A few months ago, I implemented Cloudflare's Turnstile CAPTCHA on some pages. The reason for implementing these CAPTCHAs is obvious: Bots make up a large percentage of traffic and affect site performance.

So I figured it was a good time to look back and see how effective these CAPTCHA are. The quick number: Out of about 300 requests, only 1 passed the test. Or 99.7% of requests came from bots. And this is after we have been running this for a few months. Some bots may have stopped scanning the page.

But what about false positives? One false positive I noted from the login page was people clicking "Submit" on the login form before the CAPTCHA test was completed. This was easily fixed with a bit of JavaScript, which enabled the button only after a test was completed.

Some of the top offenders:

•  219.117.237.208. - resolves to 219.117.237.208.static.zoot.jp and appears to be some kind of spider
• 18.229.88.75 - an AWS host, also attempting to download our IP data
• 164.52.120.0/24 - Cloud provider in HK
• 2a03:2880:f806::/48 - Facebook Ireland

So far, I have received only a few complaints about false positives (aside from the now fixed login page issue). 

Why I selected "Turnstile" over other CAPTCHA options:

• Cloudflare's turnstile implementation appears to have fewer privacy issues than others, like Google Recaptcha
• They are in my opinion, low impact to the user
• Implementing them on the site wasn't too difficult
• We already use Cloudflare as a CDN.
• They work well enough

CAPTCHA can often be bypassed. The right CAPTCHA solution makes it hard enough for an attacker to bypass that the value of the data they would be getting is not worth the effort.

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|