's not really the same game as other kinds of cybersecurity. As such, obscurity works pretty well: the purpose is to continue to force the adversary to do additional expensive work over time.