Cloudflare Turnstile requiring fingerprintable WebGL

758 points · 441 comments on HN

Cloudflare Turnstile now requires WebGL fingerprinting, blocking WebKitGTK browsers while circumventing Firefox privacy protections.

Cloudflare's Turnstile verification system has begun requiring WebGL fingerprinting to prove humanity. The author reports that WebKitGTK browsers loop indefinitely on Turnstile, effectively banning them, because WebKit blocks device fingerprinting for privacy reasons. Cloudflare's justification states that fingerprinting tools blocking randomization make browsers look like bots. Meanwhile, Firefox's privacy.resistFingerprinting setting remains disabled by default even under "Strict" Enhanced Privacy Protection, exposing users to fingerprinting unless they enable it manually. When activated, it causes Canvas Randomization detection but may fail future Turnstile checks.

What the HN community is saying

Top commenters questioned the decision to deploy Turnstile at all, citing better UX than reCAPTCHA. Sentiment split between those resignedly accepting fingerprinting as a necessary bot defense and those arguing it is an unacceptable privacy violation. Concrete alternatives emerged: behavioral rate-limiting, IP reputation, queuing mechanisms, identity tying, and Dutch auctions for high-demand items like concert tickets. One commenter noted their site receives 20-25k bot hits daily but handles it without Cloudflare protections. Regulatory solutions (DMCA-style laws, GDPR enforcement) were proposed but criticized as difficult to enforce across jurisdictions.

A PSA surfaced: enabling privacy.resistFingerprinting in Firefox causes some users to fail Turnstile. No consensus emerged on whether fingerprinting is truly necessary or merely the least objectionable corporate solution.