by dineshp2 3583 days ago
The fact that all traffic is decrypted at their servers makes possible caching optimizations (what most users care about) and inject content, headers. This is the best example of the centralization of the internet.

Does anyone know what Cloudflare's response was regarding them treating Tor traffic suspiciously by putting up never ending captchas?

6 comments

This is actually not just about Tor. Their definition of "suspicious" is quite liberal and naive to be honest.

As an anecdote, I get ~1 captcha per month because I live in Eastern Europe. Add to that Linux, Firefox, NoScript and you're in for a fun ride.

We are working closely with the Tor project. We made a large number of changes to reduce impact and improve the experience.
And website owners can whitelist Tor traffic to never get a captcha now too. Progress!
Trump's website throws a captcha every time I access it from Central America. This is for read only pages. I can only assume CF doesn't care too much and certainly doesn't educate customers very well.

Edit: I'll also admit I love CF as a customer. It makes things fast and easy. But it's concerning. Sorta like every time I use Google search.

Individual customers can set their security settings however they like. If you're seeing a CAPTCHA each and every time you connect to a site served by us (and are not coming from an IP with recent/excessive abuse) the site may have locked down their security settings to require this step.
I understand. But IIRC the defaults aren't so open. Plus I would expect that a site like the one for a presidential candidate would get at least a minor review and a "hey you don't need any 'security' settings here".

Jet.com had a similar issue. I'm pretty sure CF customers are not getting sufficient info/onboarding.

The default setting does not present a CAPTCHA each time. Or even most of the time.

Have you considered that presidential candidates may be subject to more malicious traffic than a typical site (and thus may consider adjusting their settings)?

> I'm pretty sure CF customers are not getting sufficient info/onboarding.

I can assure you that Enterprise customers are assigned highly technical resources during onboarding that walk them through settings. Is there a specific suggestion you'd like me to pass along?

Not insulting talented team CF has. The end result though is that viewing a static asset, a policy position, shouldn't be challenging residential users with a captcha. Whatever the cause, this behaviour is wrong. It's particularly noticeable as a ton of other static assets are served. So it's just switching the doc content for a captcha, while still returning all the images and styling.

Jet.com had the same issue - captcha every time I erased cookies, despite having my own residential IP. Till I brought it to their attention. (Maybe coincidence.)

This mirrors my own experience as a low end user. Devs in Eastern Europe would get challenged a lot until we went and whitelisted everyone.

As a former Cloudflare customer, I'm pretty sure they're getting plenty of onboarding if they take the time to really request it. I had one of the more pleasant vendor experiences with them, they happily invited us to their office, sat down and walked through the admin panel and all of the settings we could tune, describing them and providing recommended values or asking questions to figure out what the settings should be.

It's a matter of customers not bothering. You can only hold a customer's hand so closely.

Sure. But customers are not likely to realise the impact on users not in the US or otherwise "dangerous". I get captcha'd every time I clear cookies, to access static content. This is just wrong behaviour.

I highly doubt that CF customers understand. I cannot imagine them saying "yeah, I think requiring people to solve a puzzle before they read a text document seems reasonable".

I get the very real feeling, when using cloudflare-based sites over Tor, that I'm being tracked specifically by the captchas used. It's always the same two or three.
> caching optimizations (what most users care about)

Cloudflare does a really shitty job at that though, I've literally never seen them beat a reasonably configured nginx instance running on GCE or even OVH. (That is for a single instance serving both EU and US markets).

It's honestly baffling that anyone who isn't drowning in bandwidth bills would use them, but I guess antiviruses and PC optimizers are a big industry too.

eh it's a very cheap way to go around delivery speed problems - just know what the tradeoffs are and you're golden.

using subdomains one can easily partition bulk traffic which needs caching from secure traffic that requires end to end encryption, and benefit from having a tenth of server hits

sure everyone can host his caches and be better off. but that cost money, and localizing traffic to reduce latency costs even more money. hard to beat free.

>sure everyone can host his caches and be better off. but that cost money, and localizing traffic to reduce latency costs even more money. hard to beat free.

My entire comment was about refuting this.

You don't need to host your own caches to be better off, you'll be better off by simply not having cloudflare in front of your server (even for transatlantic pageloads!).