Evening Standard
Technology
Alan Martin

OK Computer: the web browser that knows if you are human

CAPTCHA is an effective way of weeding out automated traffic on websites


There are few things more annoying online than constantly having to prove your own humanity by clicking on pictures of postboxes, buses, or (in the case of TfL’s more playful implementation) big cats.

This process is known as CAPTCHA and is a necessary evil. Without it, websites are vulnerable to fake traffic, which is a waste of resources at best and can become a structural weakness for them. CAPTCHA is a vital layer of protection against Distributed Denial of Service (DDoS) attacks, in which malicious hackers use bots to send huge amounts of fake traffic to a website and which can take down big online sites.

The good news is that Cloudflare, the internet infrastructure company responsible for millions of websites worldwide, says it has created a new solution that will let your computer or phone automatically vouch for your humanity. Yes, the irony here is delicious.

In other words, you won’t have to lift a finger to prove you are a real person, unless your computer’s automated answers leave doubt in Cloudflare’s mind or, rather, its software.

Cloudflare’s potential CAPTCHA-killer is called Turnstile. The company claims it will reduce the amount of time that a human takes to recognise, say, phone boxes or buses, from an average of 32 seconds down to a single second, all completed invisibly to the user.

The new system works by giving your web browser a “rotating suite of non-intrusive browser challenges based on telemetry and client behaviour”.

In plain English, that means it’s looking for signs of behaviour that suggest your device isn’t what it claims to be when it identifies itself. This is essentially a hygiene check that a real person is attempting to access the website rather than an automated bot.

An example of CAPTCHA in action. (TfL)

For example, if the device you are using identifies itself to the web browser as an iPhone 12, but then completes a behind-the-scenes technical challenge in far less time than Cloudflare would expect from this Apple handset dating from 2020, that is suspicious.

In short, it’s looking for signs that something isn’t quite right about the visitor. “If a person were walking down the street next to a robot, even without asking the person or robot any questions, you’d be able to observe differences between them just by watching them walk past,” Cloudflare CFO John Graham-Cumming explained to Wired. Put simply, it’s a sniff test.

“In the case of a machine trying to impersonate a human user, they often don’t get all these details right — there’s usually something ‘off’ about the request.”

Crucially, Cloudflare claims it can do this without invading user privacy, and it won’t look for ad or login cookies which could be used to identify a user. This in itself is different to Google’s reCAPTCHA, the dominant presence in the market, which looks for a Google login cookie as an identifier of a human user.

Google denies that this data is used for targeted advertising campaigns, but it could be done — and Turnstile should eliminate even the possibility of that occurring. And if so, that bodes well for online privacy.

So why has this solution taken so long to arrive?

“The process of checking out one’s ‘humanness’ behind the scenes would have taken multiple attempts to succeed enough to make it function and foolproof,” Jake Moore, Global Cybersecurity Advisor at ESET told the Standard. “Releasing this application too early would have made the tool fruitless, due to the fact it has to work for the vast majority of the time to make users happy.”

Of course, Cloudflare’s new system will likely now be a target for those keen to send fake traffic to websites.

“Inevitably, the next challenge will be to make sure this cannot be mimicked in any way, yet no doubt threat actors will attempt to break down the application and try to pursue rogue entries,” Moore continued.

Turnstile is available now in beta form and free to use, even if you don’t use Cloudflare’s other services. Details of how to implement the change on a website — pasting some JavaScript over your existing CAPTCHA code — can be found on the Cloudflare blog.
