I think this community is appropriate for this topic, since this solution is being rolled out to combat AI scraping of websites.
I don’t really understand why the collective agreement is “it is better than captchas would be”, when you didn’t need to pass a captcha just to view a website in the first place. Why are people not more pissed off about every website suddenly requiring this laggy, sometimes actually a captcha anyways (checkbox to prove you are human) solution slowing down visits to websites?
And why can’t Cloudflare offer some way for us lowly non-AIs to prove we’re human, once, for our entire web experience, versus on. every. damned. website. one. at. a. time?
I counted, and I hit this turnstile solution on 28 website visits today, and sometimes more than once on the same site. That’s minutes of my life I don’t get back, and likely hours to days over the course of a year.
There has to be a better way…
/rant
Yup. I am tired of being accosted to prove myself human only to have that labor monetized into slop.
Well, that’s reCAPTCHA in a nutshell, but Cloudflare’s isn’t doing that, at least, not in a way that you are doing work. This Turnstile feature doesn’t have you picking traffic lights out of photos.
And why can’t Cloudflare offer some way for us lowly non-AIs to prove we’re human, once, for our entire web experience, versus on. every. damned. website. one. at. a. time?
So like a tracking cookie? Not a great idea for privacy, we’ve been there before…
Also, the reason is that if that worked, then the scrapers would just need to use a human to pass Turnstile once, and then let their scraper run wild for the rest of the day, defeating the entire purpose of it.
None of this would be an issue if the AI scrapers would just actually follow robots.txt, but they won’t, so here we are :(
What’s really fun is when it gets stuck in a “verify you’re human” loop.
Well, the problem is mainly the many AI scrapers today. As well as DDoS attacks happening from across the world with tons of unique IP addresses.
It’s very hard to block such attacks or even scrapers. Since again the DDoS attacks are coming from all countries, one request per IP. Seemingly from legit household IPs.
It’s not just Cloudflare. There are also open source projects like Anubis. Using proof of work.
Anyhow, I don’t know if there is a better way. The best way is getting all those infected devices removed from the internet. And also cloud providers (AWS, GCP, Alibaba etc.) should terminate accounts much faster when they are part of illegal DDoS activities or illegal scrapers.
This is becoming more prevalent because of AI bots. Cloudflare’s services are actually one of the good guys with tools against bots.
People’s internet bandwidth has multiplied like crazy with all the AI companies stealing everything that goes online, and things like the turnstile do work to reduce that so people can still afford bandwidth.
This is the Dead Internet theory coming true. https://arstechnica.com/information-technology/2025/04/ai-bots-strain-wikimedia-as-bandwidth-surges-50/
Cloudflare actually does have a way to avoid seeing these, using a zero-knowledge proof backed by a hardware security module (they call it Cloudflare Private Access Tokens). As far as I know, Apple is still the only one who’s implemented it and it only works in Safari on iPhones, iPads, and M-series Macs. Maybe some day other vendors will add support too!
Of course, there are already scrapers that use arrays of real phones to do scraping/app automation, so widespread adoption of PATs would just push more traffic to be proxied through physical devices instead of headless browsers in AWS somewhere…
So that is 3 years old. Did it not actually happen? I hit CF Turnstile on iOS as well.
When I run into this, I often just close the tab.
Fuck em.
There’s nothing on the internet I need bad enough to deal with that bullshit, luckily. So businesses in particular can fuck right off, and I’ll close the damn window
Type in credentials and click “are you human” then I get “pick all objects that fit in a basket” after that it’s “please enter the code we just sent”
Cloudflare Turnstile is just a checkbox, no “pick objects” tests.
Is that new? Because I have had to pick many objects when browsing cloudflare protected sites in the past with a VPN.
Not sure, I haven’t seen it ever and I use a VPN on everything, Pi Hole at home, along with uBlock Origin and JShelter in Firefox on desktop, never been prompted with anything other than “click here”.
Looks like 2022 is when they went completely no-CAPTCHA: https://blog.cloudflare.com/end-cloudflare-captcha/
Fuck Cloudflare. I mostly walk away.