
CloudFlare is ruining the internet for me (2016) - luu
https://www.slashgeek.net/2016/05/17/cloudflare-is-ruining-the-internet-for-me/
======
buro9
> Not to mention their free tier doesn’t cover the complex DDOS attacks that
> you really should be concerned about

This wasn't true in 2016 and isn't true in 2019 either.

Whilst the system was named and blogged about in Sep 2017
[https://blog.cloudflare.com/meet-gatebot-a-bot-that-
allows-u...](https://blog.cloudflare.com/meet-gatebot-a-bot-that-allows-us-to-
sleep/) the internal repo has the first working code drop in Feb 2015.

The (D)DoS protection systems and team, which I am the Engineering Manager
for, treat all attacks equally according to the nature of the attack rather
than the target of the attack.

To address other parts of the blog though, there is nothing in our system that
defaults to "do X for IP/Country y"... what there is, is learned state about
traffic, clients, and the many layers of customer expressed configuration.

~~~
Aeolun
Yeah, that was my first thought when reading this.

It’s not that Cloudflare is ruining the internet for you. It’s the loads of
illegitimate traffic and attacks that just so happen to originate in your
country.

~~~
throwaway_bad
This parallels the conversation going on in the ML world right now.

"They just so happen to look like gorillas!"

This is not okay.

I know it's just a pile of linear algebra and there's no conspiracy to screw a
particular country.

But once it's brought up that your system is causing harm by increasing
inequality in the world, you can't just say "But that's what the algo is
spitting out!".

At least _try_ to fix it.

~~~
Aeolun
> 1+1=2, but I want it to be 3, why are you not attempting to fix it?

How do you fix that which is not broken?

I understand the problem you are trying to point out, but the problem is not
in the technology, it’s in the application.

------
iliketosleep
Companies like CloudFlare are contributing to the erosion of user privacy in
the name of security. I experience the same kind of issues that the author of
the article highlights, just because I take some privacy measures. It's my
view that so-called security on the Internet, which implies confidentiality,
integrity, and availability, is getting increasingly worse for end users. If I
want to give up all of my privacy, the Internet is more convenient to use than
ever. But for the privacy-conscious user, the Internet is becoming less usable
by the day.

~~~
snek
The article is complaining that CloudFlare (as a result of them refusing to
track you) requires people to solve captchas over and over again. How is this
hurting your privacy exactly?

~~~
kevsim
Correct me if I’m wrong but isn’t one of the strongest signals recaptcha uses
to prove “I am not a robot” the fact that you’re currently logged into a
google account, have the associated cookies, etc? This “phoning home” from all
these sites is a clear privacy challenge.

The good news is Safari and Firefox are making this harder and harder. The bad
news is that you’ll be solving a lot more captchas.

~~~
jarfil
I wonder if privacy conscious browsers making their users have to solve more
captchas will lead to more people disabling the privacy features... or there
will be a time when captchas may become micro transaction based, so for a fee
you might be able to skip them. A browser with support for an anonymous
cryptocurrency to make the payments should be private and easy to use enough,
but it might become an interesting world where you need to pay to remain
anonymous.

~~~
therein
Try creating a free email account on ProtonMail. I think they have an
interesting approach very similar to what you're describing.

------
ridgewell
Is the situation improved by using the Privacy Pass add-on [1] from
Cloudflare?

Supposedly:

>Privacy Pass is a Chrome/Firefox browser extension to make browsing
Cloudflare-protected websites a better experience for users. In particular, if
a user IP address is designated to have a poor reputation then the user may
have to solve a Cloudflare CAPTCHA page before they can gain access to such
websites. Privacy Pass uses elliptic curve cryptography to generate
'anonymous' tokens after a single CAPTCHA page is solved. These tokens can be
used in future engagements with Cloudflare websites to prevent having to solve
more CAPTCHAs. The extension generates 30 tokens for each CAPTCHA solution and
thus can be used to reduce CAPTCHA pages for each user by a similar factor.

[1] [https://support.cloudflare.com/hc/en-
us/articles/11500199265...](https://support.cloudflare.com/hc/en-
us/articles/115001992652-Can-I-use-Privacy-Pass-with-Cloudflare-)

~~~
skrebbel
So wait, "we shipped a bug, so we made a browser extension that lets you
circumvent the bug". That's cloudflare's answer? I'm not impressed.

EDIT: people seem to be confused as to what bug cloudflare shipped. The bug is
not having people solve captchas because their IP has a bad reputation. It's
having them solve it _over and over again_.

You can put it however you want it, but if my app's UX is fine without
cloudflare and it's shit with cloudflare, for a small but significant
percentage of my users, then CF has a bug.

~~~
sjwright
Thwarting denial of service attacks isn’t a bug.

You seem to be confused about what your rights are around website
availability. Hint: you have no rights. Absent specific coercion by
government, the owner of the website had all the rights. If she wants to
require you to solve a _Where’s Waldo_ first, that’s her prerogative. Your
choice is to accept the terms or go elsewhere.

~~~
therealmarv
It's discrimination by country/region. It's like saying: oh, you are from
Africa or Asia. The chance is higher you are a criminal, so do this test
first.

~~~
optimiz3
Which is completely legal and encouraged. Here's an example: if you've ever
shipped an ad-monetized free app, you've probably disabled regions like
Russia, Iran, North Korea, etc.

You know why? Because the ad-revenue is worthless (and often malicious) and
the users will be more trouble than they are worth. Same thing is happening
with net traffic from other low value regions. One star reviews because users
from $banned_region are complaining about lag due to their crappy wifi and/or
some other issue you have no control over (defective ram in their 6 year old
2nd hand phone comes to mind)? Sign me up!

~~~
cthaeh
The hate for poor people in this comment is insane.

~~~
sjwright
If insane is a new word for nonexistent

------
markonen
The OP has posted a follow-up, but it’s also from 2016:
[https://www.slashgeek.net/2016/06/07/cloudflare-making-
inter...](https://www.slashgeek.net/2016/06/07/cloudflare-making-internet-
little-bit-faster-select-group-people/)

Two things that have changed since then are 1) Cloudflare’s Privacy Pass
browser extension and 2) their significant network expansion, both of which
would be likely to affect the experience described.

One thing that has not changed, however, is how many (typically
unsophisticated) web site operators actively search their logs for signs of
suspicious / bot activity and then institute manual blocks in the hope of
catching all of them. This is often done with very blunt instruments, such as
whole-country blocks.

In contrast, people who are confident about their infrastructure can deal with
the background noise of the Internet appropriately—by doing nothing.

~~~
judge2020
I think a sizable portion of the small websites that use CF are on so much of
a budget that they use a $10/month VPS for hosting then turn to CF for "ddos
protection" in order to handle any spikes in traffic that would take down
their under-provisioned server. Issue here is that CF's layer 7 flood
protection (that's even on the free plans, you can use the rate limiting
service for smaller-scale floods) doesn't take effect unless you are really
getting hit hard, the cutoff is probably 500 requests per second or more.

When CF fails to protect against the small 30 request per second flood once,
they're probably going to go through and add a bunch of aggressive blocks like
blocking entire countries, as you've said.

------
therealmarv
Experienced the same during my Asia travels with Cloudflare 2016/2017\.
Actually that was the biggest reason/negative ad not to consider Cloudflare
when choosing a CDN. They simply don't respect Asia and other non first class
countries with their standard settings. It's like good Internet only for the
rich people in the world!

I'm aware on the Chrome extension (really, why should I install this sh&+t on
the first place?) and that you can change Cloudflare settings. But the usual
IT admin won't change this settings and f&+ck up Asia.

~~~
RobertRoberts
Asia is the #1 attacker of all websites I work with.

Since 100% of the traffic (based on our analysis) coming from Asia is not
legitimate business traffic, how would you advise those responsible for these
sites security to handle this?

Edit: I have no interest in using Cloudflare...

~~~
johndough
Similar for me. From the 732745 login attempts last month, 52% were from
China, followed by US with 13%. Here is a graph:
[https://i.imgur.com/YPAuTXO.png](https://i.imgur.com/YPAuTXO.png)

The sheer volume of bot traffic surprised me at first, especially since my
website has zero human visitors as far as I can tell, but the numbers are
consistent month after month.

Nevertheless, my $1/month VPS can handle the traffic without a problem, so I
see no need to ban or rate limit any IPs, especially since I hate captchas
with a passion.

~~~
speedplane
> my $1/month VPS can handle the traffic without a problem, so I see no need
> to ban or rate limit any IPs, especially since I hate captchas with a
> passion.

I run a company that routinely scrapes government run, public domain websites.
Sadly, many of these sites come with captchas. We can easily bypass these
captchas by paying roughly $1.50/1000 captchas, but when scraping millions of
pages a month, these costs become significant.

As far as I can tell, adding a captcha to a site does nothing to prevent bots,
it just alters the economics of any business that relies on the data. I
understand that bots can potentially slow down servers and cause disruptions
for human users, but for the handful of government agencies that actually talk
to us, we happily restrict scraping to certain hours of the day or limit
overall traffic to a reasonable level. I would go further and happily give the
money we're spending on solving captchas back to the government so they can
upgrade their servers and make the system better for everyone.

For those that are conducting nefarious activities, captchas likely do
nothing. For individuals, they are annoying. For legitimate scraping
companies, they are a needless expense. Captchas are pretty obsolete.

~~~
therein
> adding a captcha to a site does nothing to prevent bots, it just alters the
> economics of any business that relies on the data

Definitely agreed. Recently I have been working on a side-project that makes
use of bypassing/placating reCaptcha and it has been trivial and not so
costly.

If it is accounts you're creating, it simply puts a "reasonable" price on
account creation. If it is about scraped content, once again, does the same.
However these costs already existed in terms of compute resources and time
anyway. Captchas hardly made it any harder.

------
superasn
Not to mention that it's not just a matter of filling some random words
anymore but more like a "neverending" cycle of identifying buses and traffic
lights which can last 5+ minutes. I must have identified more buses for Google
than I've actually seen irl :(

~~~
sdan
Especially when you hop on a VPN; I kid you not I have to spent literally 20
straight minutes following this bs. It’s infuriating for someone who self-
respects their privacy.

~~~
judge2020
Maybe try a personal VPN on digital ocean? You'd be guaranteed a clean IP that
only you have access to, as it's very likely CF only flags VPN IPs because
some malicious traffic is coming from them. The only issues with this are
sites that block the digital ocean ASN (like Crunchyroll).

~~~
toast0
How many other VPNs are operating out of Digital Ocean?

~~~
judge2020
I know torguard, at least for their wireguard endpoints, operates out of
Digital Ocean.

~~~
toast0
Sorry, i was too vague. There are a bunch of VPNs running in DO. If you don't
want to look like a VPN, it's not a great place to be.

~~~
sdan
Actually, not sure on DO's "relations" with VPNs. I've heard they're pretty
strict on what you do since they're a somewhat small company that focuses on
"droplets"/instances.

Personally I'd reccomend AWS or GCP given the free credits anyways.

------
jruz
Please people do the internet a favor and disable the captcha. Go to Firewall
> Settings > Security Level (captcha) And set it to "Essentially Off"

[https://support.cloudflare.com/hc/en-
us/articles/200170096-H...](https://support.cloudflare.com/hc/en-
us/articles/200170096-How-do-I-turn-off-the-Cloudflare-Captcha-challenge-
page-)

------
song
As someone living in Hong Kong I hate cloudflare. Way too many websites behind
cloudflare block hong kong or cause me to have a captcha. This causes me to
often route my traffic to my own vpn to counter that which is really annoying.

At least I'm lucky enough that my VPN is for some reason still not detected as
a cloud hosting provider by either cloudflare or netflix.

~~~
RobertRoberts
What do you suggest to the people running websites where 90%+ of the hack
attempts come from Hong Kong?

~~~
pavs
Please stop spreading this false narrative:
[https://www.slashgeek.net/2016/06/07/cloudflare-making-
inter...](https://www.slashgeek.net/2016/06/07/cloudflare-making-internet-
little-bit-faster-select-group-people/)

Most network attacks and Spams actually comes from the United States.

~~~
switch007
I think they were suggesting the websites they run, 90%+ of the attacks come
from Hong Kong, i.e. not that 90% of all website attacks come from HK. No way
of knowing unless they publish the logs/stats

~~~
song
I think most likely they are amalgamating Hong Kong and China like some people
do on the thread here. And yes, indeed some Data Centers in China are a big
source of spam and automated attack, but it just doesn't make sense to block
an entire country when you can just block hosting providers.

------
jstanley
> reCAPTCHA prompts happens a lot, I know its only one click away

This actually isn't true when browsing over Tor. It always makes you do 5 or
more rounds of "click the traffic lights", "click the bicycles", etc. I don't
know why. It seems to go far beyond checking that you're not a machine, and I
suspect they're just abusing Tor users to get free machine-learning training.

~~~
kevindong
Per CloudFlare themselves: "Based on data across the CloudFlare network, 94%
of requests that we see across the Tor network are per se malicious."

[https://arstechnica.com/tech-policy/2016/03/new-data-
suggest...](https://arstechnica.com/tech-policy/2016/03/new-data-
suggests-94-percent-of-tor-traffic-is-malicious/)

[https://blog.cloudflare.com/the-trouble-with-
tor/](https://blog.cloudflare.com/the-trouble-with-tor/)

~~~
jstanley
A sensible CAPTCHA would be fine, but reCAPTCHA is borderline malicious
towards Tor users.

------
DarkmSparks
Heh. I just found out last week my hosting provider had put my websites on
cloudflare for me.

They are not my hosting provider anymore.

How did I find out?

Traffic to the sites (all legitimate) fell circa 75% overnight. (non english
sites)

~~~
creato
> Traffic to the sites (all legitimate)

How do you know it was all legitimate?

I don't understand how cloudflare can stay in business if they cause a 75%
drop in legitimate traffic to any website.

~~~
uponcoffee
> I don't understand how cloudflare can stay in business[...]

VC backing and recent IPO have them swimming in cash, but they currently
aren't profitable.

~~~
almost_usual
Out of all the recent S-1s they have one of the strongest aside from Zoom.

------
lstodd
This.

I route all my traffic via mmy own vpn server at Hetzner for privacy and
security reasons and this Cloudflare bullshit is infuriating at times.

Besides I guess 95% sites that use their free tier either don't actually need
it or would be better off without it.

~~~
luckylion
If you're in Europe and it happens on the website of a European company: make
it a GDPR case. If you need to solve a captcha to access the privacy policy,
they are clearly in violation.

~~~
marcus_holmes
Can you explain why this is a violation, please?

~~~
luckylion
Privacy policies need to be immediately accessible to users. Hiding your
privacy info page behind captchas, using unclear names for links ("service
status" as a link to privacy info for example), making users click through
multiple pages to find it etc makes you non-compliant.

Basically: you cannot hide the information, you cannot make users jump through
hoops (captchas, require signup/login, pay for accessing) to read them.

~~~
marcus_holmes
Thanks, that's very useful.

Presumably the fact that it's not the site owner mandating the captcha, but an
intermediary service provider doesn't matter then?

~~~
luckylion
It really shouldn't, because the site owner is the one making the choice to
use CF; CF is acting on their behalf (and the security-settings the site owner
chooses at CF does influence whether and how often captchas are shown to
users, i.e. "I'm under attack" mode). It would be different if the user's ISP
did this.

This is another related issue, too, as CF is a data processor, so the
controller (=site owner) needs to make users aware that their data is being
shared with CloudFlare, as SSL terminates at CF, the content is analyzed and
it's then (optionally re-encrypted) transmitted to the origin.

------
uponcoffee
They have an extension that addresses this:
[https://support.cloudflare.com/hc/en-
us/articles/11500199265...](https://support.cloudflare.com/hc/en-
us/articles/115001992652-Can-I-use-Privacy-Pass-with-Cloudflare-)

------
cortesoft
As someone who works for a CDN (not CloudFlare), this was certainly
interesting to read. It is always good to remember that we owe something to
our customers' end users in addition to our direct customers, the website
owners.

We have to remember that those are real people and not just percentages of
traffic that are affected when we make decisions like putting a captcha up
against every visitor from certain countries. I like to think we were already
doing that, but it is good to be reminded.

However, I am not quite sure I am getting what the author is suggesting when
they say that sites should forgo a CDN. Maybe I am biased, but if you thought
latency was bad when a datacenter near you went down for maintenance, try
having to go all the way to the sites origin in New Jersey for every request.
I am not aware of any way besides a CDN (or a CDN like setup) that would get
you good performance for people in all countries.

So I get the frustration with the captchas, and I get the frustration with the
lack of multiple datacenters near you, but I wonder if you will make things
worse for yourself by advocating to not have a CDN.

~~~
cnst
If you have a proper website without a gazzilion of useless JavaScript
frameworks and custom fonts, there's hardly going to be an unacceptable
experience latency-wise even if you have to go all over the world to fetch
those resources.

~~~
cortesoft
I guess I didn't realize, until another commenter replied, that their traffic
was actually blackholed... I thought it just had really bad latency, which
they were complaining about.

------
Mathnerd314
[2016].

Cloudflare's been working on improvements to the CAPTCHA system for Tor users
([https://www.zdnet.com/article/cloudflare-ends-captcha-
challe...](https://www.zdnet.com/article/cloudflare-ends-captcha-challenges-
for-tor-users/)), maybe some of those have benefited foreign countries as
well. And CloudFlare does do country-level blacklists (which show up as the
CAPTCHA behavior described) so maybe StackExchange had/has an overaggressive
firewall.

------
cnst
I don't know what's so unique about my connection, but I, too, receive these
capchas on a daily basis, on the very same sites.

I'd rather they track me, by IP address and/or cookies, and stop this non-
sense. I accept the cookies and have a static and dedicated IP, but there's
never an end to Cloudflare's captchas.

~~~
sl1ck731
Do you routinely use a VPN or a shared connection like University housing?

~~~
cnst
How do you define a VPN? Noone other than myself has ever used my IP addresses
in X years.

~~~
_bxg1
Honestly I wonder if even an unusual setup like a static IP would register on
one of their heuristics. It could flag as a web server, which would
theoretically be more likely to ping a site rapidly than a personal computer.

~~~
the_pwner224
> Honestly I wonder if even an unusual setup like a static IP

I have internet at home through Comcast, a huge and universally hated ISP in
the USA. I also run a home server (though it only takes incoming connections,
and does not visit websites itself). I purchased a dynamic DNS service that
would update my domain's DNS whenever my home internet's public IP changed.

In over 5 years and through numerous modem reboots, my IP address has not
changed once. A year ago I transferred my domain to another provider; I did
not bother setting up dynamic DNS again and my website still works fine.

I have not purchased a static IP from Comcast. When I initially set up the
server I had read that my home's IP address can change anytime the modem
reboots, or possibly anytime at all, to any IP in Comcast's pool - which is
why I subscribed to dynamic DNS.

So a static IP may not be as unusual of a setup as you say it is.

------
cracker_jacks
What is the alternative solution here? How do you effectively protect access
to websites while simultaneously making sure you never get false positives?

I really don't think going _back_ to not having Cloudflare-like services is a
step forward. Is there another way?

~~~
therealmarv
It's afaik only Cloudflare's way. You don't see that behaviour from Google or
Facebook. They really now how to handle the Internet in the "second" and
"third world". Cloudflare is like: we don't care about you, you are too poor
or a bot. Here is a extension if you are tech-savvy enough to find and install
it.

~~~
lilyball
From my perspective Google is far worse. I don't ever see Cloudflare's
Captchas but I get Google's all the damn time, because I try to avoid Google
properties. They intentionally punish people that aren't regularly using their
products.

------
bArray
Is it possible to have a "Cloudflare-like" service without using Javascript? I
have Javascript turned off by default (no script) and run into the Cloudflare
wall all of the freaking time, so much so, I refuse to use it on my websites.

~~~
oefrha
You can set the security level to “essentially off” and the vast vast majority
of your users shouldn’t have to face the JS browser check. That’s what I do on
all of my sites.

The default is medium, and the sites where you run into checks all the time
are probably on high.

Ref: [https://support.cloudflare.com/hc/en-
us/articles/200170056-W...](https://support.cloudflare.com/hc/en-
us/articles/200170056-What-does-Cloudflare-s-Security-Level-mean-)

~~~
ipsum2
Does anyone know why you can't turn off Cloudflare's security?

~~~
oefrha
IIRC you can only turn it off completely on a business or enterprise plan.
Probably a bandwidth-saving measure, or an upgrade incentive, or both.

------
blunte
There is some presumption that Cloudflare's behavior related to "second class"
regions is based on statistics - percentage of traffic that is of ill-intent.
Maybe that's not the case, but I suspect so.

CF customers probably know that any delays cost viewers/visitors, but losing a
few good visitors is worth preventing a ton of bad visitors. And CF generally
seems very thoughtful about their actions. If they make something unpleasant,
they're likely to have a good reason for doing so.

~~~
cnst
Most properties protected by Cloudflare appear to be webpages that could
easily be cached without any ill effects, for hours to days or weeks.

Why exactly do they need captcha protection?

~~~
dzhiurgis
That’s like asking a gun shop why americans need so many guns

------
chairmanwow
These especially suck in China. It’s especially painful when you are finally
free and clear of the great firewall only to be stopped by a mistuned fraud
filter.

~~~
judge2020
Assuming the website itself isn't blocked by the GFW, many site owners
regularly either set a Cloudflare rule to block or challenge (recaptcha) all
china traffic (or even all non-US traffic for US-only businesses) due to the
amount of spam and malicious requests that come from IPs originating in those
countries. My own sites has shown some attacks from within the US but not
nearly as much as from China before I set up a firewall rule to block China.

------
jitbit
I live in the EU, but use a self-hosted VPN (for privacy reasons) on a German
IP (digitalocean). And I too get the annoying reCaltcha prompts or even bans
“your IP range has been blocked” all the time.

PS. To be fair it’s not just coming from Cloudflare-protected sites.
Webmasters and SaaS-app devs add this to their WAF layers everywhere. :(

~~~
tgsovlerkhgsel
It's probably less about the German IP and more about DigitalOcean.

Most people live in homes, not datacenters, which means that web sites expect
human traffic to come from residential IPs, not datacenter IPs. What comes
from the datacenter IPs is an endless stream of costly abuse, so they get
CAPTCHA'd (if they want to support use cases like yours) or blocked (if they
don't care about those)

------
dzhiurgis
Huh, I never had problems with cloudflare I used something like tor.

But I had TONS of New Zealand websites captcha me without a good reason. They
all used some shitty local providers.

~~~
mkl
Where were you connecting from? From within NZ, unsurprisingly, I've never hit
a CAPTCHA barrier on a NZ site.

------
coding123
I totally get it. For about 2 years I was subject to captchas for visiting
websites of restaurants. No one else felt what I did because I don't have
(never have and will never have) a Facebook account. What that meant for phone
users trying to see the menu of 25% of any restaurant - a Facebook captcha. I
think the only reason it went away is because I complained about it in hn. I
think I got lucky.

------
marcus_holmes
As a CTO of a startup trying to build a product on the web, though, CF is
awesome. It solves a whole bunch of problems for free, and I don't have to
worry about stuff that I would otherwise have to worry about (and I don't have
time to worry about those things on top of all the other things I have to
worry about).

In a few years, when I have a team of engineers and can spare the
resources/expertise, we'll come off CF and do it properly. Until then, CF is a
great service.

Sorry that your experience from SEA is not great, but tbh we're not selling in
SEA, so any traffic from there is just a resource drain on our servers.
Anything to discourage traffic from areas we're not serving is a positive for
us.

Anything to discourage bot traffic is a huge positive. CF won't stop the bots,
but costing them some minor amount of money per visit is still positive.

------
luord
I live in a developing country and I did experience an odd surge in recaptcha
triggering for sites behind cloudflare around the end of 2016, but it really
hasn't happened since.

It's barely anything at all, but my personal website is behind cloudflare and
I've never had any trouble.

------
zxcvbn4038
Networking in Asia seems to be really complicated due to the various political
interests in play. I remember our Cloudflare rep explaining that China had two
or three telcos that refused to exchange traffic directly so you had to send
everything through Japan and back to the telco you wanted in China.

I’ve always wondered how all the expats in Bali accomplish anything. Everybody
says they can work remotely via the internet and run their businesses, but
when I was there the internet would go down for the entire island frequently
and could be down for minutes or hours.

------
duckvader
SSL is terminated on CF and website owners are allowing CF to generate SSL
Cert and _Key_ for them in free plan. It is a wildcard certificate.

CF has the ability to read/alter the information we are sending to (or
receiving from) the actual website. CF also has the ability (I do not mean
they do) to impersonate the original website without the owner’s knowledge,
and with visitor’s trust.

------
libeclipse
In regards to the accidental censorship of content for users behind VPNs and
proxies, on my site I have set the security level to essentially off and
disabled any and all integrity checking of visitors. I haven't tested the
effect on those users but it should allow anyone to retrieve the pages
unmolested.

------
aasasd
The upside is that the ‘second-class’ markets will be served by local
services. And when western markets are completely saturated, western site
owners will be scratching their heads wondering how they get any part of the
‘second-class’ markets.

------
Little_John
Everything is collected. From the Boot. Bomb Utah.

------
patientplatypus
Hmmm...well unfortunately a lot of scammers and thieves on the internet come
out of third world countries. Like, it's crazy, but the economics of scam
artistry make this worth while as a career in certain countries - for example
Romania ([https://abcnews.go.com/International/journey-hackerville-
rom...](https://abcnews.go.com/International/journey-hackerville-romanian-
city-reputation-criminal-hacker-breeding/story?id=60123285)).

So, websites are protecting themselves as best they can while pissing off the
fewest of their customers by putting up more security measures blocked by
country IP.

The real issue is the authoritarian governments that are making it so
countries (like China) are completely fire-walled off from the internet.

Have you heard that Iraq is having massive street protests at the moment? If
not, it might be because the government cut off internet access so a lot of
the stories and media about the protests are not making it onto the social
media sites. That's scary.

------
briandear
How is it Google.com doesn’t require captchas to open the home page? Nor does
apple.com or any number of massive-traffic sites. The idea that captcha is the
best, most effective, or most secure way to protect against DoS is just lazy.

~~~
deftnerd
To open the home page? True... But to view search results? I get captcha
demands from google all the time depending on the search query (sometimes a
query I make looks like something a bot might supply, like searching for a few
IP addresses in a row) or if I'm using a VPN or Tor.

------
unityByFreedom
OP lives in Southeast Asia and suggests website owners choose a different CDN
and fails to propose an alternative. ¯\\_(ツ)_/¯

There are two complaints,

(1) cloudflare requires a captcha for visitors from some regions (like
SouthEast Asia)

(2) cloudflare does not have enough nodes in SouthEast Asia, and OP feels
being rerouted to another node defeats the purpose of a CDN.

Yet, Cloudflare does (1) because they often see attacks from those regions.
I'm not sure blaming Cloudflare for this is the right strategy. Regarding (2),
CDNs do not just benefit users, they benefit the website too. Getting rid of
the CDN is not a solution. Is there a better free CDN for that region? Is
multi-CDN easy to setup?

~~~
cnst
> Getting rid of the CDN is not a solution.

Why not? The whole everyone-needs-Cloudflare is a made up problem, which
depends on many false narratives.

And why do we as website visitors have never heard of Akamai, yet it's hard to
find anyone who's never seen these captchas from Cloudflare and Incapsula?

> Is there a better free CDN for that region?

You can only find free mice in mousetraps.

~~~
unityByFreedom
> Why not? The whole everyone-needs-Cloudflare is a made up problem, which
> depends on many false narratives.

I've never seen anyone say "everyone needs cloudflare" except maybe CF itself.

> why do we as website visitors have never heard of Akamai

Akamai is not free, they have a trial period that is free. It's not in the
same space.

> You can only find free mice in mousetraps.

I don't understand your point. You feel CF is a trap?

~~~
cnst
> I don't understand your point. You feel CF is a trap?

Of course it is. If you aren't paying for service, you're not the customer,
you're the product.

The whole mandatory TLS campaign is part of the lock-in, too.

------
cirno
Not to mention, CloudFlare has become synonymous with hosting and protecting
the worst websites on the internet, with currently only two exceptions made,
seemingly at the CEO's whim.

CloudFlare protects websites dedicated to doxing, stalking and harassing their
victims. And when their victims complain, CloudFlare forwards all their
personal information directly to said website owners while doing nothing about
it. Websites that host content like the Christchurch massacre video and
manifesto. Websites that have bullied people to the point of suicide.

I'm all for the importance of freedom of speech and being able to say
offensive things on the internet, but CloudFlare is protecting sites that
flagrantly violate the law.

~~~
judge2020
The CEO's blog posts make it clear that CF really wants to bee the city water
company that sells access to "dumb pipes": pipes that can route, filter and
transform the stuff that goes through them while not knowing about exactly
what it is that is going through them (at least when some maliciousness
filters haven't triggered); the city water doesn't want to start cutting
people's water off because of what they use the water for. Their stance is
that they don't have the power to remove that content, all they can do is make
the website vulnerable to ddos attacks and whatnot by kicking them off the
service.

While 8chan being kicked off CF did bring them offline (their new anti-DDOS
provider was told to kick 8chan off by the upstream bandwidth provider, and
the domain hasn't worked since to my knowledge) the daily stormer is still
working. CF kicking TDS off their network didn't stop their website from
working.

~~~
cirno
I understand that, and I don't think websites should be deplatformed just for
saying unpopular things.

But when a site clearly crosses into blatant criminality, it's disappointing
when everyone who has the power to rein them in (Google with PageRank,
CloudFlare with protection, the US government with criminal proceedings)
decides to pass the buck on to someone else. It's always someone else's
problem, meanwhile people's lives are being ruined and lost.

These sites would not be as highly profitable without CloudFlare's network, so
I think it's fair that if someone wants to use CloudFlare, they're aware of
what they're supporting when they give CloudFlare their money.

~~~
mendelmaleh
If it's "blatant criminality", sue them in court. Deplatforming is literally
passing the buck to some other platform.

