alt.hn

2/27/2026 at 10:00:29 PM

The most-seen UI on the internet? Redesigning turnstile and challenge pages

https://blog.cloudflare.com/the-most-seen-ui-on-the-internet-redesigning-turnstile-and-challenge-pages/

by corvad

2/27/2026 at 11:20:41 PM

> Designing a product with billions of eyeballs on it isn't just challenging — it requires a fundamentally different approach.

I'm not reading this.

by Starlevel004

2/27/2026 at 11:35:51 PM

Their design approach wasn’t particularly unusual, so I’m not sure what that sentence means.

I do miss the days when technical reports were clear and concise. This one has some interesting information, but it’s buried under a mountain of empty AI-written bloat.

by thorum

2/28/2026 at 10:50:29 AM

It doesn't mean anything. It is just there to be there and catch low-hanging RL reward granting eyeballs.

by hexaga

2/27/2026 at 11:47:40 PM

It's annoying because it is a super common widget and it is interesting work, the first draft or literally even prompt they gave the AI probably would've been a great post, all they had to do was not ensloppify it...

by dematz

2/28/2026 at 1:49:51 PM

I agree this thing went on forever and seemed to have multiple summaries of the same concepts.

by jgalt212

2/28/2026 at 4:12:55 AM

To Cloudflare employees: This is a super interesting topic, but next time we'd rather hear from you, grammar mistakes and all, not from AI.

If I want AI slop, I'll gladly have a chat with my paid $20 bucks Gemini account.

by cocoa19

2/27/2026 at 11:22:50 PM

Did you base the AI use on the emdash or is this a common AI phrase (or both)?

by upmind

2/27/2026 at 11:25:13 PM

"Not just X -- it's Y" is one of the more irritatingly common signs, especially for sentences like that one which absolutely do not need it.

The Wikipedia article on detecting AI writing is a big help if you need to calibrate your sensors: https://en.wikipedia.org/wiki/Wikipedia:Signs_of_AI_writing

by Starlevel004

2/27/2026 at 11:32:29 PM

Yeah it’s basically the prose equivalent of getting too much radio play - hilarious how the breakthrough of LLM content has ‘ruined’ “it’s not X—it’s Y” for so many of us now

Maybe, like overplayed pop songs, in 20 years or so we’ll come around to viewing the phrase fondly.

by mock-possum

2/28/2026 at 1:45:36 PM

Thanks for the Wikipedia tip.

by wappieslurkz

2/27/2026 at 11:26:40 PM

I see, thx for the article too!

by upmind

2/27/2026 at 11:28:15 PM

I think I'll actually post the article here, quite useful

by upmind

2/28/2026 at 12:07:10 AM

> "Not just X -- it's Y" is one of the more irritatingly common signs ...

It's a bit of a "Karen AI" telltale sign. It's probably been trained on a lot of "I-know-it-all-Karen" posts and as a result we're bombarded with Karen-slop.

by TacticalCoder

2/27/2026 at 11:26:46 PM

It's not just overused phrasing — it's the hallmark of LLM prose.

by Retr0id

2/27/2026 at 11:24:29 PM

“It’s not X, it’s Y” is an absolutely ubiquitous AI pattern. Throw in an em-dash and it’s basically ai;dr

by iamacyborg

2/27/2026 at 11:26:44 PM

Thx!

by upmind

2/27/2026 at 11:35:01 PM

It's also just an utterly meaningless statement. Filler words with no value whatsoever.

by mostlysimilar

2/28/2026 at 12:11:23 AM

"Let's be honest" is another extremely strong tell.

by mh2266

2/27/2026 at 11:25:12 PM

[dead]

by BolsunBacset

2/27/2026 at 11:31:33 PM

Yet again [0] quality standards seem to have slipped on the Cloudflare blog. I'm not able to point at a cause, but it's not painting a pretty picture.

[0]: https://news.ycombinator.com/item?id=46781516

by JadedBlueEyes

2/27/2026 at 11:58:23 PM

It kinda looks like employees need to make a blog post about something twice a month.

by CapsAdmin

2/27/2026 at 11:52:37 PM

I remember back I think around 2011, CF was new and I was testing it on some vBulletin forum, all the email communication was with the cofounder if I recall correctly, the UI had only the DNS settings back then. Now they make a whole article on some text redesign, time flies.

by tamimio

2/27/2026 at 11:50:03 PM

That's why I say most AI content isn't just slop—it's fundamentally about deception. It's about tricking someone into believing that a text was written by a human, or that a photo or video is a true recording of a real event.

Like this, its purpose is to fly under the radar unless your figurative ears are pricked up and primed to detect the telltale signs. Fuck this shit.

by andrepd

2/28/2026 at 5:02:52 AM

Can’t tell if the “it’s not X — it’s Y” as your first sentence is intentional irony or not lol

by holden_nelson

2/28/2026 at 5:52:06 PM

You're absolutely right!

by andrepd

2/27/2026 at 11:20:30 PM

Am I reading it right, the widget is seen 5B times per day, and they recruited 8 people for testing to make sure their “redesign would work for everyone”…?

by christina97

2/27/2026 at 11:33:50 PM

With a bit of A/B testing they could’ve recruited billions of people sounds like…

by mock-possum

2/27/2026 at 11:39:34 PM

This! The comment I was angrily about to write.

by KolmogorovComp

2/27/2026 at 11:44:21 PM

Why? Genuinely, who cares? Is some demographic group not caught in the 8 going to be offended by basic checkbox screen? Is someone with a niche form of colorblindness going to have difficulty navigating the UI?

by jazzpush2

2/27/2026 at 11:52:55 PM

How can you seriously pretend to do any study with only eight people involved? Especially when your company is worth billions. It just calls for bad press and criticism of amateurism.

by KolmogorovComp

2/27/2026 at 11:54:38 PM

I mean, yes? A very broad spectrum of people need to use the internet, and Cloudflare has inserted themselves in the middle of it.

I don't necessarily find a problem with them, but it's weird how they boasted about massive scale and importance of this, but then only just went with 8 tests.

by madeofpalk

2/27/2026 at 11:51:31 PM

The process described in the article is literally just checking the boxes blindly for what passes for a design process these days. The gurus say interview customers so they have done just that without really understanding why. Given it's AI it's also possible the whole thing is entirely made up and someone just tweaked the design over an afternoon and shipped it.

by kingkongjaffa

2/27/2026 at 10:56:50 PM

As a user of an unsigned Firefox fork, Turnstile has ruined a moderate portion of the Internet for me. The way Cloudflare doesn’t think twice about eroding user freedoms, for the sake of a gate that can be trivially bypassed with solvarr or similar, is deeply disturbing. They are no longer a force for good on the web.

by noplacelikehome

2/27/2026 at 11:01:29 PM

As bad as Cloudflare is there is a reason people use it.

If you try and run a site that has content that LLMs want or expensive calls that require a lot of compute and can exhaust resources if they are overused the attack is relentless. It can be a full time job trying to stop people who are dedicated to scraping the shit out of your site.

Even CF doesn't even really stop it any more. The agent run browsers seem to bypass it with relative ease.

by tempest_

2/27/2026 at 11:14:19 PM

Vast majority of websites today can and should be static, which makes even the aggressive LLM scraping a non-issue.

by neoromantique

2/27/2026 at 11:18:21 PM

One of the things that a lot of LLM scrapers are fetching are git repositories. They could just use git clone to fetch everything at once. But instead, they fetch them commit by commit. That's about as static as you can get, and it is absolutely NOT a non-issue.

by PaulDavisThe1st

2/27/2026 at 11:29:26 PM

No... Basically all git servers have to generate the file contents, diffs etc. on-demand because they don't store static pages for every single possible combination of view parameters. Git repositories also typically don't store full copies of all versions of a file that have ever existed either; they're incremental. You could pre-render everything statically, but that could take up gigabytes or more for any repo of non-trivial size.

by LoganDark

2/27/2026 at 11:40:58 PM

> Git repositories also typically don't store full copies of all versions of a file that have ever existed either; they're incremental

This is wrong. Git does store full copies.

by KolmogorovComp

2/28/2026 at 12:21:37 AM

git stores files as objects, which are stored as full copies, unless those objects are stored in packfiles and are deltified, in which case they're stored as deltas. https://codewords.recurse.com/issues/three/unpacking-git-pac...

by meatmanek

2/28/2026 at 10:37:52 AM

Thank you for the insights.

by KolmogorovComp

2/28/2026 at 3:39:25 PM

... which, in the context that is being discussed, is unusual.

by PaulDavisThe1st

2/27/2026 at 11:38:58 PM

that's a pretty niche issue, but fairly easy to solve.

Prebuild statically the most common commits (last XX) and heavily rate limit deeper ones

by neoromantique

2/28/2026 at 3:40:29 PM

1. that doesn't appear to match the fetching patterns of the scrapers at all

2. 1M independent IPs hitting random commits from across a 25 year history is not, in fact, "easy to solve". It is addressable, but not easy ...

3. why should I have to do anything at all to deal with these scrapers? why is the onus not on them to do the right thing?

by PaulDavisThe1st

3/1/2026 at 8:37:33 PM

I did not imply that it does, I meant to have a budget allocated for 'unauthenticated deep history queries', when it's over it's over and you only handle dynamic fetching for authorized users until cooldown.

Is it pretty? No, but it also is a pretty niche thing overall (git repo storage).

by neoromantique
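
One way to implement the idea from the two comments above (serve the prebuilt recent commits statically, give unauthenticated deep-history requests a shared budget, and fall back to authorized-only until a cooldown ends), as an added example that is not part of the thread or any project's code; the class name, parameters and commit ids are hypothetical. The budget is global rather than per IP, since the thread describes requests spread over about 1M independent addresses.

```python
import time


class DeepHistoryGate:
    """Shared budget for unauthenticated requests to commits outside the prebuilt set."""

    def __init__(self, recent_commits, budget, window_s, cooldown_s, clock=time.monotonic):
        self.recent = set(recent_commits)  # commits already rendered as static pages
        self.budget = budget               # deep queries allowed per window (all clients)
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self.clock = clock                 # injectable so the logic can be tested
        self.window_start = clock()
        self.spent = 0
        self.cooldown_until = 0.0

    def decide(self, commit, authenticated):
        """Return 'static', 'dynamic' or 'deny' for one request."""
        if commit in self.recent:
            return "static"                # no backend work, never budgeted
        if authenticated:
            return "dynamic"               # authorized users bypass the budget
        now = self.clock()
        if now < self.cooldown_until:
            return "deny"                  # budget exhausted, still cooling down
        if now - self.window_start >= self.window_s:
            self.window_start, self.spent = now, 0
        if self.spent >= self.budget:
            # Start the cooldown and begin a fresh window when it ends.
            self.cooldown_until = now + self.cooldown_s
            self.window_start, self.spent = self.cooldown_until, 0
            return "deny"
        self.spent += 1
        return "dynamic"


def replay(gate, requests):
    """Run (commit, authenticated) pairs through the gate and collect decisions."""
    return [gate.decide(commit, auth) for commit, auth in requests]


if __name__ == "__main__":
    # Constructed sample traffic: commit ids are placeholders, not real hashes.
    gate = DeepHistoryGate({"c99", "c100"}, budget=2, window_s=60, cooldown_s=300)
    sample = [("c100", False), ("c1", False), ("c2", False),
              ("c3", False), ("c3", True), ("c99", False)]
    for req, verdict in zip(sample, replay(gate, sample)):
        print(req, "->", verdict)
```

A "deny" would typically map to an HTTP 429 with a Retry-After header set to the remaining cooldown.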

2/28/2026 at 10:49:53 AM

Granted, but there are open source alternatives that don’t have the same obsession with meaningless digital signatures. Turnstile is just a terrible product.

by noplacelikehome

2/28/2026 at 6:25:31 PM

What are the open source options? Turnstile is a replacement for Recaptcha after google moved it from a free product to a paid one.

The main advantage of Turnstile is that it benefits from CF's ubiquity to help judge legitimate vs illegitimate requests.

I would love to know what other options are available in this space aside from Turnstile, Recaptcha and HCaptcha.

by tempest_

3/1/2026 at 1:01:29 AM

Anubis is the new hotness, specifically billing itself as an "AI firewall". If you've had an animé waifu check you're human you've even used it.

by noplacelikehome

2/27/2026 at 11:09:08 PM

I see people saying that a lot, but I use Zen which is a fork of Firefox and I don't think I've ever had an issue with Turnstile, at least not noticeably more than I had on mobile Chrome.

by flexagoon

2/27/2026 at 11:18:26 PM

Zen has been signed for close to a year.

by pchew

2/27/2026 at 11:21:14 PM

Isn't it the opposite? They allow you to still use it when it would almost certainly be better for Cloudflare and the website behind them to just block you.

by tick_tock_tick

2/27/2026 at 11:46:48 PM

How does Cloudflare know you are using the fork? Can you not just set the user agent to match Firefox's (or even Chrome's for that matter)?

by sebzim4500

2/28/2026 at 10:54:43 AM

Quite likely fingerprinting detection, which is remaining firmly enabled.

by noplacelikehome

2/28/2026 at 11:49:48 AM

How does that work technically? Presumably a fork of Firefox is almost indistinguishable from Firefox from Cloudflare's perspective?

by sebzim4500

2/28/2026 at 5:50:05 PM

[dead]

by noplacelikehome

2/27/2026 at 11:47:49 PM

Will this also be accompanied by a global Turnstile outage like all the other Cloudflare services that get touched? If they end up vibeslopping the redesign like they did with this article, it may just happen.

by diath

2/27/2026 at 11:24:58 PM

Their final design looks incredibly visually unbalanced, the icon on the left does not have enough breathing room on the left and right.

by Retr0id

2/28/2026 at 12:24:45 AM

This. I kept scrolling to find the new version, and couldn't believe that's where they landed on.

It doesn't .. look very new?

by bitpush

2/28/2026 at 4:53:55 AM

Honestly the entire "redesign" just feels uninspired and poorly executed.

Another problem I have with it - they state that the red text was such a huge problem, but then their solution is to... Keep only using red? Why not, for example, make certain non-failure notifications yellow or some other color? Surely using other colors should at least be tested as a solution, right? The whole process seems bizarre to me

by connorshinn

2/28/2026 at 5:49:20 PM

"Our Turnstile widget and Challenge Pages are served 7.67 billion times every single day. That's not a typo. Billions. This might just be the most-seen user interface on the Internet."

Or it might not

The majority of the traffic on the internet is from so-called "bots"

If a "bot" hits this "interface" does that count as being "seen"

The web's failing, its inability (unwillingness) to accept non-interactive use (no good for advertising), is Cloudflare's success

A strange thing to celebrate. MITM'ing the majority of the web for "security". Could there be a better way

Another source of amusement is the "You've been blocked" Cloudflare page showing the user's IP address and suggesting contacting the site operator might solve the problem

The truth is that sending an acceptable user-agent header value solves the problem

"You" are not being blocked (Cloudflare does not know who "you" are), your IP address is not being blocked, the _request_ you sent was blocked because of crude heuristics

If a site operator wants a certain header value (why) then it should publish the list of acceptable values

Send another request with an acceptable header value and the request succeeds. It appears "you" are not blocked, same IP address, same living, breathing, thinking person sending the request

by 1vuio0pswjnm7

2/28/2026 at 10:30:31 AM

I'm not one to fire people usually, but this long report shows that there are probably too many persons too well paid with nothing to do at Cloudflare.

Because that is a lot of energy spent to have done advanced research for a UI that is basic (just a checkbox), not particularly great and common before and after Cloudflare...

And a personal rant, I don't understand how they can be proud of themselves when you see the wasted time and energy supported by users to browse the pages that are behind Cloudflare.

Imagine these billions of "click-wait" uselessly done by users every day worldwide

by greatgib

2/28/2026 at 1:34:20 AM

It’s a checkbox with a loader, and some bike shedding.

by jiehong

2/27/2026 at 11:43:53 PM

Remember when we used to care about sub 100ms page loading time and now we have introduced a best case 5 second blocker all over the place.

by jdprgm

2/28/2026 at 8:59:25 AM

Conversation I heard recently:

We needed a new account on $MAJORSITE and we just could not get through the captcha - I know, it's getting insane - In the end, we gave up, and just told $AI to make the account for us.

Something is going seriously wrong on the internet.

by hyperman1

2/27/2026 at 11:18:50 PM

37 em dashes :(

by stevebmark

2/27/2026 at 11:25:27 PM

If this truly was written with AI it's really quite poor. Some of the employees at Cloudflare seem to be negligent tbh based off the fact they've been down so many times recently

by upmind

2/27/2026 at 11:34:26 PM

That’d make a good tongue in cheek band name for AI music

by mock-possum

2/27/2026 at 11:31:13 PM

I like em dashes—and sometimes overuse them—but 37 times is absurd in that amount of text.

by DavidVoid

2/28/2026 at 2:00:29 AM

In a row?

by swills

2/27/2026 at 11:36:34 PM

LLM-ass written content about this widget nobody wants but is necessary due to bots. Fuck off and write the post yourself.

by furyofantares

2/27/2026 at 11:43:23 PM

Cloudflare might be good for site owners, but many times their page makes me click back to search results.

I can't be the only one.

It's slow and annoying, AI overview is good enough for me most of the times so that added time I bet makes websites lose a lot of visits.

by altern8

2/28/2026 at 12:21:34 AM

Infinity captchas left a bad taste in my mouth. I hate AI but hate captchas more.

by hsbauauvhabzb

2/27/2026 at 11:49:40 PM

> We recruited 8 participants across 8 different countries, deliberately seeking diversity in age, digital savviness, and cultural background.

> 5 out of 8 points versus just 3 for "I am human." For the verifying state, it was even more dramatic — 7.5 versus 0.5.

n × p >= 5? (Sample size and margins of errors. Is 5:3 even meaningful or is this rather random personal preference?) Apparent splitting of missing or inconclusive data points? (7.5 vs. 0.5 out of a total of 8 subjects.) What kind of (social) research is this supposed to be?

by masswerk

2/27/2026 at 11:35:57 PM

I really hate the way this article is written, feels so fake

by cyanureworld

2/28/2026 at 1:19:50 PM

I'm very vastly in a minority here, but I can't help but feel uncomfortable that the general internet is converging towards explicitly verifying humanity and addressing everyone as human. I liked it a lot better when everything was agnostic - I'd verify "I'm not a robot", I'd interact with other "users", etc... "On the Internet, nobody knows you're a ribbon dog."

Now, websites ask me to verify "I'm human", networks and services are starting to address their users as specifically "humans", and discourse is almost always about whether something or other is written by a "human" instead of just not slop.

I get that reality is what it is, but it just feels icky.

by LoganDark

2/28/2026 at 12:10:20 AM

[dead]

by fleroviumna