Tell HN: The web is still broken due to Cloudflare
It's not even just that. If I type a certain word on a website I'll get some stupid Cloudflare security page. Even on fresh IPs on new computer hardware I still see the Cloudflare security page all the time. IT'S JUST BROKEN GARBAGE THAT NEVER WORKED, LIKE WINDOWS UAC.
Don't tell me some bullshit like "serves you right blah blah", or "security theater is good", or bring up the "oh no there are bots on the internet" meme.
This is a red herring. You can't have a protocol and say it can only be accessed by some specific implementation brought to you by IBM^WMicrosoft^WGoogle. You are literally just wrong, and your concern is that you were not able to serve ads to the user and hijack his browser in various ways or profile him. Just get a real job. Broadcast television did not require any of that. There was no way for anyone to know what TV channel you were watching, yet it still existed and was higher quality than the web. Your bullshit practice is not a right, it's a privilege.
Blocking IPs for any reason other than a temporary DDoS measure is simply an invalid practice and you do not know what you're talking about. I see this opinion so much but I'd like to imagine it's just the average lay people getting involved in subjects above their heads as opposed to the main characters but I know it's probably the latter.
1. Before that, you could not access anything at all from Tor Browser without filling out 2 captchas per website (yes two). Yes, that's SEVEN YEARS that they completely broke Tor for. Remember that Cloudflare is the #1 problem for Tor, not the NSA.
If you are okay with Cloudflare doing this shit just get out of my industry, like seriously, it's not even a moral issue, you're just wrong, it serves no purpose, but it's easy to convince laymen with bad arguments like "it stops sql injection", and is just annoying, how did you even pass FizzBuzz or whatever placebo hiring test they have these days. Don't give me any "wah software is toxic" bullshit, software industry is overly polite bunch of vastly overpaid people with sedentary minds and bodies who sit around all day who mostly don't know what they're doing. You are a bad person and deserve to feel bad.
7 comments
[ 3.4 ms ] story [ 43.9 ms ] threadIt's funny because I've yet to have had Cloudflare get in the way of an automation project but it bugs me all the time as an ordinary user.
My first case of getting seriously harassed by it though was a few weeks ago when it was blocking my access to archive.today, it wasn't being decent and telling me to buzz off, instead I was in an endless loop of "click on the traffic lights", "click on the motorcycles", ... I think it's because I have been using it a lot because my RSS reader automatically rewrites many URLs to go there.
Using the Tor browser I got different results depending on the exit node, sometimes it would just tell me I was banned, often I'd have to fill out one or two CAPTCHAs and I could see the content.
After a few weeks the problem cleared up.
> Windows UAC works just fine now.
What the hell how does it work, it just makes a vague popup for doing anything ever and the user has know way to know what he's being asked or whether it's normal. Almost no user will ever do anything other than click through it.
Arguably it's a problem that you need it to install almost any piece of software so in principle any malicious software at all can do something evil in the installer. That said Windows does have a reasonable model for people installing software just for themselves that some software actually uses.
uac doesn't stop malware (as in, you wont even get a popup) from sending all your files to a remote party, which is the only thing i care about as a desktop user. i would prefer if windows went back to having no users and i didn't get random "permission denied" errors while browsing my documents.
That said my wife and I have separate accounts on a laptop that had the keyboard delaminated and replaces a mac mini 2013 that recently gave up the ghost. Works fine for us. Contrast that to the iPad which I don't really know how to share, and BTW she feels about the same as touching a touchscreen the way a lot of people would feel about putting their hand in a toilet.
At work I've recently been issued a new Win 11 desktop and they have a system where any user registered against it can just log in and have their desktop materialize on that machine w/ microsoft domains. It "just works" for the most part but when I was in grad school I remember an attempt to make a Win NT cluster behave like an old-school minicomputer went so badly that the sysadmin's head exploded and he left in a huff to go get a job admining printers for the whole campus.
But yeah, the current situation with virtualization does remind me of the old days when IBM never figured out how to make a general purpose OS for the 360 and wound up coming out with the 370 that supported virtualization... Thus a typical mainframe by 1980 was running many different operating systems and if you were doing software development you would end up spinning up a VM which ran a single user OS a lot like MS-DOS or CP/M.
this is another good point btw. any single meta thing that makes the web better like RSS or browser plugins can get you blocked by Cloudflare. Cloudflare's policy simply is bad for the web, and they have vehemently defended it for 13 years without any resistance even from so called open web advocates.
Q1. But bots could crawl my site and scrape my content!
They can just buy a new IP (but they usually won't need to since they can just emulate a web browser or use Selenium and this bypasses the "block", are you paying attention?)
Q2. But my website could get hacked by a malicious web request!
They can just fill out the captcha and then hack your website. Or change IP if the captcha wasn't an option (but it is in 99.99% of cases in my experience)
Q3. But this is needed to stop DDoS!
To stop DDoS you temporarily block the most taxing IPs at the IP level. You don't generation a web session, a session to a 3rd party captcha provider (who then has to generate all the same and an image) and then see offer the bot a second chance. In other words: this has nothing to do with DDoS.
Q4. It doesn't have to be perfect, it's just one layer of defense!
This is an ad hoc hypothesis. If you don't know what that means go look it up. You would not be arguing this if they did not create this policy. And there was no difference of the security of the web at large before and after this.