Although I suspect it was supposed to be transparent, it still ended up being a disaster for many of the users, especially the non-technical ones. The web site's support forum was full of complaints from what seemed to be legitimate, long-time users and customers.

Even benign and reasonable user agent variations from the "norm" seemed to cause problems for this particular system. For example, I recall a default Chrome installation working well enough, but adjusting its configuration to harden its security or privacy seemed to confuse the web site's blocking system.

In my case, I had to keep around and use a dedicated ancient browser installation, since newer ones seemed to trigger repeated challenges for some reason I could never figure out.

The challenge page even had a report-a-problem form, but I don't know if anyone or anything actually considered the submissions.

Even the web site's administrators seemed to have trouble figuring out why legitimate users were getting flagged repeatedly by this system they were using.

I ended up just not using that web site any longer. The hassle wasn't worth it.

Where I usually get tarpitted is by Cloudflare. I'll pass the (automated) CAPTCHA, the page will reload (still as if I had passed), and … it'll be another CAPTCHA. I'm pretty sure these usually amount to a passive-aggressive demand for cookies/storage, but I just vote with my browser & go back/somewhere else.

This is definitely good question. With the “Managed Challenge” feature it seems to degrade gracefully — if you have, say, a positive profile with Cloudflare, an iOS device where it can use PAT, etc. you never see the prompt but eventually it'll fall back to the same CAPTCHA you're seeing today. It'd be useful to confirm that this is how Turnstile works as well since some fraction of real people will definitely hit that on a daily basis.

That used to be the case when using Tor; I remember having to rotate exit nodes to get recaptcha to load at all.

These days the situation is a lot better, I've been able to pass Google captchas through Tor every time I tried this month. Seems like they even fixed audio-based captchas, so you no longer get instant-blocked if you try to use them.

Of course, all this could be reverted tomorrow, and there would be absolutely nothing we could do about it...

It's still completely unusable on Tor. It hangs forever.

We need shittier solutions. That way we never feel the pain of once having a good solution to a problem and then losing it.

Erm, hello, hCAPTCHA[1] ?!?

Can't remember when they started, but I certainly jumped ship to hCAPTCHA what is now many years ago now.

Privacy protection is stated there on their homepage as their key differentiator with ReCAPTCHA.

[1] https://www.hcaptcha.com/

But yes, no one is perfect, but at end of the day i really prefer your business model that does not need break users privacy.

On the one hand, I did post a reactionary hot take yesterday in response to the "pardon me, Cisco" ad that you posted [1]. I'm sorry for that; I should have kept that immediate reaction to myself. Still, I'm apprehensive about increasing the power of one of a handful of big players by routing my company's web traffic through Cloudflare, let alone running applications themselves on the Cloudflare platform, though Workers is certainly interesting technology. And I'm certainly not going to route all of my Internet traffic through Warp, or even use 1.1.1.1 for DNS.

But in the specific case of Turnstile, it is clearly now the least bad option. So I will be happy to use it when something like a CAPTCHA is needed.

[1]: https://news.ycombinator.com/item?id=32998270

In all seriousness, I don’t see Cloudflare centralizing the web. I see them decentralizing it by empowering smaller folks with easier tools for scale.

It’s a stretch of argument / not perfect —- but I am glad the competition exists. It makes sense for Cloudflare to be big and privacy focused when competing in the big net real estate space of the modern web.

and trust me, this technology is not in the interest of the user, especially if the user wants free (as in freedom) and open internet.

> In June, we announced an effort with Apple to use Private Access Tokens. Visitors using operating systems that support these tokens, including the upcoming versions of macOS or iOS, can now prove they’re human without completing a CAPTCHA or giving up personal data.

> By collaborating with third parties like device manufacturers, who already have the data that would help us validate a device, we are able to abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves. Rather than interrogating a device directly, we ask the device vendor to do it for us.

The trick is that bot farms do not have access to correctly provisioned mobile phones (for now). Thus anyone with a valid mobile device gets a pass.