[ridgewell]

Is the situation improved by using the Privacy Pass add-on [1] from Cloudflare?

Supposedly:

>Privacy Pass is a Chrome/Firefox browser extension to make browsing Cloudflare-protected websites a better experience for users. In particular, if a user IP address is designated to have a poor reputation then the user may have to solve a Cloudflare CAPTCHA page before they can gain access to such websites. Privacy Pass uses elliptic curve cryptography to generate 'anonymous' tokens after a single CAPTCHA page is solved. These tokens can be used in future engagements with Cloudflare websites to prevent having to solve more CAPTCHAs. The extension generates 30 tokens for each CAPTCHA solution and thus can be used to reduce CAPTCHA pages for each user by a similar factor.

[1] https://support.cloudflare.com/hc/en-us/articles/11500199265...

[skrebbel]

So wait, "we shipped a bug, so we made a browser extension that lets you circumvent the bug". That's cloudflare's answer? I'm not impressed.

EDIT: people seem to be confused as to what bug cloudflare shipped. The bug is not having people solve captchas because their IP has a bad reputation. It's having them solve it over and over again.

You can put it however you want it, but if my app's UX is fine without cloudflare and it's shit with cloudflare, for a small but significant percentage of my users, then CF has a bug.

[sjwright]

Thwarting denial of service attacks isn’t a bug.

You seem to be confused about what your rights are around website availability. Hint: you have no rights. Absent specific coercion by government, the owner of the website had all the rights. If she wants to require you to solve a Where’s Waldo first, that’s her prerogative. Your choice is to accept the terms or go elsewhere.

[therealmarv]

It's discrimination by country/region. It's like saying: oh, you are from Africa or Asia. The chance is higher you are a criminal, so do this test first.

[optimiz3]

Which is completely legal and encouraged. Here's an example: if you've ever shipped an ad-monetized free app, you've probably disabled regions like Russia, Iran, North Korea, etc.

You know why? Because the ad-revenue is worthless (and often malicious) and the users will be more trouble than they are worth. Same thing is happening with net traffic from other low value regions. One star reviews because users from $banned_region are complaining about lag due to their crappy wifi and/or some other issue you have no control over (defective ram in their 6 year old 2nd hand phone comes to mind)? Sign me up!

[asdfasgasdgasdg]

Another example: on Ebay, one bit of bog standard anti-fraud advice is prohibiting international bids. This is because the overwhelming majority of bidders living in certain countries are fraudsters. The tiny slice of legitimate traffic attempting to make international purchases is not worth the massive increase in exposure to fraud risk.

[saagarjha]

I believe selling your products in some of those counties can get you in legal hot water as well.

[cthaeh]

The hate for poor people in this comment is insane.

[sjwright]

If insane is a new word for nonexistent

[cnst]

And the problem is worse because, apparently, even solving the captchas repeatedly from a given IP address doesn't make it whitelisted, either. So, it fits the very definition of discrimination against a whole wider group, where the individual actions of any individual actors don't matter.

[dfcowell]

I’ve lived in Vietnam for the past 5 years and experienced these issues first hand. I’m also part of the team responsible for maintaining a relatively aggressive set of Cloudflare WAF rules at my current employer.

In these developing countries, great swathes of users are accessing the internet behind carrier-grade NAT.

This makes it increasingly likely that any individual user is sharing a public-facing IP with one or more bad actors.

In my experience, I’ve never had to solve more than one CAPTCHA per domain, and frankly clicking a checkbox isn’t that hard.

As far as discrimination goes, this is a much friendlier solution than just immediately rejecting connection requests from certain CIDRs, which is what would otherwise be happening.

[yjftsjthsd-h]

> In my experience, I’ve never had to solve more than one CAPTCHA per domain, and frankly clicking a checkbox isn’t that hard.

If it were that easy, there would be little complaint; the complaints seem to be that people get stuck on capchas indefinitely.

[bogomipz]

>"In these developing countries, great swathes of users are accessing the internet behind carrier-grade NAT."

Do you have any citations that CGN is any more prevalent in developing counties than in say Western Europe or the US? The last report from RIPE that I read indicates CGN usage in substantial in both the RIPE and APNIC regions.[1] How would IPv4 resource exhaustion be an economic issue?

>"In my experience, I’ve never had to solve more than one CAPTCHA per domain, and frankly clicking a checkbox isn’t that hard"

I imagine if you are personally "responsible for maintaining a relatively aggressive set of Cloudflare WAF rules" as you stated, you've probably become quite proficient at solving CAPTCHAs. I think people that don't mind jumping through hoops are a minority. Also just even if something isn't hard does not mean its any less annoying and degrading of the user experience. Those things are not mutually exclusive.

[1] https://ripe73.ripe.net/presentations/21-ripe73_cgn_richter....

[Thorrez]

>1.The IP address you are on has shown problematic activity online recently in one of our data sources. If you would like to look your IP up, then please look your IP up at Project Honeypot. If the IP address shows data for malicious activity, you can see why there. You can also attempt to whitelist your IP directly on that page by connecting from that IP. If no bad activity is seen from the IP address after a two-week period, then the challenge behavior will stop against that IP address.

https://support.cloudflare.com/hc/en-us/articles/203366080-W...

[Aeolun]

Probably because those IP’s cycle, or get shared between a number of people. If you know that the IP has switched between illegitimate and legitimate 10 times before, you can’t just assume that it’s now valid after one captcha.

[adventured]

Discrimination by country/region often makes tremendous sense.

I tell Cloudflare to block all traffic from China because my services derive zero contribution and zero potential value from the Chinese market. The maximum potential positive contribution from China is near zero. The overwhelmingly likely contribution from China is attacks from within the country.

So, to summarize, in my particular case China provides nearly zero positive value and China is simultaneously one of the biggest attack origin countries. It would be the wrong decision to not aggressively discriminate against their traffic: I lose, in real terms, absolutely nothing from blocking all Chinese traffic.

[oceanplexian]

I’ve been in the same boat with my startup, 99% of SSH logins and lame, phpmyadmin-style attacks came from China. However I would ask is what you’re doing really good for humanity? I don’t personally think it’s ethical to block entire countries or regions from a service. China may not provide value to you, but you may provide immense value to people in China.

Maybe it would help you to travel the world more, but once I did I had a different view of things. The internet is truly a global entity, and the more we can do to keep the Internet unified the closer we can bring the planet together. To me that’s a much more important goal than short term profits or mitigating trivial attacks with poorly thought out geo-restrictions.

[souterrain]

Except that it is quite likely the best quality Chinese attacks come from compromised machines in the United States.

[marcus_holmes]

there is still value in screening out all the low-quality attacks, though

[GetOutOfBed]

Are you saying that OP is trying to do denial of service attacks? Stopping random users from accessing web sites isn't thwarting a DOS attack. If they classify random users as part of some bot net, it sounds like their algorithms are buggy.

[sseveran]

I completely agree the website owner has the right to run whatever they want, so thanks for saying that as its something that too often gets overlooked.

At this point I basically refuse to use things with recaptcha or the stupid little cloud flare dots. I just close the tab and move on. I am just so tired of little dots, storefronts, cars, etc...

[lilyball]

You calling this a "bug" makes it sound like you expect Cloudflare to violate your privacy by tracking which websites you've visited in order to determine that you're not a threat. It sounds like the point of Privacy Pass is the only information it gives Cloudflare is that you've solved a Captcha recently but otherwise provides no information about where you did it (beyond the fact that it's a Cloudflare property).

Given the fact that they've resorted to providing an extension to do this, this suggests that they've deliberately engineered their services to not have access to that data internally, and that's a good thing.

[unityByFreedom]

If captchas are a bug, try running your own popular web service, and good luck keeping away the spam.

An extension is easy to install and is a reasonable way for the CDN to verify that you're not a spammer without requiring you to repeatedly prove it whenever your IP changes.

[cnst]

Your comment would make perfect if this whole captcha thing was required in order to post comments.

But they require it for static-like content that any decent site should be serving from cache.

[tfha]

Should we be building the internet such that a single website can make it effectively unusable for any user at their arbitrary whim?

[pjkundert]

You mean, the internet that allows web property owners to elect to protect themselves from vandalism?

That sounds like a powerful use of personal choice to me -- allowed by an internet that (still) allows individuals to make choices in their own best interests.

[cnst]

The problem is that it's often uninformed choice. Some people at LAX, for example, decided that my whole AS has no business accessing their website. (Yes, an international airport blocking international visitors — how cute.) And Cloudflare is the enabler.

Notice that you never see Akamai presenting these messages that you've been blocked.

Most of these pages where you get blocked are something that looks entirely static, should be cachable with the most basic nginx if dynamically generated, yet Cloudflare tells everyone that they need to protect such content from the users. (Some of their newer competitors that protect from more "bots" are even worse, BTW.)

[mdkdog]

I don't use cf, I'm running some mail services but i do block entire AS's after 5 brute force attacks from different IP addresses from same AS regardless of country of origin. This are always modem / routers left with default password, IP cameras with default password, various IoT devices with default password or all of the above with vulnerable firmware with CVE's dating way back. I think that if you are unable or can't be bothered to change the default password for your device you don't deserve internet access. There is much need for something like natural selection on the internet. It is getting to crowded out there.

[oefrha]

An AS with an /8 is decidedly different from an AS with a /24. There could easily be millions of complete strangers behind a single ISP AS. Not saying you can’t choose whatever criteria for your service, but trying to pass off five-different-attacker-IPs-per-AS as fair is silly.

Edit: Even the CIDR block size isn’t a good indicator of the actual network size, due to NAT.

[judge2020]

Their AS blocking functionality is based on the free "maxmind geoip2 ASN" database, LAX could have chosen to set up a nginx module or site middleware to perform the same block. CF's service offering is making this configuration easier and shifting thinks like having to update the DB onto CF.

[cnst]

And how's that any better? What's the likelihood that LAX would bother to block my AS if it wasn't a simply click courtesy of Cloudflare?

It's like that IBM saying: no-one's been fired for buying IBM. Doesn't make it a good choice, though.

[blub]

How exactly can one vandalize a static web page?

The worst I've seen is the SPIN website which always requires a captcha.

Cloudflare is just one more middleman extending their tentacles over the web.

[knolax]

> web property owners

WTH is this newspeak, just say website owners.

[unityByFreedom]

> a single website can make it effectively unusable for any user at their arbitrary whim

CF is a free service. Websites can choose to use it or not, and it certainly does not dictate the nature of the internet.

[lugg]

Nor the world or the internet is this black and white. And heartbleed begs to differ.

[unityByFreedom]

I'm not suggesting anything is black and white. No idea why you brought up heartbleed. You're free to choose to use free services, open source software, public resources etc. or not. That's not black and white, it's a bunch of choices you can make about resources without requiring money.

[faitswulff]

The author runs an ISP. Is this extension for the end user or can it be used at the ISP level for all affected IP addresses?

[auslander]

> .. to generate 'anonymous' tokens

Yeah, right. I think double quotes is more appropriate here.