Research

hCaptcha vs. Turnstile

December 8, 2022

Recently, our friends at Cloudflare introduced a bot defense product called Turnstile. How does it compare to hCaptcha? Read this post to find out.

Last updated: November 5th, 2023


hCaptcha has grown in popularity over the past half decade, and is now the #1 privacy-focused humanity verification service online.

While a large number of customers directly integrate our free, Pro, or Enterprise service, hCaptcha is also a popular choice for many CDNs and WAFs ("Web Application Firewalls") to embed into their services.

A common use case is on interstitial challenge pages, and hCaptcha appears on millions of sites that use these services. The integrator decides which hCaptcha configuration to use, whether active, 99.9% passive, or entirely passive.

One example WAF customer of hCaptcha is Cloudflare, a security CDN. Like many of our CDN and WAF integrators, Cloudflare also offers bot detection and mitigation products.

In 2022 Cloudflare introduced Turnstile, a limited bot mitigation tool whose widget resembles reCAPTCHA v2 but whose user experience is passive, like reCAPTCHA v3 or hCaptcha Passive mode: the user is not actively challenged for proof of humanity.

How does Turnstile work?

Turnstile relies primarily on "direct" bot detection: JavaScript running on the page tries to recognise common automation frameworks from the properties they expose to page scripts, supplemented by some network-level traffic pattern analysis.

On compatible hardware, primarily recent iPhones, Turnstile (like hCaptcha) will also attempt "hardware attestation" to validate that a real iPhone made the request. The user's device contacts Apple's servers to obtain a token, which is then presented to Turnstile.

When a bot is suspected, Turnstile issues a "proof of work" challenge that makes the browser burn resources, for example by executing useless code on the CPU or filling up memory, so that each physical machine running a bot can emit fewer requests per second.

What are the limitations of Turnstile?

The goal is solely to prevent high volume attacks like credential stuffing, which is only one of many bot mitigation scenarios.

Direct detection of bots and network-based anomaly approaches are both very limited in the kinds of threats they can spot.

Lower speed or more sophisticated attackers will not be impeded by Turnstile, and may not even notice it's running.

Large numbers of "clean" IPs are also easily acquired at low or zero marginal cost, limiting the utility of network traffic analysis.

Finally, hardware attestation is only available for a small percentage of users and at best only proves a device exists, not that a person is operating that device. It has historically been rapidly broken and widely abused in the wild, and is better suited for use as one signal among many.


What are the risks of Turnstile?

Cloudflare's non-core products tend to launch without the level of reliability or testing delivered by more focused providers like hCaptcha. Indeed, Turnstile has repeatedly failed closed in 2023, i.e. blocked every request that depended on it, for up to 30 minutes at a time.

As a more recently launched product, Turnstile has shown a spotty reliability record since its 2022 launch and offers no SLA, unlike hCaptcha Enterprise's standard 99.99% SLA.

This is related to organizational practices at Cloudflare, which they acknowledged in the postmortem of their multi-day November 2023 outage.

Its focus on direct detection also means it has virtually no chance of stopping the more sophisticated distributed attacks that are now common. We have heard complaints about many missed detections from former Turnstile users who switched to hCaptcha Enterprise for better protection.

How does Turnstile differ from hCaptcha?

Selective humanity verification remains the single best tool to detect and prevent automated attacks: this is something hCaptcha supports, but Turnstile does not.

hCaptcha humanity verification features increase both the accuracy of hCaptcha bot detection and the cost of circumvention to attackers, giving it a large advantage in both detection and mitigation of threats.

While hCaptcha has included both direct bot detection and proof of work challenges for many years, neither approach is sufficient on its own to deal with more sophisticated or larger scale attacks.

Why doesn't "direct detection" of bots work reliably?

Direct detection of automation frameworks has had limited success in recent years, and in our tests, Turnstile is easily bypassed by several common "cloaked" automation frameworks.
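To make the two sides of this argument concrete, here is an added example (not Turnstile's, hCaptcha's, or any real automation framework's code) in Node.js: a naive direct-detection probe that checks the kind of page-visible signals described in the "How does Turnstile work?" section, next to the cloaking step a "stealth" automation framework applies before any page script runs. The window and navigator objects are constructed stand-ins so it runs outside a browser; the signal list, the user-agent string and the `cdc_`-prefixed global name are assumptions for illustration, not a description of what Turnstile actually checks.

```javascript
// Added example: a naive "direct detection" probe next to the cloaking that
// defeats it. Not Turnstile's, hCaptcha's or any real framework's code; the
// signal list and property names are assumptions chosen for illustration.

// Page-visible signals a naive direct-detection script checks. Real products
// probe many more properties and weight them, but the principle is the same:
// every signal is a value the client controls.
function directDetectionSignals(win) {
  const nav = win.navigator;
  return {
    webdriver: nav.webdriver === true,                       // WebDriver spec flag
    headlessUA: /HeadlessChrome/.test(nav.userAgent || ''),  // headless build UA string
    noPlugins: (nav.plugins ? nav.plugins.length : 0) === 0, // headless ships no plugins
    noLanguages: !nav.languages || nav.languages.length === 0,
    cdcProps: Object.keys(win).some(k => /^cdc_/.test(k)),   // chromedriver-injected globals
  };
}

// Verdict: any positive signal flags the session as automated.
function looksAutomated(win) {
  return Object.values(directDetectionSignals(win)).some(Boolean);
}

// Constructed stand-in for what an un-cloaked headless automation session
// exposes to page scripts (the global name is made up; real chromedriver
// builds inject variables sharing the `cdc_` prefix).
function bareHeadlessWindow() {
  return {
    cdc_constructed_Array: [],
    navigator: {
      webdriver: true,
      userAgent: 'Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/119.0.0.0 Safari/537.36',
      plugins: [],
      languages: [],
    },
  };
}

// The cloaking a "stealth" automation framework applies before any page script
// runs: each probed property is overwritten with a plausible value, so the
// probe above reads exactly what it would read from a human's browser.
function cloak(win) {
  delete win.cdc_constructed_Array;
  const nav = win.navigator;
  Object.defineProperty(nav, 'webdriver', { get: () => undefined, configurable: true });
  nav.userAgent = nav.userAgent.replace('HeadlessChrome', 'Chrome');
  nav.plugins = [{ name: 'PDF Viewer' }, { name: 'Chrome PDF Viewer' }];
  nav.languages = ['en-US', 'en'];
  return win;
}

console.log('bare headless session flagged:', looksAutomated(bareHeadlessWindow()));      // true
console.log('cloaked session flagged:      ', looksAutomated(cloak(bareHeadlessWindow()))); // false
```

The point of the example is not the particular five signals but the asymmetry: the probe can only read values the client supplies, and the cloaking side gets to rewrite every one of them before the probe runs. Adding more signals raises the attacker's maintenance cost, not the fundamental difficulty, which is why direct detection alone degrades as browsers strip or normalise the signals it depends on.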

Google, the largest maker of browsers via Chrome, has spent years removing or obfuscating signals useful for bot detection. This is likely a byproduct of their attempts to privilege Google's ad network and reduce competition in both the ad and security space.

By privacy-washing this practice they have so far avoided most regulatory scrutiny, but it has made legacy anti-bot vendors relying primarily on direct detection increasingly irrelevant.

All top-performing bot mitigation platforms continue to rely on CAPTCHAs for more robust detection and mitigation, with many integrating hCaptcha directly.

Why doesn't "proof of work" stop many attacks?

hCaptcha has for many years used proof of work challenges as part of our endpoint protection systems, but this tool alone is not sufficient for bot mitigation.

The primary benefit of proof of work systems is to increase the cost and decrease the speed of large scale Layer 7 DDoS attacks.

At the speed of a normal credential stuffing attack, the large botnets used by many cybercriminals will not be greatly affected even if Turnstile detects them and slows the request by several seconds: each physical machine is making a relatively small number of requests per hour.

And because cybercriminals are often not paying for the compute capacity, memory, or energy wasted by these attacks, these costs are effectively externalized to the users running malware.

We do not think buying carbon credits fully offsets the environmental harm and waste of this approach, and thus reserve it for limited use cases.

By contrast, humanity verification creates a direct cost to attackers that cannot be easily circumvented or offloaded, and at the same time acts as an efficient rate limiter due to the limited number of "clickfarmers" employed to attempt to solve these challenges.

Are there third-party measurements of Turnstile's accuracy?

Yes, indirectly: in our research, the paid bypass services offered by cybercriminals charge less to bypass Turnstile than to "solve" a CAPTCHA or to bypass reCAPTCHA v3, and deliver the bypass at much higher speed. The market price of a bypass is a reasonable proxy for the cost a defense actually imposes on attackers.

This indicates that, as of December 2022, Turnstile offers weaker bot mitigation than modern humanity verification challenges or other passive alternatives.

Why do larger services use hCaptcha Enterprise?

hCaptcha Enterprise goes far beyond simple tools like Turnstile, offering a complete fraud and abuse detection and mitigation platform.

It has become the most-used service of its kind by category leaders in every industry. Unique privacy-preserving machine learning powers features like:

• Risk scores for fraud, abuse, automation and more

• Custom threat models

• Sophisticated clickfarm detection

• Advanced persistent threat detection and mitigation to address the most sophisticated adversaries

• Intrinsically compliant global approach to privacy, including Zero PII, Secure Enclaves, local data processing, and more.

[Image: Clickfarm operator. These phones all pass direct detection and hardware attestation tests.]

Thanks for reading!

We hope this helped to elucidate some of the differences between hCaptcha and purely passive tools like Turnstile.
