How CloudFlare and reCaptcha are ruining the net (and what to do)

Everyone has suffered that annoying moment when CloudFlare serves them a Google reCaptcha. Often, the captcha can be a little tricky — resulting in failure and multiple attempts. If you are particularly unlucky, you could be asked to click images of traffic lights, street signs, or zebra crossings — up to five times — before Google’s reCaptcha finally accepts that you are human. This is totally infuriating and a massive waste of time. And, believe it or not, it may actually be being imposed on people unnecessarily to help train up Google’s machine learning systems.

What is a CAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Captcha systems were originally proposed in 1997 to spot malicious online bots. The internet is full of bots (automated systems) that attempt to access websites and services, primarily to malevolent ends.

Bots help spread malware, carry out DDoS attacks, send bucketloads of spam, steal people’s credentials, log into services to make fraudulent purchases and perform many other nefarious online activities.

reCaptcha was acquired by Google in 2009 and has gone on to become the most popular flavor of the bot-busting captcha system.

CloudFlare and reCaptcha — why the pain?

CloudFlare is a content delivery network (CDN) that provides services for around 7% of websites around the world. It is the largest global CDN and its network has the largest number of connections to Internet exchange points. CloudFlare’s primary job is to speed up how long it takes for websites to load.

However, CloudFlare also performs DDoS protection (and other website security services) by flagging up IP addresses that it believes are bots. When an IP address is flagged up as a potential bot, people using that particular IP are forced to fill in a reCaptcha.

Under certain circumstances consumers are forced to fill in a reCaptcha multiple times; sometimes for several minutes at a time. So why is this the case? And, is Google’s reCaptcha broken?

The answer to this question is quite complex. But, in a nutshell, when you fill in Google’s reCaptcha you aren’t just having to jump through hoops to help stop bad robots — you are also helping train Google’s machine learning algorithms (and saving Google a ton of money by becoming a temporary Google employee).

Why am I being singled-out to fill in a reCaptcha?

If you are using the internet at home and you aren’t doing anything out of the ordinary, you shouldn’t need to fill in a reCaptcha very often. Most people are only prompted with a captcha when they attempt to buy something. This stops bots from brute-forcing passwords or committing fraudulent purchases (or multiple purchases). What’s more, most of the time a captcha should be as easy as clicking on “I’m not a robot”.

However, people who use public WiFi in hotels and coffee shops may find that they are served a reCaptcha much more often. This is due to the large number of people using the internet from that specific location — sometimes leading to an IP address being blacklisted by CloudFlare for problematic behaviors.

If an internet user’s activities cause CloudFlare to flag a public WiFi IP, everyone using that WiFi hotspot will suddenly find themselves having to fill in a lot of reCaptcha requests. The system is temperamental and most internet users agree that CloudFlare has overly aggressive firewall rules (that trip the reCaptcha).

In some places, it is not uncommon for huge blocks of IP addresses to become blacklisted. The result for people in those places? Regularly having to complete a reCaptcha. This has happened, for example, to consumers in SouthEast Asia who have complained bitterly about CloudFlare’s aggressive Firewall rules(sometimes even choosing to boycott websites that force them to fill in a reCaptcha due to CloudFlare).

Why does CloudFlare let this happen?

Considering that CloudFlare’s job is to speed up page load times, it seems fair to question why the world’s largest CDN is letting Google ruin the internet in this way.

To its credit, CloudFlare’s use of reCaptcha is not particularly suspicious. reCaptcha is considered “the leading CAPTCHA service,” because, nowadays, reCaptcha is meant to work in an “invisible” manner.

In practice, this isn’t always the case. With so many people experiencing frustration and problems due to reCaptcha, one would hope that CloudFlare would use its considerable influence to kick up more of a fuss (especially considering that CloudFlare’s CEO knows Google’s CEO personally).

This becomes all the more urgent, if internet users are being (unfairly) made to jump through extra hoops to help Google train up its automated systems. CloudFlare, please do something, for goodness’ sake!

The reCaptcha solution: A VPN

People who are sick of encountering CloudFlare’s implementation of reCaptcha can use a Virtual Private Network (VPN) to combat the problem. A VPN allows anybody to conceal their real IP address in order to stop CloudFlare detecting their blacklisted IP address.

If you are wondering whether the IP address you are using is blacklisted, you can check it by:

If the IP address says something like: “The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and dictionary attacker”, a VPN could indeed help. Another option is to ask for it to be whitelisted.

I am using a VPN but I’m still experiencing problems

One problem is that CloudFlare sometimes blacklists IP addresses belonging to VPNs, proxies, and Tor exit nodes. This means some people using a VPN may actually encounter reCaptcha requests more often, rather than less.

If you are not using a VPN and are experiencing a lot of reCaptcha requests, the best thing to do is to subscribe to a well-known premium VPN service. All of the VPNs recommended in our best VPN services article are known to help solve the annoying CloudFlare reCaptcha problem.

If you are currently using a VPN, but are still experiencing a lot of reCaptcha requests, it is worth trying to connect to a different server. This is because it is probable that only that one VPN server is affected. If the problem persists, please contact your VPN provider. If your VPN provider can’t help, you may need to switch to one of our recommended providers.

Why are VPN servers blacklisted by CloudFlare?

The majority of the time, CloudFlare will have blacklisted an IP address belonging to a VPN because one of the VPN’s customers has used the IP address to spam people or perform some other blacklisted activity.

VPNs have rules in place that ask their subscribers not to perform malicious activities. However, sometimes subscribers take advantage of the VPN’s zero-logs policy by performing activities that are against the terms of service.

Is CloudFlare blocking VPNs on purpose?

It is worth noting that CloudFlare has launched its own VPN service called CloudFlare Access. This VPN is in direct competition with other commercial and corporate VPNs. It would therefore not be surprising if CloudFlare began blacklisting VPN IP addresses to encourage people to subscribe to its proprietary service instead.

Whether this is already occurring is not clear, but there have been reports of specific VPN users (such as Private Internet Access subscribers) being served a reCaptcha on a regular basis when their VPN is connected. Only time will tell, but, for now, CloudFlare doesn’t seem particularly motivated to save the day.