Cloudflare Lied to Me
90 days ago there was a post on here complaining about getting blocked by Cloudflare. In the comments one of their employees was collecting "Ray IDs" from people who had the same issue, and said they would look into it.
In the same comment thread I asked if they were every going to post their findings, or if this is just going into a black hole.[0] The employee promised that they would have a blog post with updates on the investigation within 90 days.
Well it's been 90 days, so I guess that was all for nothing. I've checked every blog post in the last 90 days, and none of them address this.
[0]https://news.ycombinator.com/item?id=37055418
7 comments
[ 3.0 ms ] story [ 27.6 ms ] threadThey do not care if they enable domain hijacking (happened to me)
They do not care if they kill your website (as has been posted on HN countless times)
They do not care that their "bot check" is an incredibly intrusive man-in-the-middle attack on the internet (slowing down everyone's experience)
They only care about one thing: and that is taking over mindshare and people thinking they are a great company doing wonderful things
From the article:
> We’ve spent the past three and a half years working to build a better experience for humans that’s just as effective at stopping bots. As of this month, we’ve finished replacing every CAPTCHA issued by Cloudflare with Turnstile
So who is to say that the people complaining in the original post were using Turnstile or not?
If this was supposed to be the promised post, then fine, I retract my statement, but it was not at all clear that this is what the blog post was about. I didn't really see anywhere in the post where it discussed why they were getting so many false positives, and blocking real humans. Whether that is by Turnstile or the old CAPTCHA or whatever was blocking people 3 months ago.
> So who is to say that the people complaining in the original post were using Turnstile or not?
I'm sorry if that wasn't clear, but they were all using Turnstile (either in a Cloudflare Challenge or implemented in Turnstile individually). By the time of the original post, there was no difference between the two.
> I didn't really see anywhere in the post where it discussed why they were getting so many false positives, and blocking real humans
If you take a look at the section on what we learned in the beta, we mention the two biggest sources of false positives we received during the beta period are 1) incorrect system time and 2) privacy settings that restricted the execution of third party scripts entirely. In both case, there wasn't an easy "just fix it" option, but we surface the issue obviously in the managed challenge and via a Turnstile error callback, which should allow users to see clearly what the problem is.
We've also finished rolling out (update on the blog article, which states this was in progress) our challenge feedback reports, so we can better track when groups of users are impacted in ways where they can't render the challenge in the first place. This was an area where we had difficulties understanding the scope of a problem previously, because our telemetry relies on the widget to load in the first place.
We'll continue to use the new data we're gathering to continue making reliability improvements when we find issues. Ensuring we can accurately identify human users is fundamental to the success of Turnstile as a product, so this will always be a high priority for us.
It all makes sense now, but I guess my biggest "hurdle" was knowing if those people in the original post were using Turnstile or not, and the blog post being relevant or not totally hinges on whether or not they were using Turnstile.