Tell HN: The web is still broken due to Cloudflare

3 points by uconnectlol ↗ HN
I still can't curl or wget some website as of 2011 with an arbitrary IP address because Cloudflare controls the vast majority of the web and blocks any request that their bullshit firewall doesn't like. If you use Tor or VPN or any other IP that is "bad", all your traffic will be blocked by default to any website that sits behind Cloudflare (as of 2018 you can get around it by emulating a web browser instead of switching to a new untarnished IP[1]).

It's not even just that. If I type a certain word on a website I'll get some stupid Cloudflare security page. Even on fresh IPs on new computer hardware I still see the Cloudflare security page all the time. IT'S JUST BROKEN GARBAGE THAT NEVER WORKED, LIKE WINDOWS UAC.

Don't tell me some bullshit like "serves you right blah blah", or "security theater is good", or bring up the "oh no there are bots on the internet" meme.

This is a red herring. You can't have a protocol and say it can only be accessed by some specific implementation brought to you by IBM^WMicrosoft^WGoogle. You are literally just wrong, and your concern is that you were not able to serve ads to the user and hijack his browser in various ways or profile him. Just get a real job. Broadcast television did not require any of that. There was no way for anyone to know what TV channel you were watching, yet it still existed and was higher quality than the web. Your bullshit practice is not a right, it's a privilege.

Blocking IPs for any reason other than a temporary DDoS measure is simply an invalid practice and you do not know what you're talking about. I see this opinion so much but I'd like to imagine it's just the average lay people getting involved in subjects above their heads as opposed to the main characters but I know it's probably the latter.

1. Before that, you could not access anything at all from Tor Browser without filling out 2 captchas per website (yes two). Yes, that's SEVEN YEARS that they completely broke Tor for. Remember that Cloudflare is the #1 problem for Tor, not the NSA.

If you are okay with Cloudflare doing this shit just get out of my industry, like seriously, it's not even a moral issue, you're just wrong, it serves no purpose, but it's easy to convince laymen with bad arguments like "it stops sql injection", and is just annoying, how did you even pass FizzBuzz or whatever placebo hiring test they have these days. Don't give me any "wah software is toxic" bullshit, software industry is overly polite bunch of vastly overpaid people with sedentary minds and bodies who sit around all day who mostly don't know what they're doing. You are a bad person and deserve to feel bad.

7 comments

[ 3.4 ms ] story [ 43.9 ms ] thread
Windows UAC works just fine now. It's not like it was in Windows Vista where a lot of people just ran as administrator all of the time.

It's funny because I've yet to have had Cloudflare get in the way of an automation project but it bugs me all the time as an ordinary user.

My first case of getting seriously harassed by it though was a few weeks ago when it was blocking my access to archive.today, it wasn't being decent and telling me to buzz off, instead I was in an endless loop of "click on the traffic lights", "click on the motorcycles", ... I think it's because I have been using it a lot because my RSS reader automatically rewrites many URLs to go there.

Using the Tor browser I got different results depending on the exit node, sometimes it would just tell me I was banned, often I'd have to fill out one or two CAPTCHAs and I could see the content.

After a few weeks the problem cleared up.

Archive.today (or archive.is archive.fo whatever it's supposed to be) has had some messed up Cloudflare config since 2015 or earlier. It's not the default config the rest of Cloudflare websites have. It's not even purely "I am under attack mode" as it often failed in other ways than what a site in IAUAM would behave like.

> Windows UAC works just fine now.

What the hell how does it work, it just makes a vague popup for doing anything ever and the user has know way to know what he's being asked or whether it's normal. Almost no user will ever do anything other than click through it.

I do a lot of things that don't generate a UAC popup, I find the cases where it appears to be pretty predictable.

Arguably it's a problem that you need it to install almost any piece of software so in principle any malicious software at all can do something evil in the installer. That said Windows does have a reasonable model for people installing software just for themselves that some software actually uses.

i'm sorry but you don't know what you're talking about uac is pointless because the concept of "admin" or "root" is an obsolete boomer idea. we are never going back to shared OS, good riddance. 2GHz machines can be had for $5 from thrift stores. the only thing keeping them slow are the likes of Cloudflare who insist that the web should be viewed in a bloated proprietary way like using Firefox or Chrome (yes these are proprietary in every way other than literally since they have all the bad features of proprietary software: spyware, adware, bloat, news, "Firefox Suggest (TM)", infinite half implemented features, terrible perf due to letting websites use all these features)

uac doesn't stop malware (as in, you wont even get a popup) from sending all your files to a remote party, which is the only thing i care about as a desktop user. i would prefer if windows went back to having no users and i didn't get random "permission denied" errors while browsing my documents.

Yeah, the iPhone model where your whole digital life belongs to Apple and developers have to ask permission to go to the bathroom is so much more secure. Funny how millennials and younger repeat "a phone is a phone and a computer is a computer, silly boomer" (I'm not a boomer, I'm a member of an invisible generation that thank goddess never gets talked about by the media) even though the equivalency of computers was the first result of computer science which is proven every day by video game emulation which many of that generation are quite familiar with.

That said my wife and I have separate accounts on a laptop that had the keyboard delaminated and replaces a mac mini 2013 that recently gave up the ghost. Works fine for us. Contrast that to the iPad which I don't really know how to share, and BTW she feels about the same as touching a touchscreen the way a lot of people would feel about putting their hand in a toilet.

At work I've recently been issued a new Win 11 desktop and they have a system where any user registered against it can just log in and have their desktop materialize on that machine w/ microsoft domains. It "just works" for the most part but when I was in grad school I remember an attempt to make a Win NT cluster behave like an old-school minicomputer went so badly that the sysadmin's head exploded and he left in a huff to go get a job admining printers for the whole campus.

But yeah, the current situation with virtualization does remind me of the old days when IBM never figured out how to make a general purpose OS for the 360 and wound up coming out with the 370 that supported virtualization... Thus a typical mainframe by 1980 was running many different operating systems and if you were doing software development you would end up spinning up a VM which ran a single user OS a lot like MS-DOS or CP/M.

> I think it's because I have been using it a lot because my RSS reader automatically rewrites many URLs to go there.

this is another good point btw. any single meta thing that makes the web better like RSS or browser plugins can get you blocked by Cloudflare. Cloudflare's policy simply is bad for the web, and they have vehemently defended it for 13 years without any resistance even from so called open web advocates.

FAQ:

Q1. But bots could crawl my site and scrape my content!

They can just buy a new IP (but they usually won't need to since they can just emulate a web browser or use Selenium and this bypasses the "block", are you paying attention?)

Q2. But my website could get hacked by a malicious web request!

They can just fill out the captcha and then hack your website. Or change IP if the captcha wasn't an option (but it is in 99.99% of cases in my experience)

Q3. But this is needed to stop DDoS!

To stop DDoS you temporarily block the most taxing IPs at the IP level. You don't generation a web session, a session to a 3rd party captcha provider (who then has to generate all the same and an image) and then see offer the bot a second chance. In other words: this has nothing to do with DDoS.

Q4. It doesn't have to be perfect, it's just one layer of defense!

This is an ad hoc hypothesis. If you don't know what that means go look it up. You would not be arguing this if they did not create this policy. And there was no difference of the security of the web at large before and after this.