By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
10alert.com10alert.com
  • Threats
    • WordPress ThreatsDanger
    Threats
    A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include…
    Show More
    Top News
    What is an Exploit? -Kaspersky Daily
    8 months ago
    Darkhotel APT in luxury Asian hotels
    8 months ago
    Kaspersky Lab expert Andrey Pozhogin answers questions about ransomware
    8 months ago
    Latest News
    Triangulation: Trojan for iOS | Kaspersky official blog
    5 days ago
    Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)
    5 days ago
    Safeguards against firmware signed with stolen MSI keys
    7 days ago
    WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
    7 days ago
  • Fix
    Fix
    Troubleshooting guide you need when errors, bugs or technical glitches might ruin your digital experience.
    Show More
    Top News
    Critical bugs found and fixed in the popular Formidable Forms WordPress plugin
    Critical bugs found and fixed in the popular Formidable Forms WordPress plugin
    8 months ago
    How to enable new animation for Settings icons on Windows 11
    8 months ago
    How to fix hard drive problems on Windows 11
    8 months ago
    Latest News
    How automatically delete unused files from my Downloads folder?
    4 months ago
    Now you can speed up any video in your browser
    4 months ago
    How to restore access to a file after EFS or view it on another computer?
    4 months ago
    18 Proven Tips to Speed Up Your WordPress Site and Improve SEO | 2023 Guide
    5 months ago
  • How To
    How ToShow More
    Nine years of Project Galileo and how the last year has changed it
    Nine years of Project Galileo and how the last year has changed it
    17 hours ago
    Dynamic data collection with Zaraz Worker Variables
    Dynamic data collection with Zaraz Worker Variables
    4 days ago
    Reduce latency and increase cache hits with Regional Tiered Cache
    Reduce latency and increase cache hits with Regional Tiered Cache
    5 days ago
    Cloudflare is deprecating Railgun
    Cloudflare is deprecating Railgun
    5 days ago
    What is two-factor authentication | Kaspersky official blog
    1 week ago
  • News
    News
    This category of resources includes the latest technology news and updates, covering a wide range of topics and innovations in the tech industry. From new…
    Show More
    Top News
    How to add Vkontakte middle name?
    8 months ago
    How to prevent applications from running in the background on Windows 10?
    8 months ago
    Do you know how to reinstall Windows from a flash drive?
    8 months ago
    Latest News
    How to generate SSH keys on Windows 11
    7 hours ago
    How to enable file sharing on WSA for Windows 11
    7 hours ago
    How to add CPU, GPU, RAM widgets on Windows 11
    4 days ago
    How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
    1 week ago
  • Glossary
  • My Bookmarks
Reading: Cloudflare refuses to use reCAPTCHA
Share
Notification Show More
Aa
Aa
10alert.com10alert.com
  • Threats
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
  • Threats
    • WordPress ThreatsDanger
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
Follow US
FixHow To

Cloudflare refuses to use reCAPTCHA

Tom Grant
Last updated: 13 October
Tom Grant 8 months ago
Share
12 Min Read

We recently migrated the CAPTCHA provider we use from Google’s reCAPTCHA to a service provided by the independent hCaptcha. We’re excited about this change because it helps address a privacy concern inherent to relying on a Google service that we’ve had for some time and also gives us more flexibility to customize the CAPTCHAs we show. Since this change potentially impacts all Cloudflare customers, we wanted to walk through the rationale in more detail.

Contents
CAPTCHAs at CloudflarePrivacy and Blocking ConcernsGoogle’s Changing Business ModelA Better CAPTCHAWhen do Customers Serve CAPTCHAs?Fixing Challenges

CAPTCHAs at Cloudflare

One of the services Cloudflare provides is a way to block malicious automated (ot) traffic. We use a number of techniques to accomplish that. When we are confident something is malicious bot activity we block it entirely. When we are confident it’s good human traffic (or a good bot like a search engine crawler) then we let it through. But, sometimes, when we’re not 100% sure if something is malicious or good we issue it a challenge.

We have different types of challenges, some are entirely automatic, but one requires human intervention. Those challenges are known as CAPTCHAs. That’s an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart (a few Ts are dropped otherwise it’d be CAPTTTCHA). These are the prompts to enter squiggly letters in a box or identify traffic lights or cross walks. Generally, they’re supposed to be something that’s easy for humans to do but hard for machines.

Since Cloudflare’s earliest days, we have used Google’s reCAPTCHA service. ReCAPTCHA started as a research project out of Carnegie Mellon University in 2007. Google acquired the project in 2009, around the same time that Cloudflare was first getting started. Google provided reCAPTCHA for free in exchange for data from the service being used to train its visual identification systems. When we were looking for a CAPTCHA for Cloudflare, we chose reCAPTCHA because it was effective, could scale, and was offered for free — which was important since so many of Cloudflare’s customers use our free service.

Privacy and Blocking Concerns

Since those early days, some customers have expressed concerns about using a Google service to serve CAPTCHAs. Google’s business is targeting users with advertising. Cloudflare’s is not. We have strict privacy commitments. We were able to get comfortable with the Privacy Policy around reCAPTCHA, but understood why some of our customers were concerned about feeding more data to Google.

We also had issues in some regions, such as China, where Google’s services are intermittently blocked. China alone accounts for 25 percent of all Internet users. Given that some subset of those could not access Cloudflare’s customers if they triggered a CAPTCHA was always concerning to us.

Over the years, the privacy and blocking concerns were enough to cause us to think about switching from reCAPTCHA. But, like most technology companies, it was difficult to prioritize removing something that was largely working instead of brand new features and functionality for our customers.

Google’s Changing Business Model

Earlier this year, Google informed us that they were going to begin charging for reCAPTCHA. That is entirely within their right. Cloudflare, given our volume, no doubt imposed significant costs on the reCAPTCHA service, even for Google.

Again, this is entirely rational for Google. If the value of the image classification training did not exceed those costs, it makes perfect sense for Google to ask for payment for the service they provide. In our case, that would have added millions of dollars in annual costs just to continue to use reCAPTCHA for our free users. That was finally enough of an impetus for us to look for a better alternative.

A Better CAPTCHA

We evaluated a number of CAPTCHA vendors as well as building a system ourselves. In the end, hCaptcha emerged as the best alternative to reCAPTCHA. We liked a number of things about the hCaptcha solutions: 1) they don’t sell personal data; they collect only minimum necessary personal data, they are transparent in describing the info they collect and how they use and/or disclose it, and they agreed to only use such data to provide the hCaptcha service to Cloudflare; 2) performance (both in speed and solve rates) was as good as or better than expected during our A/B testing; 3) it has a robust solution for visually impaired and other users with accessibility challenges; 4) it supported Privacy Pass to reduce the frequency of CAPTCHAs; 5) it worked in regions where Google was blocked; and 6) the hCaptcha team was nimble and responsive in a way that was refreshing.

The standard hCaptcha business model was similar to how reCAPTCHA started. They planned to charge customers that needed image classification data and pay publishers to install their CAPTCHA on their sites. Sounded great to us, but, unfortunately, while that may work well for most publishers, it doesn’t at Cloudflare’s scale.

We worked with hCaptcha in two ways. First, we are in the process of leveraging our Workers platform to bear much of the technical load of the CAPTCHAs and, in doing so, reduce their costs. And, second, we proposed that rather than them paying us we pay them. This ensured they had the resources to scale their service to meet our needs. While that has imposed some additional costs, those costs were a fraction of what reCAPTCHA would have. And, in exchange, we have a much more flexible CAPTCHA platform and a much more responsive team.

When do Customers Serve CAPTCHAs?

When we first started working on this project, the assumption was that Cloudflare Bot Management and Firewall Rules would be by far the largest consumer of CAPTCHAs. This was somewhat correct. While Firewall/Bots was the #1 consumer, it only was a bit over 50% of our CAPTCHAs served.

These are the breakdowns of when Cloudflare customers asked us to serve a CAPTCHA on their zones, by total CAPTCHAs served.

Firewall and Bot Rules

54.80%

IP Firewall

18.60%

Security Level

16.80%

DDoS

6.30%

Rate Limiting

1.70%

WAF Rules

1.50%

Other

0.30%

Our Firewall and Bot Rules are at the top and are the majority of the CAPTCHAs served by Cloudflare. These are rules written by our customers that specifically throw a CAPTCHA when the rule is matched. Examples of these include firing a Captcha if a Bot Management score is below a threshold where you believe it is likely that the connection is automated, but the score is above a threshold where you are not certain. Another common rule in this bucket is to CAPTCHA 100% of all traffic behind a site or specific endpoint. Customers may be doing this to limit connections to their origins, or to slow down automated systems from doing something like credential stuffing on a login page or polluting registration data. This leads to some sites on Cloudflare serving hundreds of millions of CAPTCHAs per day.

The second most popular is our IP Firewall. This is similar to the Firewall and Bot Rules, but much less granular at the IP, ASN, or country level. The majority of CAPTCHAs for this category are done for rules written at the ASN or country level. Presumably our customers find some level of distrust with a particular ASN (for example, why would there be supposed user traffic coming from a cloud infrastructure provider?) or are being attacked from specific countries.

Next comes Security Levels. Security levels have two distinct use cases: 1) as a blunt tool for IP address reputation and 2) I’m Under Attack Mode. While we recommend to customers that they only use I’m Under Attack Mode while under an active denial of service attack, some customers leave the feature on 100% of the time as a rudimentary form of rate limiting and filtering.

The final major use of CAPTCHA is through one of our automated systems: recently our Denial of Service protection engineering team taught Gatebot to use CAPTCHAs to mitigate small floods in specific scenarios. Gatebot can now write temporary rules that result in CAPTCHAs being shown to attackers.

Lastly, there were also some customers selecting it as an override action for their Rate Limiting or Managed WAF rulesets.

We also took a look at which types of customers were serving the CAPTCHAs. Over a week’s period of time (normalizing for attacks), our free customers configured their zones to serve roughly 40-60% of the total CAPTCHAs served by Cloudflare. Of our paying customers, there is a generally even split between our pay-as-you-go and our enterprise customers. Overall, we have measured that Cloudflare will show multiple millions of CAPTCHAs per second when one or more of our customers are under attack.

Fixing Challenges

Whenever we change any part of Cloudflare’s systems, it makes things significantly better for some, but temporarily worse for others. We and the hCaptcha team are committed to addressing any problems that come up. If you or your users see issues with the new hCaptcha implementation, please post on the forum or open a Support ticket with as much detail as possible.

Whenever possible, please include the RayID that usually appears on the footer of the CAPTCHA page so we can track down what went wrong.

Over time, we believe visual (and audio) CAPTCHAs are an imperfect answer to a number of difficult problems. Cloudflare is continuing work to minimize and hopefully eventually eliminate altogether the number of CAPTCHAs we issue and we will be excited to share the results of that work in this blog as we move along. The name of our internal chat room for the team making this change isn’t New CAPTCHA, it’s (No)CAPTCHA.

source


Translate this article

TAGGED: Apple, Cloudflare, Security
Tom Grant October 13, 2022 October 7, 2022
Share this Article
Facebook Twitter Reddit Telegram Email Copy Link Print

STAY CONECTED

24.8k Followers Like
253.9k Followers Follow
33.7k Subscribers Subscribe
124.8k Members Follow

LAST 10 ALERT

How to generate SSH keys on Windows 11
News 10 hours ago
How to enable file sharing on WSA for Windows 11
News 10 hours ago
Nine years of Project Galileo and how the last year has changed it
Nine years of Project Galileo and how the last year has changed it
Apps 17 hours ago
Dynamic data collection with Zaraz Worker Variables
Dynamic data collection with Zaraz Worker Variables
Apps 4 days ago
How to add CPU, GPU, RAM widgets on Windows 11
News 5 days ago

Recent Posts

  • How to generate SSH keys on Windows 11
  • How to enable file sharing on WSA for Windows 11
  • Nine years of Project Galileo and how the last year has changed it
  • Dynamic data collection with Zaraz Worker Variables
  • How to add CPU, GPU, RAM widgets on Windows 11

You Might Also Like

News

How to generate SSH keys on Windows 11

10 hours ago
Nine years of Project Galileo and how the last year has changed it
Apps

Nine years of Project Galileo and how the last year has changed it

17 hours ago
Dynamic data collection with Zaraz Worker Variables
Apps

Dynamic data collection with Zaraz Worker Variables

4 days ago
Reduce latency and increase cache hits with Regional Tiered Cache
Apps

Reduce latency and increase cache hits with Regional Tiered Cache

5 days ago
Show More

Related stories

How to Use Cloudflare to Secure Your WordPress Site
How To Starting Chrome from the command line
How to fix error 0x80070057 in Chrome?
Windows 10 How To Disable Slide to Shutdown
Windows search not working (FIX)
How to watch movies and TV series for free on Kinopoisk?
Previous Next

10 New Stories

Reduce latency and increase cache hits with Regional Tiered Cache
Cloudflare is deprecating Railgun
Triangulation: Trojan for iOS | Kaspersky official blog
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)
Safeguards against firmware signed with stolen MSI keys
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Previous Next
Hot News
How to generate SSH keys on Windows 11
How to enable file sharing on WSA for Windows 11
Nine years of Project Galileo and how the last year has changed it
Dynamic data collection with Zaraz Worker Variables
How to add CPU, GPU, RAM widgets on Windows 11
10alert.com10alert.com
Follow US

© 10 Alert Network. All Rights Reserved.

  • Privacy Policy
  • Contact
  • Customize Interests
  • My Bookmarks
  • Glossary
Go to mobile version
adbanner
AdBlock Detected
Our site is an advertising supported site. Please whitelist to support our site.
Okay, I'll Whitelist
Welcome Back!

Sign in to your account

Lost your password?