As asked
Cloudflare Turnstile is a CAPTCHA replacement that verifies that users are human without showing them puzzles. What signals does a system like Turnstile collect to distinguish bots from humans, and what are the privacy and evasion trade-offs compared to reCAPTCHA?
Sample answer outline
Turnstile collects passive signals: browser fingerprint (Canvas, WebGL, font metrics), JavaScript environment consistency checks (VM artifacts, headless-browser indicators), network characteristics, interaction patterns (mouse movement, timing), and proof-of-work (PoW) challenges. It does not collect cross-site behavioral data, unlike Google's reCAPTCHA, which leverages Google's browsing-history tracking. Evasion trade-offs: sophisticated bots can fake mouse movements and drive real browsers via Playwright, so Turnstile combines multiple signals and rotates challenge types rather than relying on any single one. The privacy advantage is that Cloudflare does not build a cross-site profile of the user.
Expect these follow-ups
- How would an adversary using a real browser controlled by Selenium evade Turnstile, and how does Turnstile try to detect that?
- What is a cryptographic Proof-of-Work challenge and how does it add friction for bots at scale?
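To make the proof-of-work point from the answer outline and the second follow-up concrete, here is an added example (not Cloudflare's code, and not Turnstile's actual challenge format): a hashcash-style challenge in which the server issues a random challenge and a difficulty in leading zero bits, the client brute-forces a nonce, and the server verifies with a single hash. The asymmetry is the friction: client cost grows as roughly 2^difficulty, server verification cost stays constant.

```python
import hashlib
import os
import time

# Constructed illustration of a hashcash-style proof-of-work challenge.
# Assumed design (hypothetical, not Turnstile's real protocol): the server
# issues a random challenge plus a difficulty in leading zero bits; the
# client must find a nonce such that SHA-256(challenge || nonce) starts
# with at least that many zero bits.

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def issue_challenge(difficulty_bits: int) -> tuple[bytes, int]:
    """Server side: a fresh random challenge, so work cannot be precomputed."""
    return os.urandom(16), difficulty_bits

def solve(challenge: bytes, difficulty_bits: int) -> int:
    """Client side: brute-force a nonce; expected cost ~2^difficulty hashes."""
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce
        nonce += 1

def verify(challenge: bytes, difficulty_bits: int, nonce: int) -> bool:
    """Server side: exactly one hash to check, whatever the difficulty."""
    if not 0 <= nonce < 2**64:
        return False
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty_bits

def demo(difficulty_bits: int = 16) -> dict:
    """Run one full exchange and report the cost asymmetry."""
    challenge, bits = issue_challenge(difficulty_bits)
    t0 = time.perf_counter()
    nonce = solve(challenge, bits)
    solve_s = time.perf_counter() - t0
    t0 = time.perf_counter()
    ok = verify(challenge, bits, nonce)
    verify_s = time.perf_counter() - t0
    return {"ok": ok, "nonce": nonce, "solve_s": solve_s, "verify_s": verify_s}

if __name__ == "__main__":
    print(demo())
```

Raising `difficulty_bits` by one roughly doubles the client's solve time while `verify` stays at a single hash, which is what lets a defender tune cost per request against bot fleets without burdening the verifying server.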