

Why we use CAPTCHAs, (Mon, May 11th)

A few months ago, I implemented Cloudflare's Turnstile CAPTCHA on some pages. The reason for implementing these CAPTCHAs is obvious: bots make up a large percentage of traffic and affect site performance. So I figured it was a good time to look back and see how effective these CAPTCHAs are.

The quick number: out of about 300 requests, only 1 passed the test. Or, 99.7% of requests came from bots. And this is after we have been running this for a few months. Some bots may have stopped scanning the page.

But what about false positives? One false positive I noted from the login page was people clicking Submit on the login form before the CAPTCHA test was completed. This was easily fixed with a bit of JavaScript, which enabled the button only after a test was completed.

Some of the top offenders:

- 219.117.237.208 - resolves to 219.117.237.208.static.zoot.jp and appears to be some kind of spider
- 18.229.88.75 - an AWS host, also attempting to download our IP data
- 164.52.120.0/24 - cloud provider in HK
- 2a03:2880:f806::/48 - Facebook Ireland

So far, I have received only a few complaints about false positives (aside from the now-fixed login page issue).

Why I selected Turnstile over other CAPTCHA options:

- Cloudflare's Turnstile implementation appears to have fewer privacy issues than others, like Google reCAPTCHA
- They are, in my opinion, low impact to the user
- Implementing them on the site wasn't too difficult
- We already use Cloudflare as a CDN
- They work well enough

CAPTCHAs can often be bypassed. The right CAPTCHA solution makes it hard enough for an attacker to bypass that the value of the data they would be getting is not worth the effort.

-- Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
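The login-page fix the diary mentions, enabling the Submit button only once Turnstile has produced a token, as an added example; this is not the author's JavaScript (the diary does not show it) and not Cloudflare's code. It pairs the client-side gate with the server-side check against Cloudflare's siteverify endpoint, because the disabled button is only a usability fix: a scraper that POSTs straight to the login handler never loads the widget, so the handler has to verify the token itself. The duck-typed `form` object, the hostname `example.org`, the action name `login` and the fake siteverify responses in the usage are assumptions for illustration; the endpoint URL, the `data-callback`/`data-expired-callback`/`data-error-callback` attributes, and the `success`, `hostname`, `action` and `error-codes` response fields are Cloudflare's documented ones.

```javascript
// Added example, not code from the ISC diary or from Cloudflare. Shows the
// client-side submit gate described in the diary plus the server-side
// siteverify check that must back it up. `form`'s shape, the hostname/action
// values and any responses used to exercise it are constructed for illustration.

const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Client side. In the page the two hooks are wired through the widget's
// documented attributes, e.g.:
//   <div class="cf-turnstile" data-sitekey="..." data-action="login"
//        data-callback="onTurnstileToken"
//        data-expired-callback="onTurnstileReset"
//        data-error-callback="onTurnstileReset"></div>
// `form` is duck-typed ({ submitButton, tokenField }) so the logic can be run
// outside a browser; in the browser pass the real elements from the DOM.
function gateSubmitOnTurnstile(form) {
  form.submitButton.disabled = true;      // nothing to submit until a token exists
  form.tokenField.value = "";
  return {
    onToken(token) {                      // data-callback: widget solved
      form.tokenField.value = token;
      form.submitButton.disabled = false;
    },
    onReset() {                           // data-expired-callback / data-error-callback
      form.tokenField.value = "";
      form.submitButton.disabled = true;
    },
  };
}

// Server side. A bot that posts directly to the login handler never sees the
// button, so the handler asks Cloudflare whether the token is genuine before
// it touches any credentials. `fetchImpl` is injectable for offline testing.
async function verifyTurnstileToken({ token, secret, remoteip, expectedHostname,
                                      expectedAction, fetchImpl = globalThis.fetch }) {
  // Turnstile documents a 2048-character maximum for the response token;
  // refuse anything missing or larger before making an outbound call.
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-oversized-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteip) body.set("remoteip", remoteip);

  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
  if (!res.ok) {
    // Fail closed: an outage at siteverify must not turn into an open login form.
    return { ok: false, reason: `siteverify-http-${res.status}` };
  }
  const data = await res.json();
  if (data.success !== true) {
    // Replays surface here as "timeout-or-duplicate": tokens are single-use.
    return { ok: false, reason: (data["error-codes"] || ["unknown-error"]).join(",") };
  }
  // Bind the token to this site and this widget so a token solved on another
  // hostname, or for a different form, cannot be replayed against login.
  if (expectedHostname && data.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  if (expectedAction && data.action !== expectedAction) {
    return { ok: false, reason: "action-mismatch" };
  }
  return { ok: true, challengeTs: data.challenge_ts };
}
```

The hostname and action checks are the part most often skipped: siteverify reports `success: true` for any token issued to the same secret, so without them a token solved on a low-value page of the site could be replayed against the login handler. Keeping the secret and the verification on the server also means the client gate can be removed or bypassed by a bot without changing the outcome.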


Originally published by SANS ISC

Source: https://isc.sans.edu/diary/rss/32974

