Cloudflare Turnstile Requires WebGL Fingerprinting for Verification

Original: Cloudflare Turnstile requiring fingerprintable WebGL

Why This Matters

This highlights the growing conflict between web security measures and user privacy protection.

Cloudflare's Turnstile verification system now requires WebGL fingerprinting to verify human users, blocking WebKitGTK browsers that protect against such tracking. The system loops indefinitely on privacy-focused browsers that spoof WebGL data.

A security researcher discovered that Cloudflare Turnstile, the company's human verification system, now mandates WebGL fingerprinting for device verification. The system fails on WebKitGTK-based browsers that block fingerprinting by default, displaying "WebGL renderer info is spoofed" errors. Cloudflare justifies this requirement, stating that "Turnstile uses browser fingerprinting to verify you're human" and that privacy tools make browsers "look like a bot trying to hide its identity." The change affects websites using Turnstile verification. WebKit has blocked such fingerprinting for years due to privacy concerns. Firefox currently passes verification but may face issues if users enable the privacy.resistFingerprinting setting, which isn't activated by default even in strict privacy mode.

Source

hacktivis.me