Hacker News new | past | comments | ask | show | jobs | submit login

This has been prioritized since long before Matt emailed me. It was specifically flagged during our diligence process of S2 Systems, the company we acquired for the Remote Browser Isolation (RBI) technology. It has been an engineering project that I have personally followed since we acquired S2 nearly two year ago.

Unfortunately, this has proved a non-trivial problem to solve, in spite of significant engineering resources dedicated to it, and we don't yet have an acceptable solution. But I'm confident we're on the right track.

The challenge is that the process of rendering content inert to local security threats also makes it also not compatible with current screen reader technology. Matt has helpfully suggested some ideas which are in-line with what we have been working on, but the diversity of the web makes the solution very complex in practice. While I appreciate his suggestion in this thread that if we would just hire him this could be fixed in a few months, I think he would acknowledge upon reflection that is flippant.

How the web is rendered and the diversity of web pages, especially dynamically updated pages, makes many solutions that seem obvious not tenable. We need to validate the solution we deliver will work across all the complexities of the web and across a broad range of accessibility devices while, at the same time, not introducing new threats. We already have a great team doing this work. RBI is still a new product for us, and it's only been recently that we've gotten the core technology to work to a level that's acceptable, but I'm confident with the work we're doing we will be the first RBI technology in the market with broad accessibility support.

In the meantime, we provide our customers a way to bypass the RBI technology to accommodate their visually impaired employees. In these cases, we recommend that additional safeguards be put in place for these employees' machines to guard against potential security compromise. This isn't a perfect solution, but it does help significantly reduce the surface area of attack while allowing visually impaired employees to do their jobs.

I hope that others in the space with similar technologies — including Mighty, Menlo Security, zScaler, and others — will also dedicate the resources needed to make their products as accessible as possible. Matt is right to call on the industry to prioritize the needs of visually impaired users. As we solve these challenging problems ourselves, we will share what we've learned, how we overcame challenges, and we will not do anything to restrict the intellectual property behind the solutions so the entire industry can benefit.

As for the rest of the discussion in this thread, I agree that Cloudflare is fundamentally in the trust business. It takes 5 minutes to sign up for Cloudflare, but only seconds to leave. We need to earn the trust of our customers, as well as Internet users in general, on a daily basis or we won't have a business. Appreciate everyone holding us accountable to that.

Thank you for your response, on the weekend no less. However:

> if we would just hire him this could be fixed in a few months

That's not quite what I said. Here's what I actually wrote:


> For the specific project of making this remote browser accessible, my wild guess is that if Cloudflare were to hire me to work on the project (no, not available at the moment), it could easily take a few months, but probably not more than a year. They could probably cut down that time if they hired away someone from the Chrome or Edge team who's actually an expert on Chromium accessibility specifically; I admit my main expertise is in Windows accessibility.

And of course it's possible that even what I wrote there is too optimistic.

I'm sorry I was unclear. What I meant was that I could see the project easily taking at least a few months, and maybe up to a year, but likely not more than a year.

Also, the intent of that comment was to give my answer to a question about how big a project this would be, not to suggest that Cloudflare should "just" hire me. I even suggested that I wouldn't necessarily be the best person for the job.

My other reply, posted under your other copy of your response: https://news.ycombinator.com/edit?id=28032491

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact