25 comments

[ 2.9 ms ] story [ 46.9 ms ] thread
I fully agree. It's not only the waste of time when you have to confirm you're a human (that adds up to multiple hours per month).

It's also the entire blockage of older or less mainstream systems that no longer can access, sometimes critical, websites at all when the Cloudflare check blocks things entirely because the "browser is out of date" or not on their whitelist. Therefore causing excessive discrimination of poorer folks that can't afford upgrading to never/ other systems that still are legible to pass Cloudflare's "grace".

Without a market CloudFlare wouldn't be able to ruin the internet. You can thank all of the incessant AI bots for that. I can't even browse GitHub anymore without logging in.
I wish there were more information and guides being spread of free and open source systems worldwide, there is tremendous potential in upgrading "end of life" systems to use a Linux-based operating system. That way we could avoid unfathomable amounts of e-waste being dumped for no other reason than them not being commercially viable anymore and poor people could keep using their computers
What are the symptoms of being shadowbanned? I see an awful lot of "click here to prove you are human" boxes, click then, the page reloads, and I'm left with the captcha again. It's been very very frustrating.
Moreover, the most hilarious thing here is that Turnstile is easily bypassed by "patchright" (patched playwright runtime) + xvfb + good residential IP pool. So it's hurting real users and not protecting against bots.
(Note I share your sentiment, however)

Is there any data that’s supports this suggestion users with older devices are actually being discriminated? (% of users actually using older devices incapable of upgrading to browser versions supported by cloud flare)

I just find it hard to believe users are actually getting denied access because their device are old. Surely you can still run new versions of Chrome and Firefox on most things [1].

——————

[1] Don’t get me wrong I use Safari and I find it inflammatory when a site tells me to use a modern browser because they doesn’t support safari (the language more so). But I wouldn’t call it discrimination seeing as I have an opinion to run firefox/chrome from time to time.

This article is from 2016, and it should be noted that things have significantly increased since then. I no longer have to click traffic lights and motorcycles, I just have to wait a few seconds. I'm in Vietnam so my IP gets flagged for checks a lot, but they all pass automatically in a few seconds.

The only time I still get asked to click motorcycles is not Cloudflare, it's Google. They absolutely hate when you try to do a search in an incognito window and will give you an unpassable captcha until you give up and use DDG instead.

(The author runs a small ISP in an unspecified country in SEA and complains about many CF captchas.)

This may be one reason:

https://blog.cloudflare.com/ddos-threat-report-2025-q3/

Top 10 largest sources of DDoS attacks: 2025 Q3

1. Indonesia

2. Thailand

3. Bangladesh

Vietnam and Singapore also make it into the top 10. The latter is a bit of an outlier being rich and having a small population.

it's ruining the internet for everybody else
[flagged]
OP didn’t put this in the title but the article is from 2016. Turns out a lot has changed in the last decade and I think it’s likely that the article should be updated on what it’s like right now.
I have almost the same experience. I'm not running my own ISP and I'm not in a country known for originating DDoS attacks (Sweden), yet just using Firefox on Linux seems to be enough to be forced to click on traffic lights many times an hour. If I'm using Mullvad VPN that accelerates to almost every minute. CloudFlare claims to support privacy pass, but their extension implementing it seems to do absolutely nothing.
What is a better option for website owners? We don't want to keep people out, we want to keep attackers out.
It is not CloudFlare that is ruining the Internet, but the spammers and attackers. On the second level, that catching and punishing them is impractical or even impossible depending on their location.

Businesses were perfectly fine to accept the low security of 1990s email, webserver, and all the other configurations and software. They did not suddenly out of nowhere ask for more restrictions (such as email sending restricted to using the email server "officially responsible" for that domain- it used to be you could do the same as with physical mail, where you can drop letters into mailboxes writing a "From" address that was not in the same city as the mailbox location). They certainly did not volunteer to make everything much more difficult -- and expensive -- to set up and use. It also leads to a lot more work for their IT staff and a lot more user problems to respond to.

All these annoying restrictions were forced to be implemented by attacks of all kinds.

Because it is so difficult, compromises needed to be made. CFs methods are of course full of them, such as taking country and IP ranges into account. Feel free to make practical and implementable and affordable suggestions for alternative solutions. You may even get a reward from CF if you can come up with something good that allows them to cut back on restrictive policies while at least maintaining the current level of security. It is in the interest of CFs customers to be as accessible as possible, after all.

All of these problems would go away if we had micropayments. So that the user could pay for the resources they use.

The user would know that each pageview is $0.001.

The website owner would know each pageview pays for itself.

We probably could get there with some type of crypto approach. Probably one that is already invented, but not popular yet. I don't know too much about crypto payments, but maybe the Bitcoin Lightning network or a similar technology.

One of worst issues is when Cloudflare starts asking RSS reader to verify that it is human.
I can't use DigiKey without getting silent CF reCAPTCHA challenges for their CDN that break images in a non-obvious manner. Also, I get reCAPTCHA and CF ray challenges almost constantly for every website.
> CloudFlare is a very helpful service if you are a website owner and don’t want to deal with separate services for CDN, DNS, *basic DDOS protection* and other (superficial) security needs

A lot of people try to downplay cloudflare's ddos protection but it saved me so many times over the years. I honestly don't think that there exists a good solution that someone with without a lot of money and resources can leverage besides cloudflare.

It's almost dismissed in the first sentence as "basic DDOS protection" as if there is any other company that provides an ironclad solution besides cloudflare, especially free for a tiny niche community. There is none that I am aware of.

I believe the problem is not really Cloudflare or another cloud provider.

The fact is internet was built around the idea that everything should be decentralized in order to be resilient.

Resilient to attacks, resilient to outages or any form of censorship.

So, each time amazon, cloudflare (...) fails, it reminds us that nobody like SPOFs.

Blame the devs as well, lots of useless junk code and libraries for things that could've been couple lines of code that ends up bloating a site and make it slow - then they need a CDN like and caching solutions like cloudflare. 4/5 of the web wouldn't need any of it (if their sites were optimized from the start). DDOS attacks do happen, but considering the size of the web, the chance it will affect you is very low. AI bots are more of a stress test than a DDOS, figure out your bottlenecks and fix them.

E.g. for a frontend yourself a budget of 1MB for a static site and 2MB for dynamic one and go from there.

(comment deleted)