Readit News
jrochkind1 commented on The web does not need gatekeepers: Cloudflare’s new “signed agents” pitch   positiveblue.substack.com... · Posted by u/positiveblue
bobbiechen · 2 days ago
Cloudflare is implementing the (still-emerging) Web Bot Auth standard. We're working on the same at Stytch for https://IsAgent.dev .

The discourse around this is a little wild and I'm glad you said this. The allowlist is a Cloudflare feature and their customers are free to use it. The core functionality involving HTTP Message Signatures is decentralized and open, so anyone can adopt it and benefit.

jrochkind1 · 2 days ago
THANK YOU. The discourse on this is wild, people seem to be ranting against the Web Bot Auth standard without understanding what it is because of their (honestly quite legitimate) fears about Cloudflare's gatekeeping near-monopoly.

If there's a way that the Web Bot Auth standard might make their near-monopoly more harmful, we can talk about it, but let's focus on that -- the Web Bot Auth standard itself is solving a problem that we in fact need solving, and seems to be designed properly for the use case. From my point of view as a site operator, it will actually help me allow in bot agents I want to allow in, that currently I'm being forced to block by trying to block all bot actors because of their expense to my site, without exception. I want to be able to make exceptions!

The giant wave of ridiculous distributed bot traffic of the past 1-2 years is very very real.

jrochkind1 commented on The web does not need gatekeepers: Cloudflare’s new “signed agents” pitch   positiveblue.substack.com... · Posted by u/positiveblue
dlcarrier · 2 days ago
I use uncommon web browsers that don't leak a lot of information. To Cloudflare, I am indistinguishable from a bot.

Privacy cannot exist in an environment where the host gets to decide who accesses the web page. I'm okay with rate limiting or otherwise blocking activity that creates too much of a load, but trying to prevent automated access is impossible without preventing access from real people.

jrochkind1 · 2 days ago
Do you currently get blocked a lot by Cloudflare/turnstile then? Sorry, I think you implied that, just want to be clear.
jrochkind1 commented on The web does not need gatekeepers: Cloudflare’s new “signed agents” pitch   positiveblue.substack.com... · Posted by u/positiveblue
jrochkind1 · 2 days ago
> The same is true online. A cryptographic signature that claims “I am acting on behalf of X” means nothing unless it is tied to something real, like a verifiable infrastructure or a range of IPs. Without that, I can simply hand the passport to another agent, and they can act as if they were me. The passport becomes nothing more than a token anyone can pass around.

Well, that's true of any cryptographic key?

In this case, it would mean you are giving them permission to act on your behalf. Nothing wrong with that.

If some of the people acting on your behalf start acting maliciously, then presumably those who decided to trust the people who were acting on your behalf would stop doing so.

Is this not common to how most any digital authentication works at all? You can always share your keys. That's a feature not a bug, when the actor you want to identify is meant to have a distributed implementation.

I understand the concern about how much power CloudFlare has, how they have the ability to gatekeep a large part of the internet. Absolutely, this is alarming.

But the Web Bot Auth protocol itself is not the problem -- it seems to me to be written and designed appropriately for authentication of automated web agents.

And I think we desperately need something for that. I, like many people, am being forced to put bot precautions in place, because otherwise my sites are overwhelmed. But this means I wind up blocking bots that I don't want to block too. Because they are partners, because I approve of what they are doing, because they have demonstrated good behavior. I have no way to do that right now.

IP address ranges are absolutely not the right way. IP addresses are network topology, not authentication. I worked in academia for some time, where large universities have a history of trying to use IP addresses for authentication -- and even working with internal IP addresses theoretically controlled by the (large) institution, it was a fool's game. IP addresses can change all the time -- even for a device which has not moved its physical location. Plus resources can be allocated to different physical locations. Different actors can share an IP address. They are often changed at various lower levels of hierarchical administration without informing the top, for network topological concerns -- they are designed for this. Etc etc etc.

I understand the concern about CloudFlare's gatekeeping monopoly.

There may be ways that Web Bot Auth can make it worse. Discussion of that is not inappropriate. Maybe there are ways to ameliorate it (will individual customers be able to have their own allow-lists? Can we insist on that? Is that enough?). Maybe not good enough. But let's focus the discussion on that -- there is in fact nothing wrong with the Web Bot Auth protocol, at least nothing covered in this essay, it is well-designed for authenticating bot agents, and we actually do need something that does that, in the current world where misbehaving disguised bot agents have become a real problem.

Not having a way to authenticate distributed bot actors who wish to opt in to a way to be authenticated (everyone else is free to try to evade the bot detectors same as they are now?) -- is going to create more damage. All these people railing against what seems to be an appropriate protocol for authentication because they don't like Cloudflare's monopoly are distressing me, it's going to be worse if we don't have a way to do it. It is an open protocol not just for use by cloudflare.

jrochkind1 commented on Web Bot Auth   developers.cloudflare.com... · Posted by u/ananddtyagi
binarymax · 3 days ago
I think about failure modes. What happens if cloudflare decides you are a bot and you’re not. What recourse do you have? What are the formal mechanisms to ensure a person is not blocked from the majority of the web because cloudflare is a middleman and you are a false positive?
jrochkind1 · 3 days ago
I am not following what any of that has to do with the Web Bot Auth protocol?

it seems like complaints about Cloudflare's anti-DOS protection services and how they have a monopoly on such, I get that.

I'm not seeing the connection to a protocol for bots/crawlers voluntarily cryptographically signing their http requests, so sites (anyone implementing the protocol not just cloudflare) can use it to authenticate known actors?

I am interested in using it to exempt bots/crawlers I trust/support/have an agreement with from the anti-bot measures I, like many, am being forced to implement to keep our sites up under an enormously increased wave of what is apparently AI-training-motivated repeat crawling. Right now these measures are keeping out bots I don't want to keep out too. I would like to be able to securely identify them to let them in.

jrochkind1 commented on Web Bot Auth   developers.cloudflare.com... · Posted by u/ananddtyagi
binarymax · 3 days ago
I agree in principle, but I disagree that it should be designed and mandated by a private gatekeeper
jrochkind1 · 3 days ago
What's now at the top has links to IETF drafts in the first paragraph. What am I missing?

A way to authenticate identity for crawlers so I can allow-list ones I want to get in, exempt them from turnstile/captcha, etc -- is something I need.

I'm not following what makes this controversial. Cryptographic verification of identity for web requests, sounds right.
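The exchange jrochkind1 describes across these threads, a crawler signing its requests with a published key so a site can allow-list it and exempt it from anti-bot measures, as an added Go example that is not from the original comments, Cloudflare, Stytch, or the IETF drafts. It builds the RFC 9421 signature base over `@authority` and the `Signature-Agent` header, signs it with Ed25519, and on the site side checks the covered components, the validity window, and a `keyid` allowlist before verifying. Assumed rather than taken from the page: the `Signature-Agent` value, the `keyid` string (the Web Bot Auth draft uses a JWK thumbprint and a `tag` parameter, omitted here), the in-memory allowlist standing in for the agent's published key directory, and the simplified parser that only accepts the exact header shape this code emits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"regexp"
	"slices"
	"strings"
	"time"
)

type SigParams struct {
	Components       []string // covered components, e.g. "@authority", "signature-agent"
	Created, Expires int64    // Unix seconds
	KeyID, Alg       string
}

// InnerList is the RFC 9421 inner list: the Signature-Input value after "sig1=" and, byte-for-byte, the last base line.
func (p SigParams) InnerList() string {
	return fmt.Sprintf(`("%s");created=%d;expires=%d;keyid=%q;alg=%q`,
		strings.Join(p.Components, `" "`), p.Created, p.Expires, p.KeyID, p.Alg)
}

// signatureBase builds the RFC 9421 signature base: one `"name": value` line per covered component, then "@signature-params" carrying the inner list exactly as sent.
func signatureBase(r *http.Request, components []string, params string) (string, error) {
	var lines []string
	for _, c := range components {
		v := strings.TrimSpace(r.Header.Get(c))
		if c == "@authority" {
			v = strings.ToLower(r.Host)
		} else if strings.HasPrefix(c, "@") || v == "" {
			return "", fmt.Errorf("component %s is absent or not handled by this example", c)
		}
		lines = append(lines, fmt.Sprintf("%q: %s", c, v))
	}
	return strings.Join(append(lines, `"@signature-params": `+params), "\n"), nil
}

// Sign is the agent side: it adds Signature-Input and Signature to the outgoing request.
func Sign(r *http.Request, p SigParams, priv ed25519.PrivateKey) error {
	base, err := signatureBase(r, p.Components, p.InnerList())
	if err != nil {
		return err
	}
	r.Header.Set("Signature-Input", "sig1="+p.InnerList())
	r.Header.Set("Signature", "sig1=:"+base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(base)))+":")
	return nil
}

// sigInputRE accepts exactly the shape Sign emits; a real verifier needs an RFC 8941 structured-field parser.
var sigInputRE = regexp.MustCompile(`^sig1=\(([^)]*)\);created=(\d+);expires=(\d+);keyid="([^"]*)";alg="([^"]*)"$`)

func parseSignatureInput(v string) (p SigParams, params string, err error) {
	m := sigInputRE.FindStringSubmatch(v)
	if m == nil {
		return p, "", fmt.Errorf("Signature-Input %q is not in the shape this example handles", v)
	}
	p.Components = strings.Split(strings.Trim(m[1], `"`), `" "`)
	p.KeyID, p.Alg = m[4], m[5]
	_, err = fmt.Sscan(m[2]+" "+m[3], &p.Created, &p.Expires) // digits only, guaranteed by the regexp
	return p, strings.TrimPrefix(v, "sig1="), err
}

// Verify is the site side: trusted is its allowlist (keyid -> public key) and now a Unix time.
func Verify(r *http.Request, trusted map[string]ed25519.PublicKey, now int64) error {
	p, params, err := parseSignatureInput(r.Header.Get("Signature-Input"))
	if err != nil {
		return err
	}
	switch {
	case p.Alg != "ed25519" || !slices.Contains(p.Components, "@authority") || !slices.Contains(p.Components, "signature-agent"):
		return fmt.Errorf("signature must use ed25519 and cover @authority and signature-agent, or it replays anywhere")
	case p.Created > now+60 || p.Expires < now: // 60 s clock-skew allowance
		return fmt.Errorf("outside validity window: created=%d expires=%d now=%d", p.Created, p.Expires, now)
	case trusted[p.KeyID] == nil:
		return fmt.Errorf("keyid %q is not in the trusted directory", p.KeyID)
	}
	base, err := signatureBase(r, p.Components, params)
	sig, decErr := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(r.Header.Get("Signature"), "sig1=:"), ":"))
	if err != nil || decErr != nil || !ed25519.Verify(trusted[p.KeyID], []byte(base), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"crawler-key-1": pub} // site allowlist; real keyids are JWK thumbprints
	now := time.Now().Unix()
	req, _ := http.NewRequest("GET", "https://library.example.org/catalog", nil) // constructed request
	req.Header.Set("Signature-Agent", "https://crawler.example")                // assumed agent directory URL
	p := SigParams{Components: []string{"@authority", "signature-agent"}, Created: now, Expires: now + 300, KeyID: "crawler-key-1", Alg: "ed25519"}
	fmt.Println("sign:", Sign(req, p, priv), "| verify:", Verify(req, trusted, now), "| expired:", Verify(req, trusted, now+600))
	other := req.Clone(req.Context()) // identical headers and signature replayed against a different host
	other.Host = "other.example.net"
	fmt.Println("replayed elsewhere:", Verify(other, trusted, now))
}
```

Running `main` prints a nil error for the genuine request and non-nil errors for the expired copy and for the same headers replayed against another host, because `@authority` is part of what was signed. Note what the code does and does not give you: a key that has been handed to a partner, or leaked, signs just as validly, which is jrochkind1's point that delegation is a property of any key-based scheme. The defences the verifier actually has are binding each signature to the host, the agent header and a short validity window, and removing a key from the allowlist when its holder misbehaves; a production verifier would also fetch the agent's key directory, parse the header with a real RFC 8941 parser, and keep a nonce cache against replays within the window.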

jrochkind1 commented on Proposal: AI Content Disclosure Header   ietf.org/archive/id/draft... · Posted by u/exprez135
0xDEAFBEAD · 5 days ago
>Attack applications may use a suitable API to request that [the evil bit] be set. Systems that do not have other mechanisms MUST provide such an API; attack programs MUST use it.

Potential flaw: I'm concerned that attackers may be slow to update their malware to achieve compliance with this RFC. I suggest a transitional API: Intrusion detection systems respond to suspected-evil packets that have the evil bit set to 0 with a depreciation notice.

jrochkind1 · 5 days ago
deprecation notice
jrochkind1 commented on We regret but have to temporary suspend the shipments to USA   olimex.wordpress.com/2025... · Posted by u/CTOSian
vesinisa · 5 days ago
Maybe Trump is just doing what's good for America and his strategy is exactly being unpredictable and chaotic. This is stressful for others and they make political concessions to please him in exchange for a period of stability.

EU for example bulged for exactly this reason and accepted 15% one-way tariff for access to US market. Before the deal the uncertainty about the level of coming tariffs was deemed worse for European companies trading to US than the negotiated tariff itself.

European political leaders including the head of NATO have also practically turned to giving rimjobs to Trump's ass wishing he would not throw tantrums at them in important meetings: https://www.bbc.com/news/articles/c17wejpw79qo

Ultimately this all just strengthens US hegemony and makes other countries weaker, which is the explicitly stated goal he keeps repeating.

jrochkind1 · 5 days ago
It seems pretty stressful for Americans as well. I guess we too are being asked to make concessions for a period of stability... that doesn't sound great. Maybe the trains will run on time if we make enough concessions.
jrochkind1 commented on We regret but have to temporary suspend the shipments to USA   olimex.wordpress.com/2025... · Posted by u/CTOSian
tlogan · 5 days ago
The rule is from April 2, 2025 but we were all thinking about TACOs.

But the congress passed the bill to permanently repeal the legal basis for the de minimis exemption so no more TACOs. And I love TACOs…

jrochkind1 · 5 days ago
End of de minimis means you have to calculate taxes on a lot more packages; but you have to know what the tariffs are to calculate them, and it seems like that's been going all over the place, and could change again at any time?
jrochkind1 commented on Rv, a new kind of Ruby management tool   andre.arko.net/2025/08/25... · Posted by u/steveklabnik
jrochkind1 · 5 days ago
> We expect to be able to silently run equivalents of both rvm install and bundle install at the beginning of every bundle exec,

Do I understand right it doesn't use bundler code for resolving gem requirements dependency tree, but uses its own code meant to be compatible? Hmmm.

And also producing the `Gemfile.lock`, which has had kind of a lot of churn in bundler, which bundler has had to work to keep from breaking for people even when it's assumed they're all using (different versions of) bundler.

jrochkind1 commented on We regret but have to temporary suspend the shipments to USA   olimex.wordpress.com/2025... · Posted by u/CTOSian
tlogan · 5 days ago
Both UPS and FedEx have been handling this correctly for years. They provide a simple option where you can choose who pays the tariffs (the shipper or the recipient). If it is the recipient, you just include their email and phone number so they can be contacted.

The “only” difference now is that the $800 limit no longer applies, so every shipment must include this information.

Which basically means end of Temu, Alibaba express, majority of Etsy sellers, etc.

jrochkind1 · 5 days ago
Good point. The issue is, according to OP, that they don't yet know how to calculate the correct amount for new rules going into effect in 3 days, or at any rate have that knowledge implemented into their systems.

u/jrochkind1

Karma: 27327 · Cake day: March 14, 2012