Field Dispatch · Hacker News #1 · 2026-06-01

Cloudflare Turnstile requiring fingerprintable WebGL

hacktivis.me

Points
428
Comments
229
Daily ranking
#1
Host
hacktivis.me
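Pain-point analysis, published 2026/05/31

The pain points are a preliminary AI-generated distillation of the upstream source material; no additional China-market research is included.

Pain points

When users visit websites with a WebKitGTK-based browser (such as Konform), Cloudflare Turnstile verification loops indefinitely, leaving a large number of websites inaccessible. This is because Turnstile requires WebGL fingerprinting, and WebKitGTK blocks this kind of tracking by default. The user's original task was to browse normally or submit a form, but the existing flow gets stuck at the verification step and the website becomes completely unusable. For browser maintainers, this brings the pressure of user reports and troubleshooting, and the problem cannot be solved by joining the Cloudflare browser developer program (which requires signing an NDA). User comments point out that even enabling privacy-protection settings (such as Firefox's resistfingerprinting) can cause other website functions to misbehave (such as wrong time zones), which creates a dilemma: either sacrifice privacy and allow fingerprinting, or be blocked or run into broken functionality. This friction wastes users' time, makes the decision difficult (privacy or usability), and adds coordination costs for browser maintainers.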

External Article

External article summary

published on 2026-05-30T23:31:51Z, last updated on 2026-05-30T23:31:52Z

For about a week, Cloudflare Turnstile (their "Verify you're human" device verification) has been looping indefinitely in my webkit-gtk based browser, preventing access to quite a few websites (previously, but it even got worse lately). Turns out it's because Cloudflare wants to have a fingerprint of your device via WebGL; the only reason for doing this would be tracking.

Their pro-tracking non-justification copied here just in case:

> Turnstile uses browser fingerprinting to verify you're human. Privacy tools that block or randomize fingerprinting make your browser look like a bot trying to hide its identity. Temporarily allowing fingerprinting for this site will fix the issue.

Such things are blocked in WebKit, and have been for years. Meaning it's tracking so awful that even Apple would block it, and as far as I can tell it's not the kind of privacy protection you can easily disable in it. So Cloudflare just banned all WebKitGTK browsers as I guess they put an exception for Safari.

As an aside, if you're wondering, Mozilla Firefox screwed up their WebGL fingerprinting protection: Bugzilla#1916271: Geck

External Article

External article source

Article title
Cloudflare Turnstile requiring fingerprintable WebGL
Host
hacktivis.me
§ Dossier

Selected HN comments

Cloudflare is known to use fingerprinting to detect scrapers. For example, they use JA3 fingerprints and match them against the UA to block stuff like cURL while allowing OkHttp (Android clients) - but this can easily be spoofed with packages such as CycleTLS [1].

I don't want to defend them, because they gate away a good chunk of the internet with their "bot protection", but unless you do PoW (which is also ecologically a nightmare), probably fingerprinting is the way to go - completely destroying the privacy of everyone involved.

Cromite, a privacy conscious fork of Chromium for Android, constantly has issues with CloudFlare Turnstile [2] because they (Cloudflare) try to fingerprint it in multiple ways in order to pass the challenge. The only way to get it to work would be to join the CloudFlare Browser Developer program - which requires signing an NDA. Rightfully so, the project maintainer didn't want to do it.

If you want to see the extent of what CloudFlare does to fingerprint the browsers, just have a look in the issue [2] and see which flags need to be disabled in order to allow CloudFlare to pass the challenge.

I understand both sides, but at least CloudFlare could be flexible enough to fall back to PoW instead of just blocking people from sending forms or accessing websites...

[1]: https://github.com/Danny-Dasilva/CycleTLS
[2]: https://github.com/uazo/cromite/issues/2365

denysvitali
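The JA3-versus-User-Agent consistency check described in the comment above, as an added example that is not part of the thread and not Cloudflare's code. The ClientHello profiles, the `examplebrowser`/`examplecli` families and all function names are constructed for illustration and do not correspond to any real client's fingerprint.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientHello:
    """The five ClientHello fields JA3 covers, as decimal integers."""
    version: int
    ciphers: tuple
    extensions: tuple
    curves: tuple
    point_formats: tuple


def is_grease(value):
    # GREASE placeholders (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa. Clients
    # insert them at random, so JA3 drops them to keep the hash stable.
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(hello):
    # JA3 layout: version,ciphers,extensions,curves,point_formats
    # with "-" between the values inside a field and empty fields kept.
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([
        str(hello.version), field(hello.ciphers), field(hello.extensions),
        field(hello.curves), field(hello.point_formats),
    ])


def ja3_hash(hello):
    # The fingerprint is the MD5 hex digest of the JA3 string.
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()


# Constructed ClientHello profiles for two hypothetical clients.
BROWSER_HELLO = ClientHello(
    771, (4865, 4866, 4867, 49195, 49199),
    (0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43),
    (29, 23, 24), (0,))
CLI_HELLO = ClientHello(
    771, (4866, 4867, 4865, 49196, 49200, 159),
    (0, 11, 10, 13, 43, 45, 51),
    (29, 23, 30, 25, 24), (0, 1, 2))

# Hypothetical allowlist: User-Agent family -> JA3 hashes seen for it.
KNOWN = {
    "examplebrowser": {ja3_hash(BROWSER_HELLO)},
    "examplecli": {ja3_hash(CLI_HELLO)},
}


def ua_family(user_agent, known=KNOWN):
    # Match a "<family>/<version>" product token anywhere in the header.
    ua = user_agent.lower()
    for family in known:
        if family + "/" in ua:
            return family
    return None


def classify(user_agent, hello, known=KNOWN):
    """Return (verdict, family whose TLS profile was actually observed)."""
    claimed = ua_family(user_agent, known)
    if claimed is None:
        return ("unknown-ua", None)
    observed = ja3_hash(hello)
    if observed in known[claimed]:
        return ("consistent", claimed)
    owner = next((f for f, hashes in known.items() if observed in hashes), None)
    return ("mismatch", owner)


if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
    print(classify(ua, BROWSER_HELLO))  # header and TLS stack agree
    print(classify(ua, CLI_HELLO))      # browser header over another TLS stack
```

The check only compares the five hashed fields, so any client that presents the same ClientHello parameters is reported as consistent, which is the limitation the comment points out.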

> Plus privacy.resistfingerprinting isn't enabled even when selecting "Strict" "Enhanced Privacy Protection" in the settings, great job there Mozilla.

For good reason. I've run that setting for ages but I kept having to disable it and add workarounds because websites would break in weird ways. Timezones in scheduling websites being messed up nearly made me miss a couple of appointments. There's no way to tell the user Firefox isn't broken without displaying a permanent banner like "if websites are broken in any way or you see weird glitches or your computer's time is wrong or fonts look weird or videos don't always work right, click here to disable fingerprinting protection".

Interestingly, Turnstile breaks with resistfingerprinting but works with fingerprintingProtection, I guess the latter takes this crap into account.

jeroenhd

I'm maintaining a minority browser[0] and as of a couple of weeks this is affecting several of our users[1]. While I'm currently not considering this a browser bug (one could be involved, of course), more eyes are better and any help or ideas on improving or mitigating the situation would be appreciated.

[0]: https://konform-browser.codeberg.page/
[1]: Most? All? Without any telemetry, relying on user reports and our own testing here.

konform

"If they know you're spoofing, you're not spoofing hard enough."

This stupid "war against bots" is going to lead to the downfall of the Internet and effectively turn it into another walled garden where only "approved" (anti-)user agents are allowed. Don't fall for the nonsense about "AI scrapers" --- it's just a way to manufacture consent.

userbinator

>> CloudFlare wall of harassment

You’re right, this is a form of harassment, and it needs to be recognised as such.

schappim
Source data · Raw Archive
source
Hacker News
upstream_source
hacker_news
upstream_item_id
48345840
daily_ranking_item_id
bd7225bc-84c7-48cb-9856-0e0c50750353
rank_date
2026-06-01
rank
1
name
Cloudflare Turnstile requiring fingerprintable WebGL
tagline
hacktivis.me
votes_count
428
comments_count
229
created_at_on_source
2026-05-31T14:13:20.000Z
media / source-specific data
{
  "author": "HypnoticOcelot",
  "hn_item_id": 48345840,
  "external_url": "https://hacktivis.me/articles/cloudflare-turnstile-webgl-fingerprinting"
}