Humanity wastes five hundred years a day solving captchas, claims internet company Cloudflare, which wants to offer a solution based on physical security keys. Critics are not convinced. Websites and online services use captchas (Completely Automated Public Turing tests to tell Computers and Humans Apart) to distinguish people from bots.

According to Cloudflare, it takes an internet user an average of 32 seconds to solve a captcha. There are 4.6 billion internet users, who Cloudflare estimates see a captcha every ten days. On this basis, the company arrives at five hundred years a day. The internet company has developed a solution in which internet users no longer have to solve a captcha, but instead use a physical security key to prove that they are human. These are the same security keys that can be used to secure accounts.

Websites participating in the Cloudflare experiment offer users the option "I am human (beta)" in addition to the traditional captcha. This option prompts the user for a physical security key. The user then inserts the key into their computer or holds it near their phone, cryptographic evidence is sent to Cloudflare, and the user proves that they are not a bot. According to the internet company, this process takes five seconds.

This method protects users' privacy, according to Cloudflare, because the cryptographic evidence is not unique to the device. Each Universal 2nd Factor (U2F) device carries a shared attestation key pair that is present on at least 100,000 U2F devices from the same manufacturer. This is intended to prevent individual U2F devices from being uniquely identified.

Cloudflare asks users to prove that they have a public key signed by a trusted manufacturer. Manufacturers sign the attestation public key with a digital certificate. "So when Cloudflare asks you for a digital signature, it verifies whether your public key is signed by a manufacturer's public key," the internet company said.

Because of this, Cloudflare still needs to know which manufacturer produced the user's security key, information the internet company says it does not want to have for privacy reasons. To overcome this problem, Cloudflare uses zero-knowledge proofs (ZK proofs), so that the security keys of one manufacturer can no longer be distinguished from those of other manufacturers. Information about this application will be published at a later time.

The "Cryptographic Attestation of Personhood" experiment will be available on a limited scale in English-speaking regions. In addition, only security keys that work via USB or NFC are currently supported.

Critics are not enthusiastic about Cloudflare's solution. According to them, setting up an automated attack that bypasses the solution is easy. In addition, privacy would also be at stake. FIDO states that one batch certificate is used per 100,000 keys. When a user is known to have a security key and that batch certificate is seen on a website, there is a 1 in 100,000 chance that it is that user.

Combined with other information that websites collect, this can be used against users. Furthermore, security keys are normally used for authentication, which is not what the Cloudflare solution does. "It only verifies the device model," says Yuriy Ackermann.
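The two points made above, the attestation chain that Cloudflare verifies (manufacturer root signs a batch attestation key, the key signs a fresh challenge) and the fact that a successful check reveals only the manufacturer and batch rather than an individual device, are illustrated by the following added example. It is not Cloudflare's, FIDO's or any vendor's code: it uses plain ECDSA over P-256 with a simplified stand-in for the attestation certificate (a signature over the DER-encoded batch public key bound to a constructed vendor name and batch label), rather than real X.509 attestation certificates with AAGUIDs. The vendor name "ExampleKeyCo", the batch label and the challenge format are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// BatchCert is a simplified stand-in for a FIDO attestation certificate: the
// batch public key (DER) plus the manufacturer's signature binding it to the
// vendor name and a batch label (both labels are constructed for this example).
type BatchCert struct {
	Manufacturer, BatchID string
	PubDER, RootSig       []byte
}

// certDigest binds vendor and batch to the key so a root signature cannot be
// transplanted onto a key from another vendor.
func certDigest(c BatchCert) []byte {
	h := sha256.Sum256(append([]byte(c.Manufacturer+"|"+c.BatchID+"|"), c.PubDER...))
	return h[:]
}

// IssueBatch: the manufacturer's root key signs one attestation key that is
// then loaded into every device of the batch (FIDO: at least 100,000 devices).
func IssueBatch(root *ecdsa.PrivateKey, manu, batch string) (*ecdsa.PrivateKey, BatchCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, BatchCert{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, BatchCert{}, err
	}
	c := BatchCert{Manufacturer: manu, BatchID: batch, PubDER: der}
	c.RootSig, err = ecdsa.SignASN1(rand.Reader, root, certDigest(c))
	return key, c, err
}

// Attest is the device side: sign the verifier's fresh challenge with the
// shared batch key. No per-device secret takes part, so every device in the
// batch produces evidence that verifies the same way.
func Attest(batchKey *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, batchKey, h[:])
}

// NewChallenge returns 32 random bytes; a fresh value per request means a
// captured signature cannot be replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the Cloudflare side: manufacturer root -> batch key -> challenge
// signature. On success it returns all the chain reveals: vendor and batch.
func Verify(roots map[string]*ecdsa.PublicKey, challenge, sig []byte, c BatchCert) (string, error) {
	root, ok := roots[c.Manufacturer]
	if !ok {
		return "", errors.New("manufacturer not trusted")
	}
	if !ecdsa.VerifyASN1(root, certDigest(c), c.RootSig) {
		return "", errors.New("batch key not signed by manufacturer root")
	}
	pub, err := x509.ParsePKIXPublicKey(c.PubDER)
	if err != nil {
		return "", err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("batch key is not an ECDSA key")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(ecPub, h[:], sig) {
		return "", errors.New("challenge signature invalid")
	}
	return c.Manufacturer + "/" + c.BatchID, nil
}

// ReidentificationOdds is the chance that one sighting of a batch certificate
// belongs to a specific known holder of a key from that batch.
func ReidentificationOdds(batchSize int) float64 {
	return 1 / float64(batchSize)
}

func main() {
	root, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed vendor root
	roots := map[string]*ecdsa.PublicKey{"ExampleKeyCo": &root.PublicKey}
	batchKey, cert, _ := IssueBatch(root, "ExampleKeyCo", "batch-0001")
	ch, _ := NewChallenge()
	sig, _ := Attest(batchKey, ch)
	label, err := Verify(roots, ch, sig, cert)
	fmt.Println(label, err, ReidentificationOdds(100000))
}
```

Two devices loaded with the same batch key yield the same label from Verify, which is the privacy property Cloudflare relies on; the same label is also exactly the manufacturer and batch information that the critics point out is exposed, and that the zero-knowledge variant mentioned above is meant to hide. The verifier never sees a per-device secret, which is why the check proves possession of a manufacturer-signed key but does not authenticate a user.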