- They want their vendor to arbitrarily deny access to customers and prospects
Maybe they have a 100% success rate at blocking actual threats but they sure do have a lot of false positives. I get blocked or forced into captchas at least three times per week.
I used to report it to the site admins, but among the few that responded, almost none knew how to fix it. I no longer bother, so I suspect that the less clueless admins have no idea how many visitors Cloudflare has driven away.
> I used to report it to the site admins, but among the few that responded, almost none knew how to fix it. I no longer bother, so I suspect that the less clueless admins have no idea how many visitors Cloudflare has driven away.
It's an acceptable cost, versus other ways of dealing with abusive traffic.
Hell, we (sysadmins, back when that was a term people used) used to just blackhole all the IP blocks associated with certain countries—made the logs so very much quieter, and this was back when the whole Internet was a lot quieter to begin with. At least CloudFlare's less blunt than that.
Failing to block abusive traffic can be really expensive. Detecting it is always going to cause false positives. Admins are OK with those as long as they don't cost more than implementing a system with fewer false positives would. A half-percent tax on revenue (to pick a number out of a hat) in the form of lost customers is a reasonable trade-off for a lot of companies. You've got to have pretty serious scale before it's worth investing real money to try to shave that down by a couple tenths of a percent (you'll never get it to zero, and only places like Amazon have the kind of scale that makes it worth attempting to closely approach zero).
Absolutely. I had a post here about how Cloudflare is locking out Linux users[1] (which was momentarily resolved and they're back to blocking them again), but it was quickly flagged, suppressing any real discussion about it.
I have to assume jgrahamc was one of the flaggers, given their indignant comment at the top of this thread.
Hi there! I work at Cloudflare. Our global performance for Linux users on challenge pages looks good at the moment, but I'd love to take a closer look.
Could you send me an email with details you have available, (rayID, IP address + website, or HAR file) at amartinetti at cloudflare.com?
Whitelisting the Opera Mini browser how? Asking Opera Mini to include a signature with requests? Based on user-agent? In any case, browser behavior can and will be copied by bad actors if doing so is a get-past-cloudflare-free-card. That's why it's not just browser, it's browsing habits based on your IP and location in addition to fingerprinting where appropriate in order to allow legitimate users to prove they're human via captcha.
Edit: even if you just mean whitelisting their proxy IP... that doesn't do much good either. It's like asking to whitelist Tor - those IPs are blocked because a good amount of spam or malicious traffic originates from them, not because there are x0,000 users on each.
> That's why it's not just browser, it's browsing habits based on your IP and location in addition to fingerprinting where appropriate
Mini is a barely configurable hosted browser with one IP, one location, and one fingerprint. It doesn't return anywhere near full HTML/JS/CSS, but highly cut-down code generated by Opera's server. Unless somebody has found a way to hack that server, I'm at a loss as to what damage it could cause.
This seems to me a case of sloppy use of overly broad security tools.
I've had a couple of HN comment threads recently about Cloudflare blocking me, and I contacted multiple sites about this, but so far no improvement.
Maybe the right people are hearing, but they consider it a necessary evil of negligible impact (accurately or inaccurately). Or they're stuck with Cloudflare, who says they'll take care of it. Or maybe the message is getting lost before it gets to someone who cares.
>I get blocked or forced into captchas at least three times per week.
Same.
I get blocked on websites I have accounts on if I use a VPN. I'm not just a visitor, I'm a member, and still get blocked by Cloudflare. Other times it's a small or local business and to me the website just looks down. Then, if I bother to think about it and am willing to drop my VPN, suddenly the website works fine.
Treating VPN users as hostile is getting really fuckin old.
VPN users are hostile, just not you. VPNs are abused by bad actors all the time using a shared IP that you are likely using too. If you had a dedicated IP I'm sure this would be different, though it makes you less anonymous, which is part of the reason why you get captchas.
It's still a false positive, which is what we're talking about, unless Cloudflare itself is the bad actor and they're deliberately blocking normal VPN users. Which I'm sure there's money in if you dig. Governments for one would happily pay to de-anonymize or block "misbehaving" citizens.
Personally, my favorite was CF emailing me to brag about how many robots/malicious actors they block, right after blocking me for being a robot/malicious. Like... that's sure one way to undermine your numbers...
20 years ago I was beta testing a browser nobody's heard of and happened upon a mainstream PC accessories seller like pcconnection.com or the original cdw.com with a poorly designed site: malformed cookies, important information hidden inside nonstandard tooltips, etc. Don't recall their name, but they had domains for the US and Canada. I emailed them at least twice to point this out, but they blew me off. I was amused when they went out of business a few years later.
When you criticise Cloudflare, the common response is that the site owner has chosen to block this or that. I don't believe for a moment that Cloudflare offers a checkbox for "Spin the busy animation forever, never loading the site and never generating an error". This is what happens when a company dubs itself the Internet Police while not knowing what the f*ck they're doing. In the words of the Joshua AI from WarGames:
"The only winning move is not to play."
I suggest that it's impossible to do what Cloudflare is attempting without false positives, but they haven't figured that out yet. And when you complain in their public forum, do they apologize and send up the flares? No, you're met with arrogance:
I wasn't caught in this particular dragnet, but had the same thing happen to me this past winter with the Iceraven browser. I did complain to one of the affected sites, who weren't particularly helpful, and the issue disappeared on its own about 2 months later. Maybe somebody did start a public thread with Cloudflare, but knowing the likely response, I held off restarting that fight.
I use the Opera Mini browser sometimes (not recommended), which apparently has its worldwide server/endpoint in the Netherlands. There used to be a US endpoint but no longer. If you're using Cloudflare to block European traffic for one reason or another, okay, I get it. If you're using Cloudflare to block "unusual traffic" like VPN endpoints (no idea how it actually works), it would take them two minutes to do a reverse lookup on the IP and see
109.211.145.82.in-addr.arpa. 13531 IN PTR h18-05-12.opera-mini.net
and simply whitelist the IP globally. But they haven't...while a little voice nags at me, reminding me this is supposed to be their day job.
On some level I'm okay with the status quo and letting my first paragraph scenario play out: smart businesses grow while idiots go bankrupt. With Chrome, Safari, and Edge controlling roughly 90% of the browser market, though, I'm not holding my breath. The rest of me considers this behavior anti-competitive and a growing civil rights issue. Imagine needing a toll road or ferry service to get somewhere but the owner tells you they don't like your car and please get another one. The average person would exclaim, "What? There's nothing wrong with my car!!" Ditto for whatever browser I choose. If it supports TLS 1.3 but doesn't like the web site's HTML/JavaScript/CSS, then maybe I'll consider switching...or maybe I won't. But that should be my choice, not theirs, and definitely not the choice of a middleman with delusions of grandeur. Web sites designed for use by the public need to be accessible by the public.
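The reverse-lookup-and-allowlist idea in the comment above, worked through as an added example (not code from this thread, from Opera or from Cloudflare): a forward-confirmed reverse DNS check, which is what an allowlist should rely on, because anyone controls their own reverse zone and a PTR alone can claim any name. The Opera Mini IP and PTR are the ones quoted above; the 203.0.113.7 host and the h99-99-99 name are constructed, and the resolver is injected so the block runs offline.

```python
import ipaddress
import socket

# Constructed sample DNS data. 82.145.211.109 / h18-05-12.opera-mini.net is the
# pair quoted in the comment above; 203.0.113.7 (documentation range) is a
# constructed host whose PTR merely *claims* to be opera-mini.net.
SAMPLE_PTR = {
    "82.145.211.109": "h18-05-12.opera-mini.net",
    "203.0.113.7": "h99-99-99.opera-mini.net",
}
SAMPLE_A = {
    "h18-05-12.opera-mini.net": ["82.145.211.109"],
    "h99-99-99.opera-mini.net": [],  # forward lookup does not confirm the PTR
}

def reverse_name(ip: str) -> str:
    """The in-addr.arpa name a PTR query is sent for (what the dig output shows)."""
    return ipaddress.ip_address(ip).reverse_pointer

def in_domain(hostname: str, suffix: str) -> bool:
    """True only for suffix itself or a label boundary below it (no 'evilopera-mini.net')."""
    host, suffix = hostname.rstrip(".").lower(), suffix.rstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)

def is_confirmed_proxy(ip, allowed_suffixes, ptr_lookup, a_lookup) -> bool:
    """Forward-confirmed reverse DNS (FCrDNS):
    1. the PTR of ip must lie under one of the allowed operator domains;
    2. the A records of that PTR name must contain ip again.
    Both hold only when the operator controls the reverse *and* forward zone."""
    try:
        name = ptr_lookup(ip)
    except (LookupError, OSError):  # no PTR, or resolver error: do not allowlist
        return False
    if not name or not any(in_domain(name, s) for s in allowed_suffixes):
        return False
    try:
        return ip in set(a_lookup(name) or [])
    except OSError:
        return False

# Offline resolvers backed by the constructed tables (KeyError is a LookupError).
def sample_ptr(ip): return SAMPLE_PTR[ip]
def sample_a(name): return SAMPLE_A.get(name, [])

# Live resolvers for real use, with the same signatures (assumed stdlib calls).
def live_ptr(ip): return socket.gethostbyaddr(ip)[0]
def live_a(name): return socket.gethostbyname_ex(name)[2]
```

Swap `sample_ptr`/`sample_a` for `live_ptr`/`live_a` to run the same check against real DNS; the constructed 203.0.113.7 case is the one a PTR-only allowlist would wrongly admit.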
In the beginning of a project I want velocity and progress. CF gives me:
Easy SSL. Register domain at cost. Throw up static site on S3 equivalent (or app on whichever cloud), add Cloudflare and a couple redirects (no www to www, no ssl to ssl), done. It’s like gmail for simple web hosting. It’s also like early Google, friendly and useful and not trying to squeeze every dollar for shareholders and bonuses.
They lend us their very competent team at free or minimal cost. I totally get the single point of failure and monopoly but compared to AWS, Azure and Google complexity it’s a simple web app dream until I have time to care about certs etc.
Competitors need to build an easy alternative and get as good as the CF team. Which is way better than me at futzing with config I only touch once every couple years.
> - They have to deal with some level of DDOS or site scrapers hitting every page at once
Sadly, that is the norm with everything since Shodan made it trivially easy to find out targets for websites. Once your hostname or IP ends up there, you will get blasted with exploits a couple minutes after a 0-day was published.
I think blaming Shodan/etc is incorrect - Shodan's rise in popularity coincided with the rise of cheap, fast bandwidth at VPS providers enabling you to scan real fuckin fast.
It’s much more efficient to just do “zmap | ./exp” than it is to query shodan, get a limited amount of targets, etc.
It's also popular in the SEO crowd for artificial link building. With such a chunk of the web behind Cloudflare, the presumption is that it's one less fingerprint that is reasonably scalable.
For the most part, the bandwidth doesn't matter, the sites are made for bots.
With the cost of popular cloud vendors, Cloudflare is essential. The first bullet point is enough to drive people there.
You can also manage all of your internet infrastructure (domains, dns, etc) under a single dashboard that doesn't suck. Pry it from my cold dead fingers.
- They want to save on bandwidth costs
- They have to deal with some level of DDOS or site scrapers hitting every page at once
- They want to block IPs, geographies, ASNs, etc. without editing a server config
- They want speed & server-sided visitor analytics, email routing, security settings, redirect configuration, and DNS all in one dashboard