> Second, we find that a few privacy-focused users often ask their browsers to go beyond standard practices to preserve their anonymity. This includes changing their user-agent
> those users can immediately understand the issue and make a conscientious choice about whether they want to allow their browser to pass a challenge.
So they will block privacy-focused users. I guess VPNs will be blocked too. It seems they have just removed the captcha part of their system and are spinning it as a good thing to block certain users.
> and make a conscientious choice about whether they want to allow their browser to pass a challenge.
I don't know how to vocalize this exactly, but this wording really gets under my skin. It shifts the entire responsibility of being blocked over to the user; it's not Cloudflare blocking privacy configs from browsers, it's not Cloudflare circumventing the notion that user agents have agency to present how they want, it's not Cloudflare blocking people from changing their user-agents: no, it's the user who just decided that they don't want their browser to pass the challenge.
It also trivializes the impact, there's something about this phrasing that's like: "oh, it's no big deal, some users have just decided they don't want to allow their browser to pass a challenge."
I am not the person who decides whether or not my browser passes a check that Cloudflare invented. Phrasing it this way has some real, "everyone has a choice whether to give me their wallet, but people also have the freedom to decide whether or not they're going to allow me to let them go without shooting them" vibes.
Bullcrap.
And this is a huge deviation away from the idea of purely clientside checks like Privacy Pass (not that those methods are perfect, but they were at least headed somewhat in the right direction). Cloudflare is basically admitting that they are going to focus on verifying hardware and restricting software configurations, and they want to phrase it like a good thing. It's soft DRM because they can't go all-in on hardware attestation yet, Cloudflare is openly saying, "we're going to restrict hardware categories and software from accessing the Open Internet."
Oh sorry, I should rephrase that. They're going to give users the power to decide whether or not they want their devices they own to be allowed by Cloudflare to access the Open web.
Whenever one of those Turnstile checkboxes show up I'm unable to get past it. It's been that way on most of my computers for over a year. I check it and it just reloads with a blank checkbox again. It's an eternal loop of death.
My Firefox installations are not even Arkenfoxed. I just use a couple of privacy-oriented add-ons and a few about:config tweaks.
> Cloudflare verifications are destroying the web.
This line of thinking assumes that without captchas, things that were captcha-walled would remain but be unprotected. I think the actual counter-factual is that those things would either require a nominal payment or some other harder-to-spoof-at-scale action first.
I run a service that provides arbitrary compute (Jupyter notebooks) on demand. Without a captcha, there was a period where it would have been overwhelmed by crypto miners to the point that it wouldn’t be available to anyone else.
You don't even need Firefox or anything privacy-oriented. These checkboxes were forever hit-or-miss for me on a Chrome with the default settings (!). My ISP is using IPoE tunneling, which has a side effect of a shared IPv4 address among a bunch of households, and surprise-surprise, no one in Cloudflare is aware that countries beyond the US exist.
At this point I'd honestly take CAPTCHA over this bullshit.
> Cloudflare verifications are destroying the web.
Seconded.
At least for me, on Tor.
A lot of sites are behind Cloudflare.
The other killer problem, of course, is cookie-consent banners, and the considerable proportion of sites which have taken to emitting full-page modal dialogs the instant you view the site, or after you scroll down, or when you move the pointer upwards to pick another tab.
The amount of stuff you have to wade through to get to or use a site has reached the point where casual browsing isn't viable, not with Tor, not for me.
However, on my phone I cannot get past it. It's just an endless loop. The phone is an older model for the Indian market and the Firefox lags behind. So what, it's perfectly usable on 90% of the sites I want to visit. (Which excludes everything full of ads) I hate today's wasteful computing à la Android.
Edit: The article says there would be a report problem form. I have never seen that.
I am curious to see how this works in practice. When I went to their Turnstile sign-up page [0], that is itself protected, I had no problems passing the test despite a slew of privacy-focused features enabled in my browser.
The captcha on this page takes a few seconds then says "Failure", with no message, then restarts itself, when using Tor Browser on the Safer mode.
edit: Was able to get a mix of a few successes and a few failures upon multiple browser restarts. Maybe I was lucky to avoid a discriminated exit node? I'm not sure if IP address is a factor here.
Interestingly, although my Firefox ESR passed the test, that page immediately made my laptop's fan spin up (normally it only does that on media-heavy pages) - possibly the "proof of work" test they mention in the article?
Trying to get past their captchas was futile anyway, so just being blocked without a false sense of hope is an improvement. I learned to make no attempt on them and to just close the tab immediately.
I wish they also included the report link on the failed attempts, so I can let them know when Turnstile stops me from seeing websites on my mobile about every other week. I know other people are annoyed by captchas for good reasons, but this system also sucks unfortunately.
Just a rant / modern web sucks / CloudFlare effective monopoly sucks. There are other providers - please give them a go to diversify the web a bit.
Yup. I run into this a lot with Firefox and it's super frustrating when some website's homepage just gives you a cloudflare error and a message that says "bummer bro, you're not allowed to see this. Here's a Ray ID that won't actually help you fix the issue"
I've let airlines and other companies know that Cloudflare isn't letting me buy their products but unsurprisingly they don't care (or tell me to clear my cookies)
I'd be interested in other DDoS mitigation providers for any site in the sub-$100/month price category. The only other ones I know are Amazon and Microsoft, and those tie you to their clouds.
https://www.x4b.net/protection/prices is on the cheap side, but I've not used them yet. Amazon you can use without hosting in their cloud by proxying all the CloudFront traffic to your external host. It may not be the best option long term, but with low traffic it should work fine.
OVH and Hetzner provide their own solutions. Opinions are mixed there, but they both have big pipes at their disposal.
Hopefully this is an all-around improvement over the last year, and I'll see how it goes, but I've gotten a little concerned about all the blind dependence that a lot of sites now have on Cloudflare.
For one reason, I recently spent months with Cloudflare blocking my Firefox ESR from many sites, including 2 key paid ones for work.
When both companies showed zero interest in trying to figure out why Cloudflare was doing that, even if they lost a customer, I had the thought that this is probably what it's going to be like with a lot more things.
We all know some of the key huge companies that do the math about how many users they're willing to lose/screw, to gain some other advantage or to reduce some cost.
But Cloudflare might be one way that small companies will have no choice but to lose/screw users in an uncaring way, like they were those uncaring huge companies. That might hurt the companies eventually, but it will tend to hurt many users first.
Fingers crossed that at least Cloudflare is rising to the challenge to not become a resented Kafkaesque institution.
The normal response from privacy advocates to this bullcrap is to just complain about it and tell Cloudflare that they should do better. More and more I feel like we need to take a page from pirates and attackers and treat Cloudflare systems like Turnstile like what they are: malware that circumvents device control. And we should encourage people to break the systems and to come up with ways to fool the systems, we should encourage pooling information about clients in a way that makes it easier to lie to these checks and give them the responses to APIs that they expect to get.
We need to stop treating this like it's a civil conversation and put more energy into decompiling and breaking Captchas and other attestation methods, and normalize the idea that breaking these systems is good and should be accessible to normal people.
Because increasingly, breaking the systems is going to be the only way to run really privacy-focused software. It's like adblocking, you don't make progress by negotiating with advertisers, you block ads. We have no negotiating power with Cloudflare and no way to force companies to care about user privacy or freedom unless we have ways to circumvent these systems.
----
I'm tired of trying to enter into a relationship with Cloudflare where they break everything and we send them a bunch of bug reports begging to be let back in. Nah, we need to start decompiling their crap and circumventing it.
CAPTCHA is a pain in the ass. In a project I am working on, I have two forms I needed to protect - sign up and sign in. The sign-up form does not do anything besides storing credentials in cache and waiting for the confirmation email link to be used. The sign-in form uses various authentication methods but, resource-wise, it will load a user object and compare data at most. I decided to not use any captcha and let rate limiting do the heavy lifting if I get caught in some bot's eye. There really is no need for captcha because you can rate limit any page or form, and once a bot passes the threshold, nothing can happen since it is not a real user. All this captcha usage is a remnant from a decade ago when all was new on the internet. But today, it's an entirely archaic concept and serves only to mine personal data, just like all those "free" CDNs and fonts and whatnot that bigtech uses to literally map the entire internet.
A few years ago I had a newsletter subscription form where one day some bot started subscribing with real email addresses. These real users started marking the confirmation email as spam, which in turn affected domain reputation. I don't remember anymore if it used proxies with different IPs or not, but I added CAPTCHA to fix this ... CAPTCHA for newsletter subscription...
Rate limits are not going to help if you get targeted by somebody halfway serious. They’ll have plenty of nice residential IP addresses to bypass your rate limiting with.
If I allow one sign up/in request per IP per second, I have no fear of bots. I could implement an additional "rate limit" per IP per request if I needed to, and ban IPs manually if they exceed it. It's very easy to do. Humans don't send more than one request per handler per second anyway.
That sucks, but it's also just a business decision. If 97% (I made that up, but I wouldn't be surprised if it was that high) of purchases through Tor are fraudulent, then it makes a lot of sense to just not allow it. Take your money elsewhere.
There was a report posted on HN months ago showing the proportion of fraudulent vs legitimate activities on Tor vs non-Tor across a pool of websites. Tor users were (slightly, IIRC) more likely to be malicious, but they represented a drop in the bucket against all malicious users. Maybe some sites that do block Tor might be seeing different proportions, I'd wager most of them do it because Tor == bad for most people.
How well does this work in practice? Does it block users who have relatively mundane settings like Firefox with "resist fingerprinting" on, or only extreme edge cases like someone's hand-compiled version of some obscure browser on HURD for Itanium with an extension that blocks all third party cookies and half of the JavaScript APIs in the browser?
I had issues using Apple private relay and an ad blocker on my iPhone, so this is probably the usual bullshit “we’re for the users!” then in reality it blocks anyone who doesn’t want to get fingerprinted. I’m not a fan.
Cloudflare verifications are destroying the web.
[0] https://dash.cloudflare.com/sign-up?to=/:account/turnstile
Hopefully blocking Tor users will mostly be a thing of the past... :)
https://news.ycombinator.com/newsguidelines.html
The "Just a moment" security check does not complete - sits there, with the busy icon, "Verifying".
Using Tor Browser, which will be why.
This is normal behaviour for Cloudflare sites.
Making a new circuit sooner or later gets past the check, usually after between two and five retries.
Curiously, I can never view Shopify sites. They always and fully block Tor.
I'll add the source when I find it.