
How CloudFlare and ReCaptcha are ruining the net (and what to do)

Everyone has suffered that annoying moment when CloudFlare serves them a Google ReCaptcha. Often, the captcha can be a little tricky - resulting in failure and multiple attempts. If you are particularly unlucky, you could be asked to click images of traffic lights, street signs, or zebra crossings - up to five times - before Google’s ReCaptcha finally accepts that you are human. This is totally infuriating and a massive waste of time. And, believe it or not, it may actually be being imposed on people unnecessarily to help train up Google’s machine learning systems.


What is a CAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Captcha systems were originally proposed in 1997 to spot malicious online bots. The internet is full of bots (automated systems) that attempt to access websites and services, primarily to malevolent ends. 

Bots help spread malware, carry out DDoS attacks, send bucketloads of spam, steal people’s credentials, log into services to make fraudulent purchases and perform many other nefarious online activities. 

reCaptcha was acquired by Google in 2009 and has gone on to become the most popular flavor of the bot-busting captcha system.

CloudFlare and ReCaptcha - why the pain?

CloudFlare is a content delivery network (CDN) that provides services for around 7% of websites around the world. It is one of the largest global CDNs, and its network has a massive number of connections to Internet exchange points. CloudFlare’s primary job is to reduce the time it takes for websites to load.

However, CloudFlare also performs DDoS protection (and other website security services) by flagging up IP addresses that it believes are bots. When an IP address is flagged up as a potential bot, people using that particular IP are forced to fill in a ReCaptcha. 


Under certain circumstances consumers are forced to fill in a ReCaptcha multiple times; sometimes for several minutes at a time. So why is this the case? And, is Google’s ReCaptcha broken?

The answer to this question is quite complex. But, in a nutshell, when you fill in Google’s ReCaptcha you aren’t just having to jump through hoops to help stop bad robots - you are also helping train Google’s machine learning algorithms (and saving Google a ton of money by becoming a temporary Google employee). 

Why am I being singled-out to fill in a reCaptcha?

If you are using the internet at home and you aren’t doing anything out of the ordinary, you shouldn't need to fill in a reCaptcha very often. Most people are only prompted with a captcha when they attempt to buy something. This stops bots from brute-forcing passwords or committing fraudulent purchases (or multiple purchases). What’s more, most of the time a captcha should be as easy as clicking on “I’m not a robot”.

However, people who use public WiFi in hotels and coffee shops may find that they are served a ReCaptcha much more often. This is due to the large number of people using the internet from that specific location - sometimes leading to an IP address being blacklisted by CloudFlare for problematic behaviours.

If an internet user’s activities cause CloudFlare to flag a public WiFi IP, everyone using that WiFi hotspot will suddenly find themselves having to fill in a lot of ReCaptcha requests. The system is temperamental and most internet users agree that CloudFlare has overly aggressive firewall rules (that trip the ReCaptcha). 

In some places, it is not uncommon for huge blocks of IP addresses to become blacklisted. The result for people in those places? Regularly having to complete a ReCaptcha. This has happened, for example, to consumers in Southeast Asia who have complained bitterly about CloudFlare’s aggressive firewall rules (sometimes even choosing to boycott websites that force them to fill in a ReCaptcha due to CloudFlare).


Why does CloudFlare let this happen?

Considering that CloudFlare’s job is to speed up page load times, it seems fair to question why the world’s largest CDN is letting Google ruin the internet in this way. 

To its credit, CloudFlare’s use of reCaptcha is not particularly suspicious. ReCaptcha is considered “the leading CAPTCHA service,” because, nowadays, reCaptcha is meant to work in an “invisible” manner.

In practice, this isn’t always the case. With so many people experiencing frustration and problems due to ReCaptcha, one would hope that CloudFlare would use its considerable influence to kick up more of a fuss (especially considering that CloudFlare’s CEO knows Google’s CEO personally). 

This becomes all the more urgent if internet users are being (unfairly) made to jump through extra hoops to help Google train up its automated systems. CloudFlare, please do something, for goodness’ sake!


The reCaptcha solution: A VPN

People who are sick of encountering CloudFlare's implementation of reCaptcha can use a Virtual Private Network (VPN) to combat the problem. A VPN allows anybody to conceal their real IP address, so that CloudFlare sees the VPN server's IP address instead of their blacklisted one.

If you are wondering whether the IP address you are using is blacklisted, you can check it by:

  1. Finding out your IP address by visiting this website

  2. Visiting Project Honey Pot and entering the IP address to find out its status.

If the status for the IP address says something like: “The Project Honey Pot system has detected behavior from the IP address consistent with that of a dictionary attacker”, a VPN could indeed help. Another option is to ask for it to be whitelisted.
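The same status check can be scripted. The following is an added example, not part of the original article: it goes beyond the web form described above and uses Project Honey Pot's http:BL DNS interface, which needs an access key from a Project Honey Pot account. The key, IP address and answers shown are constructed placeholders.

```python
import ipaddress
import socket

# Visitor-type bits in the last octet of an http:BL answer (0 means search engine).
VISITOR_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def httpbl_query_name(access_key: str, ip: str) -> str:
    """Build the DNS name to look up: <key>.<reversed IPv4 octets>.dnsbl.httpbl.org"""
    addr = ipaddress.IPv4Address(ip)  # http:BL covers IPv4 only; raises on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.dnsbl.httpbl.org"


def decode_httpbl_answer(answer: str) -> dict:
    """Decode the A record returned for a listed address: 127.<days>.<threat>.<type>"""
    octets = list(ipaddress.IPv4Address(answer).packed)
    if octets[0] != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    _, days, threat, vtype = octets
    if vtype == 0:
        # Search engines reuse the third octet as an engine identifier, not a score.
        return {"listed": True, "types": ["search engine"], "engine_id": threat}
    types = [name for bit, name in VISITOR_TYPES.items() if vtype & bit]
    return {"listed": True, "days_since_seen": days,
            "threat_score": threat, "types": types}


def check_ip(access_key: str, ip: str) -> dict:
    """Live lookup (needs network and a real key); no record means 'not listed'."""
    try:
        answer = socket.gethostbyname(httpbl_query_name(access_key, ip))
    except socket.gaierror:
        return {"listed": False}
    return decode_httpbl_answer(answer)


if __name__ == "__main__":
    # Constructed values: placeholder key, documentation-range IP, made-up answer.
    print(httpbl_query_name("abcdefghijkl", "203.0.113.7"))
    print(decode_httpbl_answer("127.3.25.5"))
```

A listed address that was seen recently and carries a high threat score is the kind of IP that is likely to keep triggering challenges.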

I am using a VPN but I’m still experiencing problems

One problem is that CloudFlare sometimes blacklists IP addresses belonging to VPNs, proxies, and Tor exit nodes. This means some people using a VPN may actually encounter reCaptcha requests more often, rather than less.

If you are not using a VPN and are experiencing a lot of reCaptcha requests, the best thing to do is to subscribe to a well-known premium VPN service. All of the recommended VPNs are known to help solve the annoying CloudFlare reCaptcha problem.

If you are currently using a VPN, but are still experiencing a lot of reCaptcha requests, it is worth trying to connect to a different server. This is because it is probable that only that one VPN server is affected. If the problem persists, please contact your VPN provider. If your VPN provider can’t help, you may need to switch to one of our recommended providers.


Why are VPN servers blacklisted by CloudFlare?

The majority of the time, CloudFlare will have blacklisted an IP address belonging to a VPN because one of the VPN’s customers has used the IP address to spam people or perform some other blacklisted activity. 

VPNs have rules in place that ask their subscribers not to perform malicious activities. However, sometimes subscribers take advantage of the VPN’s zero-logs policy by performing activities that are against the terms of service. 

Is CloudFlare blocking VPNs on purpose?

It is worth noting that CloudFlare has launched its own VPN service called CloudFlare Access. This VPN is in direct competition with other commercial and corporate VPNs. It would therefore not be surprising if CloudFlare began blacklisting VPN IP addresses to encourage people to subscribe to its proprietary service instead. 

Whether this is already occurring is not clear, but there have been reports of specific VPN users (such as Private Internet Access subscribers) being served a reCaptcha on a regular basis when their VPN is connected. Only time will tell, but, for now, CloudFlare doesn’t seem particularly motivated to save the day.


Image credits: Maridav/Shutterstock.com, Funtap/Shutterstock.com, Nikolaeva/Shutterstock.com

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 

8 Comments

Anon
on October 26, 2021
I like how you manage this website; this is the good example how true web developer should do! About cloudflare, I must be honest but I am about to erupt because of its annoyance, and I bet it also p*ss other people off until they may actually decide to attack. Cloudflare and all captcha should be wiped out from face of the Earth
KAT
on September 15, 2021
What's ironic is that, accessing this article, I was forced to do a Captcha by Cloudflare. I was using Protonmail's VPN.
Irma Dalakanitzkova
on January 22, 2019
Unfortunately, Using proxy servers, The Onion Browser (TOR) or a VPN will NOT DIMINISH but INCREASE the number of CloudFlare's reCaptchas! It was an utterly stupid idea of TOR's management to publish a list of their exit nodes: while there are other ways to come to the conclusion that a user browses the Internet with TOR, they require at least some more knowledge, insight and effort, whereas a simple comparison of IP addresses is easy to do and spells a curse of doom for users of the TOR browser: one gets bombarded with that reCaptcha crap first to access the site, then to view links, later to post a comment, SEVERAL TIMES on the same page. Furthermore, it's not just two or three pages of stamp-sized grainy pictures, but up to a dozen per set. Even if the checkmark is placed, after clicking the button, it may very well disappear and the same harassment begins again, up to three to five times. My personal record so far were 27 pages of «try again» crosswalks, traffic lights, parking meters ... and the time can be up to 10 - 15 min., because each individual little square on each page of a sequence of pages takes a painstakingly slow 3 - 5 sec. to change from one picture to the next. The same goes for proxy servers and VPNs: CloudFlare goes to great lengths to make life for their users impossible, under the pretext of «bad things are usually being done using proxies or VPNs». Guess what, idiots, somebody who has really devious intentions will go through the hassle anyway, but for hundreds of millions of ordinary users, this bullshit is a curse. CloudFlare's & Google's unholy alliance, forcing educated grown-ups to waste hours per week clicking on hardly decipherable, grainy, tiny thumbnails, is a perfect example of a cure that's worse than the disease. Especially for merely passive use of websites (reading, following a link, looking at graphics/pictures, ...), that pest makes no sense, and for posting comments, there are other ways of keeping spam in check. 
That being said, one can browse over a hundred spam messages or click the 'delete'/'report' button far quicker and more conveniently than what having to deal with the f...g time-waster of reCaptchas costs in hours of one's lifetime that one will never get back. It would be nice if proxies, TOR or VPNs would remedy or at least alleviate the problem, but in practice, it's the other way round. The operators/programmers/administrators of proxy servers, TOR and VPNs need to pay more attention to this problem and go to far greater lengths to make identifying their services more difficult, i.e. to become indistinguishable from direct connections with ordinary browsers. Furthermore, the respective companies/NGOs/projects and consumer organisations should form an alliance and sue CloudFlare and Google for the economic damage (loss of working hours) and inconvenience (loss of precious spare time, RSI caused by unnecessary clicking orgies) that these two bullying companies cause.
Huntsman
on November 15, 2018
Hi Ray, I know of at least one web/domain owner who uses Cloudflare to block VPN users. Specifically NordVPN IS BEING BLOCKED. To add insult to injury, they block paying customers for both the Web/Domain owner AND a long term 2 year NordVPN paying customer. Requests to both the web/domain owner and NordVPN all fall on deaf ears!! So as far as I am concerned, using a VPN does not bypass or unblock these Cloudflare blocking problems. I was using the Cloudflare DNS 1.1.1.1 server, but that was no help, so I no longer use it or any of Cloudflare offerings. I will continue to use NordVPN (it's a good service) until my subscription runs out. If this problem isn't resolved by then, I will be forced to look for an alternative VPN provider who isn't using Cloudflare. A sad state of affairs!
