@johan_andersson Though you're likely correct that it could make some users uncomfortable, bots or artificial users invading my server would make my users more uncomfortable, and hCaptcha is more and more vulnerable to AI vision models.

In this case (and since Mastodon moderation is still horrendous) choosing to carry the big rock or close your instance to registration are the two options you don't want to have to use, but here we are.

@steve I'm a happy customer of Cloudflare. It is true that Turnstile reads client signals and hardened browsers can hit false positives. However, it is not as simple as "CF blocks schools"... AFAIK what breaks on filtered school networks is the filter's own TLS inspection rewriting the connection, so the challenge can't validate. That sits with the school's IT, not Cloudflare.

On privacy, the alternative most sites reach for is reCAPTCHA, which feeds Google, or hCaptcha that is actually built to core and equally calls home to hcaptcha.com.

Turnstile keeps signals at CF with no cross-site profile. "Most educational filters can't pass" is also a big claim that I find hard to believe.

We don't have completely open sign-ups anyway, for good reason. If any legitimate user runs into this roadblock, I'd much rather send them an invite link than argue about extreme privacy stances or let the constant registration spam continue.