Cloudflare dumps reCAPTCHA as Google intends to charge for its use

Internet web infrastructure company Cloudflare announced plans to drop support for Google’s reCAPTCHA service and move to a new bot detection provider named hCaptcha.

Cloudflare co-founder and CEO Matthew Prince said the move was motivated by Google’s future plans to charge for the use of the reCAPTCHA service, which would have “added millions of dollars in annual costs” for his company, costs that Cloudflare would have undoubtedly had to unload on its customers.

“That is entirely within their right,” Prince said. “Cloudflare, given our volume, no doubt imposed significant costs on the reCAPTCHA service, even for Google.”

“If the value of the image classification training did not exceed those costs, it makes perfect sense for Google to ask for payment for the service they provide,” he added.

Moving to hCaptcha

Going forward, Prince said Cloudflare would begin integrating hCaptcha, a new anti-bot CAPTCHA system provided by California-based company Intuition Machines, Inc., into Cloudflare products.

Intuition Machines usually makes money by renting access to hCaptcha to companies that want to run image classification experiments, and then paying website owners to implement its hCaptcha product.

But Cloudflare said it will be paying the California company rather than getting paid by hCaptcha. Prince said this ensures that Intuition Machines will have the resources to scale its infrastructure to meet Cloudflare’s demands.

Currently, according to W3Techs, Cloudflare is a managed DNS provider for 11.3% of all internet websites, and a reverse-proxy (firewall) provider for 12.4% of all internet sites, handling gigantic amounts of traffic on a daily basis.

Prince says that while paying for the ability to use hCaptcha does generate some additional costs for his company, “those costs were a fraction of what reCAPTCHA would have [incurred].”

Cloudflare: hCaptcha is more private

Furthermore, using hCaptcha also addresses two other issues Cloudflare had to deal with while using reCAPTCHA. The first is that reCAPTCHA is intermittently blocked in China, meaning Cloudflare couldn’t use it with China-based websites and users.

The second issue was Google’s privacy-intrusive data collection policy, which Prince says Cloudflare doesn’t have to worry about now since hCaptcha collects much less data about users who complete its forms.

Until today, Cloudflare has used Google’s reCAPTCHA service as part of its IP Firewall and Gatebot products, where reCAPTCHA would activate when a Cloudflare-protected website came under DDoS or other forms of automated attack, asking users to complete a reCAPTCHA form before accessing the site.

Cloudflare also uses reCAPTCHA as part of its Security Levels feature, allowing site administrators to enable a reCAPTCHA form for all incoming users as a rudimentary form of traffic filtering and rate-limiting, whether or not the website was under attack.

In the past, Cloudflare came under heavy criticism from users of the Tor Browser because of its reCAPTCHA support. For many years, Tor Browser users couldn’t access Cloudflare-protected sites without completing multiple rounds of reCAPTCHA forms. Cloudflare toned down its reCAPTCHA filters for Tor users in September 2018.
