Cloudflare Turnstile, which checks whether a visitor is 'actually human,' is running into trouble over WebGL information: many browser environments that apply fingerprinting countermeasures fail its check.

Haelwen Monier, who develops the privacy-focused web browser 'BadWolf' using the WebKit-based browser engine WebKitGTK, has reported that Cloudflare Turnstile's 'Verify you're human' authentication has caused an infinite loop in WebKitGTK-based browsers, preventing access to multiple websites.
Cloudflare Turnstile requiring fingerprintable WebGL - lanodan's cyber-home
Many people have likely seen a small verification screen on a website that asks 'whether you are really human.' Instead of the traditional CAPTCHA, where users pick traffic lights or crosswalks out of a set of images, recent years have seen an increase in systems that make the decision automatically on the browser side, so that users no longer have to perform tedious tasks.
Cloudflare's 'Turnstile' is one such CAPTCHA alternative. According to Cloudflare, Turnstile is an authentication widget that can be embedded in websites. Instead of showing the user CAPTCHA images or similar prompts, it runs a small JavaScript challenge inside the browser to gather signals about the visitor and their browser environment. In most cases the check completes without any action from the user, and a checkbox is displayed only when necessary.
Cloudflare releases 'Turnstile' as an alternative to CAPTCHA: How does it test the browser, not the user, to determine if it's a bot? - GIGAZINE

The signals referred to here are criteria such as 'whether the browser can execute JavaScript,' 'whether the Web APIs respond normally,' and 'whether the browser's behavior differs from that of an automated tool.' To protect their sites from malicious bots that mass-create accounts, post spam, and scrape data, website operators use detection tools such as Turnstile to distinguish access that looks like a 'normal human browser' from 'automated access.'
However, Turnstile's determination relies on fingerprinting, a technique that attempts to identify the user's environment by combining information such as the OS, browser, screen size, language settings, fonts, GPU information, and rendering results. This has drawn criticism from users who value privacy.
Of particular interest this time is WebGL, which allows 3D graphics to be handled in web browsers. With WebGL, browsers can access information such as the type of GPU and the rendering results. While WebGL's original purpose is rendering 3D games, maps, and visualization tools, differences in GPUs and drivers are reflected in the rendering results, so it can also be used as a way to distinguish between devices. The information used for identification by WebGL is sometimes called a 'WebGL fingerprint.'
When Monier accessed Turnstile's compatibility test page using the BadWolf browser, which is designed to prevent WebGL fingerprinting, he received a message indicating that 'WebGL renderer information has been spoofed.' If a browser does not return detailed GPU information, or generalizes the information it returns, Turnstile may judge this to be 'suspicious spoofing' rather than privacy protection.

Generalizing GPU information is not in itself improper: privacy-focused browsers and extensions routinely hide or round off device-specific values to make users harder to track. From the perspective of bot detection, however, a 'browser that hides information' can look just like a 'bot trying to hide its identity.' This issue is one manifestation of that conflict between privacy protection and bot countermeasures, played out over WebGL information.
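To make the conflict concrete, here is an added example (not code from the article, BadWolf, or Turnstile) that turns the WebGL signals the article names into a fingerprint, applies the kind of generalization a privacy browser performs, and shows a naive detector heuristic that would flag the generalized result. The GPU strings, pixel values, and the `looksGeneralized` rule are all constructed for illustration; Turnstile's real logic is not public.

```javascript
// Constructed sample signals. In a browser, vendor/renderer come from
// gl.getParameter(ext.UNMASKED_VENDOR_WEBGL / ext.UNMASKED_RENDERER_WEBGL) with
// ext = gl.getExtension('WEBGL_debug_renderer_info'), and the pixel sample from
// gl.readPixels() after drawing a fixed test scene.
const SAMPLE_SIGNALS = {
  desktopNvidia: {
    vendor: 'Google Inc. (NVIDIA)',
    renderer: 'ANGLE (NVIDIA, NVIDIA GeForce RTX 3060 Direct3D11 vs_5_0 ps_5_0, D3D11)',
    pixels: [255, 128, 64, 255, 12, 200, 33, 255],
  },
  laptopIntel: {
    vendor: 'Intel Inc.',
    renderer: 'Intel(R) UHD Graphics 630',
    pixels: [254, 128, 64, 255, 13, 200, 33, 255], // driver-level shading differences
  },
};

// FNV-1a 32-bit hash: enough to illustrate fingerprint stability; returns hex.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// The fingerprint: GPU identity strings plus the rendered pixel sample, hashed.
function webglFingerprint(s) {
  return fnv1a([s.vendor, s.renderer, s.pixels.join(',')].join('|'));
}

// A privacy browser's countermeasure, modelled on what the article describes
// (not BadWolf's code): replace device-specific strings with a generic value and
// quantise pixel values so small driver differences collapse to one result.
function generalizeSignals(s) {
  return {
    vendor: 'Generic Vendor',
    renderer: 'Generic Renderer',
    pixels: s.pixels.map((v) => v & 0xf0),
  };
}

// The detector's side of the conflict (a constructed heuristic): a renderer
// string with no GPU model number in it is rare among unmodified browsers, so a
// naive check treats the privacy-preserving value as "spoofed".
const GENERIC_RENDERERS = new Set(['Generic Renderer', 'Mozilla', 'Apple GPU']);
function looksGeneralized(renderer) {
  return GENERIC_RENDERERS.has(renderer) || !/\d/.test(renderer);
}
```

Two different GPUs yield two fingerprints; after generalization both yield the same one, which is exactly why a detector that expects a detailed renderer string sees them as identical, and suspicious, environments.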
The issue has also been widely discussed on
On the other hand, some website operators have described being forced to adopt Cloudflare or Turnstile because of a surge in traffic from AI crawlers and spam bots. Websites with forms, login screens, and user submission fields are especially exposed to abuse such as fraudulent posts, bulk account creation, and card testing.
As authentication services like Turnstile become more widespread, concerns are rising that access to websites will become concentrated in the hands of a few large corporations. Users with browsers or settings that cannot pass Cloudflare authentication may be locked out, even if the site operator does not intend it.
Furthermore, while Firefox has a setting called 'privacy.resistFingerprinting,' Monier noted that even when Firefox's Enhanced Tracking Protection is set to 'strict,' privacy.resistFingerprinting stays disabled and the browser passes Turnstile, leading him to point out that 'protection from fingerprinting is failing.'

A comment on Hacker News also pointed out that enabling 'privacy.resistFingerprinting' can cause time zone and display problems on websites, which makes it difficult to enable by default.
In short, browser developers are caught in a dilemma: the more privacy protection they offer, the more websites break, while prioritizing website compatibility increases the amount of material available for fingerprinting. Browser developers are expected to deliver both 'difficulty in tracking' and 'websites working normally.' From the user's perspective, the troublesome part is that simply enabling privacy protection can lead to being treated as 'not human.'
As a way to reduce reliance on fingerprinting, Hacker News commenters discussed putting proof-of-work more to the forefront. Proof-of-work has each browser perform a short computational task, placing little burden on an individual user but imposing a high cost on bots that make large-scale accesses. However, it can be burdensome on mobile and low-performance devices, and it may not be a sufficient deterrent against attackers targeting high-value data.
Some argue that browsers should show a permission dialog before exposing features that are easily used for identification, such as WebGL, WebGPU, and WebRTC. However, requiring permission for every WebGL use would significantly impair the normal web experience, including 3D rendering, maps, and games. And if the verification service simply displays 'Please press Allow to continue,' users will have no real choice but to press it, reproducing the same kind of meaningless consent seen with cookie banners.
Older CAPTCHA systems would ask users to 'select a traffic light' or 'select a crosswalk.' However, newer authentication systems like Turnstile verify the browser and device environment, rather than the user themselves.
The growing number of AI crawlers and automated bots has heightened the need for websites to distinguish humans from bots, but at the same time there are more and more cases where hiding device information for privacy reasons is deemed 'inhuman.' Monier argued that the reliance on WebGL fingerprinting is causing these problems and that defending a site by means of tracking cannot be justified.
in Software, Web Service, Posted by log1d_ts