
Cloudflare Turnstile requiring fingerprintable WebGL

Cloudflare's Turnstile bot verification service is reportedly using WebGL fingerprinting, causing issues for privacy-focused browsers that block such practices. This move has sparked outrage among privacy advocates, who see it as unacceptable tracking and a barrier to a truly open web. Hacker News commenters are debating the balance between bot prevention and user privacy, while some challenge the article's core assertions about Cloudflare's methods.

Score: 94
Comments: 41
Highest Rank: #1
Time on Front Page: 3h
First Seen: May 31, 3:00 PM
Last Seen: May 31, 5:00 PM

The Lowdown

The article highlights a recent change in Cloudflare's Turnstile, its "Verify you're human" service, which now appears to rely on WebGL fingerprinting. This has led to indefinite looping and access denial for users of WebKitGTK-based browsers like Badwolf, which block such privacy-invasive techniques.

  • Cloudflare explicitly states that Turnstile "uses browser fingerprinting to verify you're human" and that privacy tools blocking this make browsers "look like a bot."
  • The author argues that WebKit has long blocked such "awful" tracking, suggesting Cloudflare has effectively banned WebKitGTK browsers while potentially making exceptions for Safari.
  • The article also points out that Mozilla Firefox's privacy.resistFingerprinting setting, even when manually enabled, doesn't fully hide WebGL fingerprinting, leading to detection of "Canvas Randomization."
  • The implication is that users prioritizing privacy may face increasing difficulties accessing websites protected by Cloudflare Turnstile, as their privacy-enhancing settings are interpreted as suspicious bot-like behavior.

Ultimately, the piece positions Cloudflare's Turnstile as a privacy-eroding technology that actively punishes users who attempt to mitigate tracking, raising significant concerns about the future of web privacy and accessibility for non-mainstream browsers.

The Gossip

Cloudflare Controversy & Privacy Predicaments

Many commenters expressed strong disapproval of Cloudflare's WebGL fingerprinting, viewing it as an invasive tracking method that undermines user privacy and makes access difficult for non-standard browsers. There's a sense of betrayal among some who previously saw Cloudflare as a "good guy," with calls to abandon Turnstile or petition for regulation against such practices.

The Bot Blocker's Dilemma

A central theme revolved around the challenge of effectively blocking bots while preserving user privacy, especially with the rise of AI. Commenters debated whether fingerprinting is a necessary evil or if better, more privacy-preserving alternatives exist. Suggestions included Proof-of-Work systems, improved browser-side resistance, or even regulation, acknowledging that no perfect solution seems readily available.

Accuracy and Assumption Scrutiny

Some users challenged the article's assertions, particularly regarding Cloudflare's intent and the blanket blocking of WebGL fingerprinting by WebKit. One commenter provided examples where Turnstile passed even with strong privacy settings and WebGL disabled, suggesting the article's conclusions might be based on false assumptions about Cloudflare's aggressiveness or the extent of browser blocking.