
You can't have it both ways.

People use CloudFlare to solve a multitude of problems, some of which include automated attacks by bots, which would make the website unavailable in the first place.

If you're going to use a non-mainstream browser then you're going to compromise in some way. If people are going to defend their website against attackers then there's compromise.

CloudFlare isn't the problem, it's a symptom of other problems left unsolved. Is it a compromise? Yup. What's the alternative? Not using it and thus having constant downtime?

Using a "non-mainstream browser" is not in fact an indicator of malicious or even "annoying" behavior. It's almost certainly not even statistically associated. In fact, if you're going to build a bot that impersonates a browser, the natural choice right now is to impersonate Chrome. And there are frameworks available for puppeting Chrome.

What they seem to be doing is just presenting a CAPTCHA to anything at all unusual. Which is actually kind of strange, given the vast amount of raw data available to them. They should be able to learn real indicators.

I'm actually not even sure Cloudflare is primarily responsible for most of this... exactly. The problem is more likely that Cloudflare gives its users a lot of knobs to twiddle, and most of the users are probably not up to twiddling them correctly. That could be the main source of these problems.

And there are so many possible combinations that it would be hard for Cloudflare to really test them, or even think about how all the knobs might interact.

Taking away knobs would be a good start, but there may be reasons they don't think they can do that. Probably reasons that are more about their customers' perceptions than about their customers' real needs.

Come to think of it, isn't one of those knobs the ability to turn off PrivacyPass? I don't have access to a Cloudflare account at the moment, but I seem to remember that it was.


> Using a "non-mainstream browser" is not in fact an indicator of malicious or even "annoying" behavior. It's almost certainly not even statistically associated. In fact, if you're going to build a bot that impersonates a browser, the natural choice right now is to impersonate Chrome. And there are frameworks available for puppeting Chrome.

It definitely is. And there are even bot detection services that can detect puppeted Chrome installs pretty reliably (I ran into that when I tried to scrape some data about the housing market). Blink, WebKit, and Gecko are the only common browsers and the rest is a long tail. If you pick an uncommon browser (Lynx, Ladybird) you're an outlier in most automated scans but still end up with a smaller total browser market share than even the small bots. Another reason to be suspicious of uncommon clients is that puppeted Chromium builds with special flags to prevent bot detection don't run on a hacked security camera/router/TV box/NAS/IoT box.

If you're being extorted by someone who paid $50 to DDoS your business for a month, you're going to turn up the DDoS protection knobs. The annoying tracking, cyberstalking and CAPTCHA services are mere symptoms of the underlying problem.

I wouldn't want to use an internet where Cloudflare doesn't give you knobs to turn. You'll end up with websites either not being protected from DDoS attacks or several layers of CAPTCHAs for everyone. Sometimes you need to turn up the protections when the defaults don't work well enough but the defaults shouldn't be high enough to cover those scenarios.


> It definitely is.

Is it an independent indicator, or is it statistically correlated?

> And there are even bot detection services that can detect puppeted Chrome installs pretty reliably (I ran into that when I tried to scrape some data about the housing market).

Interesting. The arms race continues...

> Blink, WebKit, and Gecko are the only common browsers and the rest is a long tail. If you pick an uncommon browser (Lynx, Ladybird) you're an outlier in most automated scans but still end up with a smaller total browser market share than even the small bots

The post I was responding to was calling Firefox an "uncommon browser".

> If you're being extorted by someone who paid $50 to DDoS your business for a month, you're going to turn up the DDoS protection knobs. The annoying tracking, cyberstalking and CAPTCHA services are mere symptoms of the underlying problem.

Wouldn't most Cloudflare users prefer that Cloudflare notice that attack, adjust the settings by itself, and send them an email saying "You appear to be under attack; we've enabled X, and lowered the thresholds for Y and Z"? And then notice when the attack seemed to be slowing down, and put things back the way they were?

I'm normally not a fan of machines acting like they know better than I do... but the machines probably do know better than Cloudflare's average customer.

At the very least, they could probably find ways to discourage people from messing with knobs they don't understand, and more ways to make the specific costs obvious, even if those knobs ultimately stayed available.


It's not a matter of "why", it's a matter of "how". Cloudflare could have done way less intrusive and nerve-wracking DDoS protection. But no, they had to make people suffer.

Also, I'm using Falkon browser every day - ever heard of that? I have to switch user agent to be allowed in some places which is ridiculous.


Can you think of a feasible alternative?


Why not just "enter grainy distorted 123 + 456"? No JS, no tracking. It takes literally milliseconds to generate and present. I've seen this work on large scale. Why is it mandatory to run tons of JS anyway?

It may be profitable to use CAPTCHA for AI training, but that's not only annoying, it's also unethical because one (like me) may be unwilling to engage in such activity. Also, CAPTCHAs involving houses, number plates or bikes are absolutely invading someone's privacy.

Owners of websites (e.g. shops) themselves have more options to show captchas only in critical moments: when performing heavy searches, registering, checking out, posting. Again, it doesn't have to be intrusive or disruptive. But I understand this way takes a more professional approach and probably requires programming, which is not what _every_ store owner can probably afford.


> Why not just "enter grainy distorted 123 + 456"? No JS, no tracking. It takes literally milliseconds to generate and present. I've seen this work on large scale. Why is it mandatory to run tons of JS anyway?

Probably because it takes fractions of a cent to solve those grainy distorted captchas?

Whereas it's not so trivial to get an extra IP address, extra computer, etc.

I can't think of any alternative that would still be as onerous a bar to spammers and bots but also be less restrictive for genuine users. Other than linking real IDs, which has its own can of worms.


I have to emphasize here that I don't mean to throw away DDNS/multi-gateway protection, just criticizing the user interaction.


> Using a "non-mainstream browser" is not in fact an indicator of malicious or even "annoying" behavior. It's almost certainly not even statistically associated. In fact, if you're going to build a bot that impersonates a browser, the natural choice right now is to impersonate Chrome

This is a good point.

Bots are going to try to make their traffic look as legit as possible, which means spoofing the most common browsers with the most common setups.

So if a User-Agent is reporting that it's running Firefox, it's actually more likely that it's legit traffic, as bots wouldn't try to pretend to be an uncommon setup.


It isn't a good point though. The problem isn't that a user might be malicious because they are or are not running Chrome, the problem is that you chose Firefox and that comes with compromises, just like picking Chrome comes with compromises.

The "non-mainstream browser" comment is about zigging when the overwhelming majority of people zag. It's a self-inflicted problem.

Don't like it? Pick a different set of compromises, whether that's using Privacy Pass or a Chromium-derivative browser. God forbid people work on the problem itself rather than just complain that they don't like compromising.

You can't demand "taking away knobs" with taking away control of the end user on CloudFlare whilst simultaneously lamenting that using Firefox (browser choice is a "knob") yields compromises. It's hypocritical.

Why shouldn't people be free to deny Tor users access to their server? Why shouldn't people be free to self-inflict their set of compromises on themselves with their choice of browser? Why shouldn't people be free to mitigate bruteforce attacks? It may not align with your views or beliefs, but that service provider is free to do as they please within the extent of the law. Doesn't make it ethical, but your access to the service depends on x.

Life is compromise.


If Cloudflare has decided that Firefox is a "non-mainstream browser" and is applying a penalty to its users, then Cloudflare is the problem.


The end user chose to use Firefox. The service provider is free to do as they please, it's their infrastructure and your access to it is at their discretion.

Don't like it? Use Privacy Pass or pick another set of compromises.

With that said, when I was still willing to subject myself to Mozilla in any form, I never found CloudFlare to be a problem, and I've used it since it launched. If people use Firefox, they're probably a privacy wonk LARPing an imagined threat model, and are using a shitty cheap VPN used by countless attackers; it's unlikely to be the browser itself unless they're doing something weird with extensions.


> Don't like it? Use Privacy Pass or pick another set of compromises

Nah. I'll just not use the website. They obviously don't want me there anyway.


I've done this, with CAPTCHA screens and advertiser-induced cookie stalking. The worst offenders end up in PiHole.

I'm sure nobody cares about my blocks, but we've got to start somewhere if we want websites to change their behaviour.


And yet only the other day you posted a link to a site behind CloudFlare: https://news.ycombinator.com/item?id=35643933

I'm confident you use CloudFlare every day, many times per day.


I'm sure I do. What I meant was that when I hit a snag with a captcha, I'll just move on. I'm not going to wrestle with it. I can take a hint.


this is the way


> If people use Firefox, they're probably a privacy wonk LARPing an imagined threat model, and are using a shitty cheap VPN used by countless attackers

What kind of nonsense is this? Firefox is a mainstream browser used by millions of people every day. Maybe you're confusing it with Tor?

