by tfha 2441 days ago
Should we be building the internet such that a single website can make it effectively unusable for any user at their arbitrary whim?

You mean, the internet that allows web property owners to elect to protect themselves from vandalism?

That sounds like a powerful use of personal choice to me -- allowed by an internet that (still) allows individuals to make choices in their own best interests.

The problem is that it's often uninformed choice. Some people at LAX, for example, decided that my whole AS has no business accessing their website. (Yes, an international airport blocking international visitors — how cute.) And Cloudflare is the enabler.

Notice that you never see Akamai presenting these messages that you've been blocked.

Most of these pages where you get blocked are something that looks entirely static, should be cachable with the most basic nginx if dynamically generated, yet Cloudflare tells everyone that they need to protect such content from the users. (Some of their newer competitors that protect from more "bots" are even worse, BTW.)

I don't use CF. I'm running some mail services, but I do block entire ASes after 5 brute force attacks from different IP addresses from the same AS, regardless of country of origin. These are always modems / routers left with the default password, IP cameras with the default password, various IoT devices with the default password, or all of the above with vulnerable firmware with CVEs dating way back. I think that if you are unable or can't be bothered to change the default password for your device you don't deserve internet access. There is much need for something like natural selection on the internet. It is getting too crowded out there.
An AS with an /8 is decidedly different from an AS with a /24. There could easily be millions of complete strangers behind a single ISP AS. Not saying you can’t choose whatever criteria for your service, but trying to pass off five-different-attacker-IPs-per-AS as fair is silly.

Edit: Even the CIDR block size isn’t a good indicator of the actual network size, due to NAT.
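
Added example, not part of the thread and not any commenter's code: the "5 distinct attacker IPs per AS" rule from the comment above, next to the share of each AS's address space those attackers represent, which is the size difference the reply points to. The prefix-to-ASN table, the ASNs, the log addresses and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-ASN table (private-use ASNs, reserved address ranges).
PREFIXES = [(ipaddress.ip_network(p), asn) for p, asn in [
    ("198.51.100.0/24", 64500),  # small network: 256 addresses
    ("10.0.0.0/8", 64501),       # large network: 16,777,216 addresses
]]

# Constructed failed-login source addresses, as a mail server might log them.
FAILED_LOGINS = [
    "198.51.100.7", "198.51.100.9", "198.51.100.7", "198.51.100.23",
    "198.51.100.40", "198.51.100.41",
    "10.1.2.3", "10.9.8.7", "10.200.0.1", "10.44.0.5", "10.77.1.1",
    "203.0.113.5",  # no matching prefix in the table: ignored
]

def asn_for(ip):
    """Longest-prefix match against the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, asn) for net, asn in PREFIXES if addr in net]
    return max(hits)[1] if hits else None

def attackers_per_asn(ips):
    """Map each ASN to the set of distinct source addresses seen."""
    seen = defaultdict(set)
    for ip in ips:
        asn = asn_for(ip)
        if asn is not None:
            seen[asn].add(ip)
    return dict(seen)

def blocked_asns(ips, threshold=5):
    """The rule from the comment: block once `threshold` distinct IPs attack."""
    return {a for a, s in attackers_per_asn(ips).items() if len(s) >= threshold}

def attacker_share(ips):
    """Distinct attackers divided by the addresses in the AS's prefixes.
    As the reply's edit notes, NAT makes prefix size only a rough proxy."""
    size = defaultdict(int)
    for net, asn in PREFIXES:
        size[asn] += net.num_addresses
    return {a: len(s) / size[a] for a, s in attackers_per_asn(ips).items()}

if __name__ == "__main__":
    print("blocked:", sorted(blocked_asns(FAILED_LOGINS)))
    for asn, share in sorted(attacker_share(FAILED_LOGINS).items()):
        print(f"AS{asn}: {share:.7%} of address space seen attacking")
```

Both networks trip the flat threshold, although the five addresses are about 2% of the /24 and a vanishing fraction of the /8.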

Their AS blocking functionality is based on the free "maxmind geoip2 ASN" database; LAX could have chosen to set up an nginx module or site middleware to perform the same block. CF's service offering is making this configuration easier and shifting things like having to update the DB onto CF.
And how's that any better? What's the likelihood that LAX would bother to block my AS if it wasn't a simple click courtesy of Cloudflare?

It's like that IBM saying: no-one's been fired for buying IBM. Doesn't make it a good choice, though.

How exactly can one vandalize a static web page?

The worst I've seen is the SPIN website which always requires a captcha.

Cloudflare is just one more middleman extending their tentacles over the web.

> web property owners

WTH is this newspeak, just say website owners.

> a single website can make it effectively unusable for any user at their arbitrary whim

CF is a free service. Websites can choose to use it or not, and it certainly does not dictate the nature of the internet.

Neither the world nor the internet is this black and white. And Heartbleed begs to differ.
I'm not suggesting anything is black and white. No idea why you brought up Heartbleed. You're free to choose to use free services, open source software, public resources etc. or not. That's not black and white, it's a bunch of choices you can make about resources without requiring money.