Hacker News new | comments | ask | show | jobs | submit login
Page Views on Black Friday and Cyber Monday (cloudflare.com)
89 points by jgrahamc 36 days ago | hide | past | web | favorite | 34 comments



> Despite all of that mobile browsing activity, desktop devices are more commonly used for checkout actions. People seem to browse more on mobile, committing to buy more often with desktop...

Could this be because people are also doing comparison shopping for deals, and that using tabbed browser interfaces is easier and more convenient on the desktop than on mobile with smaller screens?

Regardless of the reason, using standalone browsers (as opposed to apps), especially on desktops, gives users more (this is relative) freedom and control to avoid being tracked and also block ads and annoyances, resulting in a much better user experience. That's something I'd always encourage.

P.S.: Off topic, but in the back of my mind I worry about Cloudflare becoming the new Google, at least as it pertains to collecting information on the sites that it sits in front of and profiling and monetizing that. Also given that many sites may use the free SSL solution from Cloudflare, the traffic from Cloudflare to the site would be visible to it. I wish Cloudflare would provide cheaper paid plans in multiple tiers so that there's more to it than just free vs. (a relatively steep) $20 a month.


> Could this be because people are also doing comparison shopping for deals, and that using tabbed browser interfaces is easier and more convenient on the desktop than on mobile with smaller screens?

I don't know about everyone else, but I make a conscious effort to "check out" on a pc instead of the phone because it's much easier to fill out the litany of forms.


> P.S.: Off topic, but in the back of my mind I worry about Cloudflare becoming the new Google, at least as it pertains to collecting information on the sites that it sits in front of and profiling and monetizing that. Also given that many sites may use the free SSL solution from Cloudflare, the traffic from Cloudflare to the site would be visible to it. I wish Cloudflare would provide cheaper paid plans in multiple tiers so that there's more to it than just free vs. (a relatively steep) $20 a month.

I was just thinking about this when I read the headline. I also wish they would provide some less pricier plans. We used to use them for private servers, lots of skids like to "DDoS" (they pay for a service to do it for them) when you don't make them admins or you ban them for scamming other users, etc.


Is $20 really that steep for that? I'd say it's amazingly cheap for what you get.


Yes, but do I need all that or could I live with a small subset of it for cheaper?


Re: Cloudflare plans, their paid plans also see the traffic; at most you can get a dedicated cert, or even hide the cert from them, but the traffic is always visible, since their CDN system pretty much relies on that.


I think the parent comment is referring to the "Flexible SSL" option where Cloudflare does HTTPS on the frontend but HTTP over the internet to the origin. Customers like it since they get the "green lock" in one click and no one can tell it's actually insecure. You could speculate Cloudflare are only analyzing this outbound unencrypted traffic, but they are of course seeing everything as you rightly pointed out.


Okay, but you don't need to pay to get Full SSL.


>Black Friday is spreading internationally despite these still being normal working days for the rest of the world. //

My feeling, in the UK, is that it's not stuck. Peak seemed to be 2 years ago, last year was big but more organised to avoid the violence (!) of the previous year. This year ... some kids in my city had the day off school, other than that it seemed calm, some companies definitely avoiding it, perhaps it's moved primarily online?

A UK consumer rights company "Which?" published price comparison info showing most items are cheaper at other times of the year. I think this realisation may in part be why the super-hype is not working.


Yeah honestly I completely forgot about it till I went to buy something from Amazon and saw their banners everywhere (UK). Got a decent enough discount on the item I wanted but not going to remember it next year either.


It is deeply concerning that regular employees at cloudflare have access to analyze the content of user traffic like this.


Much of this would be semi-public anyway, they could be analysing HTTPS traffic to find most if not all of these conclusions.

Most of it seems to be domain and user-agent based. I'd suspect you could even guess the device type based on IP with reasonable accuracy. It wouldn't be entirely correct, but with the kind of scale Cloudflare deal with it doesn't have to be to be useful.

The domain (which is public) gives you the info about whether users are browsing or checking out (if a browser hits api.stripe.com, worldpay, PayPal, some checkout API domain for Amazon, etc, then you can infer).


The particular part that is concerning:

If you imagine a typical ecommerce application makes a purchase with a HTTP request like “POST /store/checkout HTTP/1.1” we can look for requests similar to this to understand the activity.


Yep that is more concerning. They might be using unencrypted HTTP to get an idea of the breakdown and then inferring volumes based on HTTPS traffic and known differences between the two.

I basically wouldn't jump to "Cloudflare have a bunch of sensitive data and will use it in bad ways", I suspect they have less data than we might assume from the article, and in general their security/privacy stance is great.


> Much of this would be semi-public anyway, they could be analysing HTTPS traffic to find most if not all of these conclusions.

I'm not sure I understand this sentence. What about analyzing HTTPS traffic is analogous to analyzing "semi-public" data? By design and convention, HTTPS traffic is considered private data. Portions are by technical necessity still public, such as the hostname and IP addresses. In order to produce these findings, private data (which is certainly not public or semi-public) such as full URLs and user-agents needed to be analyzed.


How do you guess the device type based on IP?

Do we have any sense how often a mobile device is on wifi? For my brother it's 0%. For me it's 90%.


I'd guess based on the owner of the IP range. Mobile carriers are an easy case, business ISPs will likely have far fewer mobile devices, residential ISPs will be a mix. I'm sure if anyone has an idea of the breakdowns and averages it would be Cloudfront.


Predictable HN jumping-to-conclusions paranoia. You have no clue who the employee is, you have no idea what exact data they have access to and whether it is anonymized, or what's in the CF terms of service etc.


It’s self evident they have full access to the network requests as they are a MITM, and from the article you can see they are in fact logging at least the URLs being accessed, the IPs, and User-Agent for trillions of requests.

And they are cavalier enough with the data to use it for writing a random “Black Friday Analytics” blog post that is only tangentially related to their core value proposition.


cloudfare also does ssl termination, so it will have access to the traffic between their edge servers and the origin ones.


Yes, as soon as you use the "orange cloud" they have access to traffic, which lets them insert their value-added services for content delivery - and apparently also store and analyze the content of your traffic.


What makes you think regular employees have this access?


The fact that they can analyze this data for a blog post on Black Friday as opposed to limiting its use to security, network improvements, etc.


perhaps an employee was given access to analyse how their network performed across that week, and afterwards was asked by marketing to make a blog post. you're jumping to a lot of conclusions. FUD.


I thought so too - though I note that the request included 'HTTP/1.1', which I presume means this is solely non-encrypted traffic? Can anyone clarify?


I would hope that requests to "POST /store/checkout" are encrypted. Cloudflare is a MITM so they can of course see this (and the associated personal / payment data...) regardless of encryption.


That is my first thought. It makes you wonder who they think they are. I am sure this is all covered pretty well in the TOS, but that doesn't mean it is alright.

If this is the stuff they make public about what they can do with all their data, you can only imagine the type of thing that they wouldn't share with the public.


>We can see here that Black Friday has an almost 200% increase in checkout interactions compared to the previous Friday.

Anecdotally I hear a lot of people say they are "waiting for Black Friday".

Is it best to compare to the previous Friday here, or to average Fridays? some other number?


A lot of other stuff might be analyzable from those "POST /store/checkout" requests, too, so please keep sharing with the world. Thanks! You're awesome!


I would love to see this data for Singles' Day (the Chinese holiday). Alibaba's claims are staggering.


Singles day is also migrating around the world now.

There are some numbers from Alibaba that I've seen in Apache Flink presentations, though I can't remember which ones off the top of my head


These plots seem to be very deceiving. Obviously if you aren't one of the big players like Walmart or Amazon, it may not look as dramatic as it really was. I'm assuming cloudflare is not a cache for those two?


I suspect google could do the same with "Anonymize Data" from FREE Google analytics platform.


Why is the content only taking up a middle third of the available space on a 20" monitor making the text on the graphs almost unreadable? Not even an option to zoom/click on the graphs.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: