Having Trouble Logging into Sites Protected with Cloudflare?

Exploring the frustrations and inconsistencies of Cloudflare's Turnstile, with real-world examples and potential solutions.

Introduction

Recently, I’ve encountered a recurring problem while trying to log into several sites that use Cloudflare’s Turnstile, a machine-learning tool they’ve developed for bot protection as a replacement for CAPTCHAs. Personally, I’ve seen this on major sites like GitLab.com, ChatGPT, and even Cloudflare itself. While Turnstile aims to enhance security, it often produces false positives that can be rather frustrating.

It’s not just me experiencing these issues. I’ve seen other users complain about this in various forums, sharing workarounds that sometimes work for some but not for others. There doesn’t seem to be a universal solution that works for everyone.

The inconsistency of Turnstile is another significant issue. Despite having the same Firefox configuration on both my office desktop and my mobile laptop, which are synchronized via my Firefox account, I can log into GitLab.com on one but not the other. What does Turnstile think is different about them? I’m really not sure.

Potential Solutions

Improve Turnstile Accuracy

Cloudflare needs to continually refine its algorithms to reduce the number of false positives. This involves better distinguishing between legitimate users and bots through more advanced machine learning techniques.

Broader Browser Support

Ensuring that Turnstile operates smoothly across all major browsers and devices is crucial. Regular testing and updates can help achieve this goal. Most of the time, it doesn’t work for me in Firefox, but it does in Chromium-based browsers (e.g. Chrome). Other users are reporting the opposite: Firefox works, but Chromium/Chrome doesn’t.

User Feedback Mechanism

Implementing a more efficient feedback mechanism where users can report issues directly can help Cloudflare identify and address specific problems more quickly. This feedback loop is essential for continuous improvement.

Adding a button for “Hey, I’m a human!” would be nice, but there would have to be a way to prevent bots from using it too. Maybe add some easy out-of-band task that only humans can do?

Streamlined UX Design

Simplifying the verification process can help maintain a positive user experience. What if you only had to do this infrequently? And only once for all of the sites you log into? If I get through, how about issuing me a token (e.g. a passkey) that works for an entire year everywhere? This brings up authentication on the Web generally, but maybe we need to bring these two discussions together.

Transparency

Let us know why we’re being blocked, and what we can do to fix it. Keeping this secret so the bots don’t adapt isn’t helpful here. And we all know that security through obscurity doesn’t work anyway.

Workarounds

What eventually worked for me on most of the sites I use is a recipe from the GitLab.com issue, thanks to Alix Brunet:

  1. Shut down your browser by quitting it.
    • Make sure every instance has been exited, and no background processes are remaining.
  2. Launch your browser on the command line with all extensions/plugins disabled.
    • On Firefox, this is firefox --safe-mode.
    • On Chromium-based browsers, this is with the --disable-extensions switch, e.g. flatpak run org.chromium.Chromium --disable-extensions if you’re using the Flatpak package.
  3. Log in to the site you’re trying to log into.
    • It should work this time.
  4. Shut down your browser again.
    • Make sure every instance has been exited, and no background processes are remaining.
  5. Start your browser normally, without disabling extensions.
    • This should now work, assuming that you don’t clear your cookies automatically on exit.

However, for ChatGPT, I also had to disable my VPN. The above process didn’t work until I did that. My login cookies weren’t helping on their own; I kept getting the Turnstile checkbox.
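
The recipe above as a shell script, added here as an example; it is not part of the original post or of the GitLab.com issue. It assumes Linux with a POSIX `ps` and Firefox on the PATH, and the names `PATTERN`, `still_running`, `wait_for_exit`, `launch_safe` and `launch_normal` are made up for this sketch. The part the numbered steps leave to you, confirming that no background process survives, is done by matching every command line in the process list.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux with a POSIX ps,
# Firefox on PATH, and a script name that does not itself contain PATTERN.
PATTERN=firefox                 # substring identifying the browser's processes

launch_safe()   { firefox --safe-mode; }  # step 2; Chromium: --disable-extensions
launch_normal() { firefox; }              # step 5

# still_running PATTERN LISTING
# LISTING is `ps -A -o pid= -o args=` output. Prints the PID of every process
# whose command line contains PATTERN (content and helper processes included).
still_running() {
    printf '%s\n' "$2" | while read -r pid args; do
        case $args in
            *"$1"*) echo "$pid" ;;
        esac
    done
}

# wait_for_exit PATTERN TIMEOUT_SECONDS
# Polls once per second; returns 1 if a match is still alive at the timeout.
wait_for_exit() {
    waited=0
    while [ -n "$(still_running "$1" "$(ps -A -o pid= -o args=)")" ]; do
        [ "$waited" -lt "$2" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
}

main() {
    # Steps 1 and 4 both require that no background process is left over.
    wait_for_exit "$PATTERN" 10 || {
        echo "Still running: $(still_running "$PATTERN" "$(ps -A -o pid= -o args=)" | tr '\n' ' ')" >&2
        return 1
    }
    launch_safe                          # steps 2-3: log in, then quit the browser
    wait_for_exit "$PATTERN" 3600 || return 1
    launch_normal                        # step 5: relies on cookies being kept
}

# Constructed sample listing, used only to illustrate the matching.
SAMPLE_PS=' 1201 /usr/lib/firefox/firefox
 1250 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser
 1300 /bin/bash'

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` as the only argument. The substring match is deliberately broad, so an unrelated process with the pattern in its command line will also hold up the check.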

Conclusion

Security is good, but if it doesn’t allow authorized parties access, what’s the point of the service? As an extreme example, blocking everything is great security, but users will go elsewhere.

Maybe this is a good example of machine learning that isn’t quite ready to leave the lab just yet.
