I don't know how Cloudflare can on one hand fight for net neutrality [1] and on the other hand play such an active role in creating a "two-class" Internet. I understand that spamming and DoS attacks are a real problem and that they provide a solution for this e.g. using CAPTCHAs, I just think their approach will lead to a world where your IP address (and thus often your country) decides more and more how easy or hard it is to browse large parts of the Internet. Not sure how to solve this in a better way but I really don't like what they're doing here considering their recent VPN/DNS efforts, which (IMHO) seem to be part of a long-term strategy to create a "fast-track" Cloudflare-powered Internet (for those who can afford it).
[1] https://blog.cloudflare.com/battleforthenet/
If only that. They're also forcing the hands of people that try to protect themselves from pervasive tracking online.
I see your point but 10% of the world's http traffic flows through Cloudflare, it is in their interest to provide a better web experience for their customers (enterprises and end-users alike).
For instance, for my mom, if instead of being subject to endless captchas due to privacy.resistFingerprinting [0], it might be okay to use Cloudflare's VPN/extension (esp since they promise to respect privacy), be able to resist fingerprinting, and not be subject to captchas. I see this as a better of two evils, since captchas aren't going away if you resist fingerprinting or use Tor, at least not anytime soon.
I'd like to think of this as OpenID-- even though it is bad privacy-wise (and single-point-of-failure security-wise), it was widely used for benefits to both the user and the service.
For me, though, the endless captchas are a price I'm willing to pay. YMMV.
[0] https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_...
Net neutrality is the principle that _Internet service providers_ should treat all Internet communications equally. Cloudflare is not an ISP.
Web services like Hacker News don't have any obligation to provide everyone equal access to their site. Cloudflare works for the web services. As a web service provider, you don't have, nor should you have, any obligation to provide equal access to anyone.
> Hacker News don't have any obligation to provide everyone equal access to their site.
I disagree. Net neutrality to me also means that a site like HN should serve all customers coming to the site the same, and not discriminate against TOR users or VPN users, or users from a certain IP range, or users with different/non-standard user-agent headers.
> Net neutrality to me also means that
I don't see how individual inserting his own meaning to well defined terms adds anything positive to the.
If you encounter a term you don't understand, you look it up and don't try to make up your own definition. There is no disagreement of what the term means in a way you insist.
That is definitely not what "Net neutrality" means. It might be an admirable goal, but it needs a different name.
I understand the difference between an ISP privileging network packets based on service and a CDN / content provider privileging / filtering traffic for their customers, however the result for the end user is very similar. Also, Cloudflare is much bigger than most ISPs and already serves a sizeable portion of the Internet traffic, so I don’t think they should get a free pass regarding this issue just because formally they’re not an ISP.
This is so annoying. E.g. it's not unusual to surf the web with a laptop on a mobile connection in the Philippines but then you get all these CAPTCHAs on all Cloudflare sites with the standard configuration.
Actually this is the biggest reason I don't like Cloudflare. They are discriminating some second/third world countries and if you don't travel much and check websites you will never know.
Many website owners are also not aware of this issue with Cloudflare. Discriminating traffic like this should at least be an optional opt-in in Cloudflare and not standard.
I think the discrimination against third-world countries is justified as that's the main source of clickspamming and like factories.
Are people actually downvoting this comment just because it's not politically correct?
I mean, you could argue that it's not fair to discriminate entire countries because of the lax abuse policy of their ISPs, but the comment is correct: that's the reason those countries are discriminated against in this context.
Maybe people are downvoting because GP says it's justified in their opinion? It might be the truth, not most of us can't tell either way, but saying it's justified is a judgemental statement that I find 'justified' to downvote.
downvoting to indicate disagreement is the worst kind of downvoting.
It's not downvoting for disagreement, I think adding a judgement (like "they deserve it if that's where click farms are") is not constructive to the conversation.
I didn't downvote but I don't believe the claim was 100% factual. Cloudflare has always been horrible with dealing with shared IP's even if the users are all legitimate non-malicious. I once worked in an office with a single shared IP for ~200 people and we got constantly captcha-blocked by Cloudflared websites. It was also a problem with google but it was less prevalent and their captcha system was less annoying than Cloudflare's.
When I was a sysadmin for a few admittedly-not-highly-popular websites, there were definitely more unwelcome bot traffic from US and EU IP's than there were from any 3rd world countries.
I also don't agree that social media "like-factories" should be a concern for Cloudflare at all. Even if they are truly a concern; social media "like-factories" are probably human-operated on third-world countries or bots that are likely running from developed world servers with access to cheaper bandwidth and IP's.
This is more insightful than anything else in the comment chain that was spawned from my GP. My opinion on the 'justifiable' end has shifted a bit, thanks!
I have downvoted because despite having 1st World passport I had experienced traveling a lot in SE Asia how Cloudflare blocks (sorry protects) 1/3 of websites.
Browsing from a cafe, using VPN results in almost every attempt of following link from HackerNews in solving endless captchas. It is like being harassed on the border control just because you have the wrong passport.
Sadly many of the sites "protected" by Cloudflare are interesting personal sites owned by honest people who had been scared about dangers of traffic from bad places.
Cloudflare is running internet protection racket Al Capone style.
Do you have a source for that claim? How does sharing IP's with 'like factories' and thousands of other legitimate users justifies getting captcha-blocked by Cloudflare without explicit instructions from the website owners?
Note that you're asking the question as if the statement is true and you're just inviting an opinionated justification. The answer to "how does sharing IPs with like factories justify blocking others" is easy to give an opinion on. Proving this is the real cause, that the local ISPs are not doing anything against it, etc. is what I think we should be asking.
Social media like factories are usually targeting websites that are not hosted by Cloudflare (Facebook, Twitter, Amazon, Youtube etc.)
If the like factories are using 3rd world IP's they are probably real human ( https://www.rt.com/viral/388169-smartphones-factory-generate... ) because bots can be run cheaper on a 1st world server because bandwidth, IP, and power usually cost less there. Captcha is an anti-bot measure and is not (or at least shouldn't be but I'm finding it hard to pass CF's captcha as human) very effective against actual humans.
I don't even think CF considers(or even aware of) the existence of a like factory on the same network for displaying the captcha and I am pretty sure they don't justify their captcha blocking with it. It's more likely that they just see a bunch of connections coming from the same IP and naively concludes that it must be a bot.
I'm sure it's easy to make "excuses"(vs justification) but given the real harm it does to actual human users and questionable effectiveness against the doubtful ill-effects of the existence of like factories against CF-hosted websites; I'd like to hear that "justification."
> bots can be run cheaper on a 1st world server because bandwidth, IP, and power usually cost less there
First world server IP ranges are treated just as poorly for this exact reason. Try browsing the web through a VPN/proxy on an OVH (French) server. I get captcha requests on Youtube videos and Google searches.
Cloudflare is for me the no. 1 company by far which is clustering up the web with their little border controls. No other company made surfing the web so complicated and annoying from distant regions of the world for me.
And because many website owners just install and use Cloudflare with standard settings they don't care.
It's good that Cloudflare addresses this problem with their extension now but I had a little too much bad taste... this extension is long overdue and I still think it's not the best solution to the main problem (standard DNS settings too restricted).
>I think that discrimination is ok as long as it is not me, or my group being discriminated. FTFY
Did you just assume my nationality?
Some cloudflare-based sites show a captcha when visiting from Russia, but it is relatively rare.
When you do encounter CAPTCHAs, try out Buster [0]. It passes the CAPTCHA by solving the audio challenge using speech recognition APIs.
Google does block people from accessing the audio challenge [1] in some cases, so make sure to check if you can access the audio challenge even before installing the extension by clicking on the headphone icon within the challenge widget.
Enable user input simulation from the extension's options and install the client app to reduce the chance of a temporary block while using the extension.
If you're on Chrome, there is a pending update (0.5.2) that switches to the Wit Speech API (demo) service by default, verify that you're using the correct service by visiting the extension's options to avoid any errors.
Please open an issue if you have experience with image recognition and you'd like to contribute towards a mode that would solve the visual challenge, or assist users by suggesting image tiles to select.
[0] https://github.com/dessant/buster
[1] https://github.com/w3c/apa/issues/25
Isn't this ruining the feature for people who are forced to use the accessibility feature?
They'll improve the captcha just like they did with the basic obscured text to now making the user do image recognition for them and people who really need the accessibility won't have it that easy any more.
I don't feel like that's a nice thing to do.
Google blocks people with disabilities from accessing the audio challenge, please see the second link in my original post for details. This project, while in the early stages, aims to bring attention to the human cost of the reCAPTCHA service, and helps those who can no longer cope with that cost.
Thanks for clearing that up, I missed the second link while browsing on mobile.
I suggest the link be changed to https://www.petsymposium.org/2018/files/papers/issue3/popets..., because there's serious misunderstanding in the comments.
- This is not made by Cloudflare, Cloudflare is just the first to support it.
- This does not tie anything to your IP address, this introduces an alternative to tying things to your IP address.
- This does not implement more granular tracking IDs, it implements unlinkable one-time tokens.
- This does not further Tor user blocking/inconveniencing, they're who it was made for.
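
The "unlinkable one-time tokens" in the comment above rest on blinding: the client has the server sign a curve point it cannot read, then strips the blinding factor before redeeming. The following is an added sketch of that flow, not part of the thread and not the extension's code; the curve (secp256k1), the try-and-increment hashing and every function name are assumptions of this sketch, and the proof that the server signs with the same key for everyone, which the real protocol includes, is left out.

```python
import hashlib
import hmac
import secrets

# secp256k1 (y^2 = x^3 + 7 over F_P, prime order N); the curve is this sketch's choice.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc


def hash_to_curve(seed):
    """Try-and-increment: hash until the digest is the x of a curve point."""
    for ctr in range(1 << 32):
        h = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return x, y


def request_tag(point, request):
    """Bind a redemption to one request with a MAC keyed by the signed point."""
    key = hashlib.sha256(b"".join(c.to_bytes(32, "big") for c in point)).digest()
    return hmac.new(key, request, hashlib.sha256).digest()


class Issuer:
    """Challenge server: signs blinded points, later checks redeemed tokens."""

    def __init__(self):
        self.k = secrets.randbelow(N - 1) + 1  # long-term signing key
        self.issuance_log = []  # every point it saw while issuing
        self.spent = set()  # token seeds already redeemed

    def issue(self, blinded):
        self.issuance_log += [blinded, mul(self.k, blinded)]
        return self.issuance_log[-1]

    def redeem(self, t, request, tag):
        expected = request_tag(mul(self.k, hash_to_curve(t)), request)
        if t in self.spent or not hmac.compare_digest(expected, tag):
            return False  # replayed seed, or point not signed with k
        self.spent.add(t)
        return True

    def can_link(self, t):
        """The server's only handle at redemption: H(t) or k*H(t) in its log?"""
        token = hash_to_curve(t)
        return token in self.issuance_log or mul(self.k, token) in self.issuance_log


def client_blind():
    """Client: fresh seed t and blinding scalar r; only r*H(t) leaves the client."""
    t, r = secrets.token_bytes(32), secrets.randbelow(N - 1) + 1
    return t, r, mul(r, hash_to_curve(t))


def client_unblind(r, signed):
    """r^-1 * (k * r * H(t)) = k * H(t), a point the issuer has not seen."""
    return mul(pow(r, -1, N), signed)


def demo():
    issuer = Issuer()
    t, r, blinded = client_blind()
    point = client_unblind(r, issuer.issue(blinded))
    req = b"GET /article"  # constructed sample request
    tag = request_tag(point, req)
    return issuer.redeem(t, req, tag), issuer.redeem(t, req, tag), issuer.can_link(t)
```

`demo()` returns `(True, False, False)`: the first redemption is accepted, the replay is refused, and the lookup against the issuance log finds nothing, because for a random `r` the blinded point `r*H(t)` is a uniformly random point that fits every possible token equally well.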
Privacy Pass doesn't help when various desktop and mobile app developers host their APIs behind Cloudflare. Users end up with timeouts or other error messages that don't mention anything about being blocked by Cloudflare.
Sounds like we're getting ever close to requiring identification before being allowed to use the Internet. Such a law would be vehemently opposed I'm sure, the question is whether we mind if a company does it and offers it "voluntarily" for those first blocked by said company.
To clarify a few things:
PrivacyPass is a third-party extension that allows a user to receive anonymous tokens that can't be tied back to them: https://privacypass.github.io/
CloudFlare supports that third-party extension so visitors can see fewer challenges.
I like cloudflare, but it seems like we're putting more and more trust in them. Not sure if that's good.
This. We're centralizing all the websites to flow in the hands of one player who can decide who can or cannot access a website, not to mention the fact that they have the capability to know who accesses which website across a larger and larger portion of the net. De facto we're giving them the keys to the internet. But who's them? And who will it be in the future?
I understand that they offer cheap solutions to very real problems, but we keep making the same mistake we made with Google and other tech giants. While they are acting in a commendable way now, I fear for how much influence they'll have when they will inevitably drop their "Don't be evil".
To me, another company needs to step up and try to compete in the same sector. The problem is that the alternatives, like Sucuri and Stackpath that are reasonably cheap are _terrible_. I deal with both on a day to day and it’s horrendous to deal with :/.
This seems like a play taken directly from the United States TSA/DHS with their global entry/pre-check 'services' which only exist to track people at a more granular level.
I don't understand what is the motivation to block Tor or VPNs if there is no large volumes of traffic from specific IP. Does Cloudflare dislike anonymous users?
Also, did you see the permission list for a Firefox extension? [1] It says "Access your data for all websites".
[1] https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/
I think that the idea is these IP addresses are leased out, renewed, changed frequently. While I might connect to my VPN and do basic stuff... another person before me might have used it much more heavily for example. So the IP which we shared is flagged as possibly nefarious. It doesn't know I am a totally different person. Only that, in the past, someone has used this particular IP in a negative way.
That permission is required for a vast set of features in chrome and Firefox extensions because of how poorly the chrome extension API was designed. So while it indeed has that permission, there are lots of things it could be doing with it that don't impact your data at all. You'd have to audit the code.
So "Privacy" Pass effectively generates a unique token for every user? That results in trivial tracking again, one of the main points of using VPNs, Tor or whatever.
The tokens can't be correlated with a user.
From the linked page "Privacy Pass uses elliptic curve cryptography to generate 'anonymous' tokens after a single CAPTCHA page is solved."
In any case - privacy implications aside - having to install an extension to get around their risk assessment algorithm going wrong seems like placing the burden in very much the wrong place.
edit: was wrong about who created the extension
PrivacyPass is not their thing:
https://privacypass.github.io/
They run a service that shows high-risk visitors (or whom they deem high-risk) a challenge. They support a third-party extension that lets you vouch for yourself on other websites anonymously. The alternative is that they don't support it.
The other things they do are debatable, but this is a good thing.
Oh, thanks for pointing that out, totally missed that part! In that case, at least it's anonymous, yeah.
Yeah, in my view, it's nice that they're supporting a published way of anonymously vouching for myself. Maybe it's less than awesome that every visitor from Romania (as an arbitrary example) is considered a criminal, but supporting PrivacyPass is a nice move.
I wish all Chromium plugins had such good plugin content overview, saves a lot of time if you want to review what you install.
https://github.com/privacypass/challenge-bypass-extension
This add-on isn't new. Why now?
https://notabug.org/themusicgod1/cloudflare-tor
How the f* does this even help at all when Google reCaptcha already "ghost-blocks" bad ips as well?
getting closer everyday to a global "login" to access the internet
this is TSA level thievery -- first organize security theater in form of "protection" and then charge money to be able to avoid that. Pathetic.
There isn't any money involved. Did you read this?