Cloudflare Turnstile Fingerprinting: A Growing Concern
Executive TL;DR:
- Cloudflare Turnstile requires fingerprintable WebGL, raising privacy concerns.
- Developers of minority browsers face issues with Turnstile’s fingerprinting methods.
- Users and developers call for flexibility in Turnstile’s challenge methods.
The Internet’s Verdict: 70% Hyped, 30% Skeptical
Introduction to Cloudflare Turnstile
Cloudflare Turnstile is a popular bot protection service used by many websites.
Fingerprinting Concerns
However, its fingerprinting methods have raised concerns among users and developers.
Cloudflare is known to use fingerprinting to detect scrapers. For example, they use JA3 fingerprints and match them against the UA to block stuff like cURL while allowing OkHttp (Android clients) – but this can easily be spoofed with packages such as CycleTLS.
This has led to issues with minority browsers, such as Cromite, which constantly has issues with Cloudflare Turnstile.
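The kind of JA3-versus-User-Agent check described above, as an added example (not code from Cloudflare or from the original page): it builds the JA3 string and hash from already-parsed ClientHello fields and flags requests whose User-Agent family disagrees with the TLS stack. The ClientHello profiles, the `KNOWN_JA3` table and the function names are constructed assumptions.

```python
import hashlib

# GREASE values (RFC 8701) vary per connection, so JA3 leaves them out.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def ja3(version, ciphers, extensions, curves, point_formats):
    """Return (ja3_string, md5_hex) for already-parsed ClientHello fields."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    text = ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])
    return text, hashlib.md5(text.encode()).hexdigest()

# Constructed ClientHello profiles (illustrative, not captured from real clients).
OKHTTP_HELLO = dict(version=771, ciphers=[4865, 4866, 4867, 49195, 49196],
                    extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
                    curves=[29, 23, 24], point_formats=[0])
CURL_HELLO = dict(version=771, ciphers=[4866, 4867, 4865, 49196, 49200],
                  extensions=[0, 11, 10, 13, 22, 23, 43, 45, 51],
                  curves=[29, 23, 30, 25, 24], point_formats=[0, 1, 2])

# Hypothetical lookup table: JA3 hash -> client family expected to produce it.
KNOWN_JA3 = {ja3(**OKHTTP_HELLO)[1]: "okhttp", ja3(**CURL_HELLO)[1]: "curl"}

def ua_family(user_agent):
    """Very small UA classifier for the two families in this example."""
    ua = user_agent.lower()
    for family in ("okhttp", "curl"):
        if ua.startswith(family + "/"):
            return family
    return "other"

def check(user_agent, hello):
    """Compare the family the UA claims with the family the TLS hello implies."""
    tls_family = KNOWN_JA3.get(ja3(**hello)[1])
    if tls_family is None:
        return "unknown"        # e.g. a minority browser with an unlisted TLS stack
    # A match only means the two signals agree; a ClientHello can be imitated.
    return "consistent" if tls_family == ua_family(user_agent) else "mismatch"

if __name__ == "__main__":
    greased = dict(OKHTTP_HELLO, ciphers=[0x2A2A] + OKHTTP_HELLO["ciphers"])
    print(check("okhttp/4.12.0", greased))      # GREASE does not change the hash
    print(check("okhttp/4.12.0", CURL_HELLO))   # UA and TLS stack disagree
```

The "unknown" branch is where a fork with an unlisted TLS stack ends up, which is why a hard block on that outcome affects legitimate minority browsers.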
Developer Issues
Developers of minority browsers face issues with Turnstile’s fingerprinting methods.
I’m maintaining a minority browser and as of a couple of weeks ago this is affecting several of our users. While I’m currently not considering this a browser bug (one could be involved, of course), more eyes are better and any help or ideas on improving or mitigating the situation would be appreciated.
This has led to calls for flexibility in Turnstile’s challenge methods, such as falling back to proof of work (PoW) instead of blocking users.