[paulgb]

> Cloudflare verifications are destroying the web.

This line of thinking assumes that without captchas, things that were captcha-walled would remain but be unprotected. I think the actual counter-factual is that those things would either require a nominal payment or some other harder-to-spoof-at-scale action first.

I run a service that provides arbitrary compute (Jupyter notebooks) on demand. Without a captcha, there was a period where it would have been overwhelmed by crypto miners to the point that it wouldn’t be available to anyone else.

[Aachen]

Let's start with the low-hanging fruit though. How many people have their personal blog behind cloudflare? A lot of things really don't need it, aside from being told by cloudflare that they need their protection.

Generously offering free services that incur costs for the hoster are much harder to solve, no doubt about that. You essentially can't have anonymity because, if you did, any normal user will look indistinguishable from a cryptobro. You'll need to either have them cover the costs or have pseudonymity at best.

But in instances where anonymity is fine, I share the experience from the person you're responding to: just to read resources, to browse read-only material like a normal person, cloudflare is a barrier to the open web.

[mschuster91]

> A lot of things really don't need it, aside from being told by cloudflare that they need their protection.

Anything that has a dynamic backend of any kind (or, let's be real, even stuff that's static-built) will get relentlessly hounded by hackers the very same second it's online on the Internet. Be it spammers trying to sell you dick enlargement pills or questionable supplements, pedos looking for a place they can use to host their shit, botnet operators looking for good connectivity to abuse in DDoS attacks or whatever, targeted attacks against your site by extortion gangs (very common in business), or (particularly if you're active in the gamer/streamer scene) pseudo-"trolls" that just want to cause you harm for the lulz.

The problem is, as I've written multiple times here, that our governments are doing nothing against the bad actors, their ISPs and the countries that allow them to operate. That needs to be fixed, and then we won't have to rely on Cloudflare and friends any more.

[Aachen]

I run so many dynamic things of many different kinds and cannot confirm this in the slightest.

There's the obvious things like public forums or contact forms where spammers submit messages, but "anything that has a dynamic backend of any kind" is just not true. Most things don't lend themselves for making money.

I do agree that we could do better about tackling the abuse that does happen, both by law enforcement and by sysadmins simply banning IP ranges whose abuse center doesn't make any attempt to solve the problem.

[hifromwork]

As someone who works for the government and whose team is doing nothing but fighting against bad actors, I don't think that's true. We're not doing nothing, that very unfair assessment.

It's like saying "we shouldn't have to lock our doors, but the governments are doing nothing to stop the robberies". And the internet is much more wild than the real world, IMO. The biggest obstacles to the safe internet I see are:

* Globality. Aspiring Russian cybercriminal can hack from their own basement with no OPSEC and VPN without any fear of repercussions as long as they don't bother anyone in Russia (and neighboring countries). Before COVID we used to have literal "wanted posters" (as a joke) in our office with names, addresses and photos of known cybercriminals that we could nothing to arrest, because they resided in another (usually Russian-speaking) country. Even in Europe it's not trivial, because Europol has relatively high requirements to start an international investigation and extradition, and "regular" cybercrime doesn't qualify - so one can send malware across the border as long as they want without any (real) fear.

* Velocity: there is no such thing like "bad actor ISP". I mean ok, there are so called bulletproof hostings, but in general the bad actors buy things like anyone else. The typical phishing campaign starts with criminal buying a domain (using fake data), cheap (or usually free/demo) hosting account, getting a letsencrypt certificate, uploading some fake login form HTML, now just send a few hundred thousand emails/SMS and you're done. Next day tweak some things and do the same, just with a different domain. The typical phishing campaign is live only for a few hours. There's no way a lawful country can make a proper legal decision in a few hours. And this is assuming no international cooperation - usually the server and domain are hosted by another country than the attacked country, so we're talking about contacting another country to make a legal decision in a few hours timeframe.

* Censorship fears: Ok, so a proper timely expropriation is not possible. What we have in practice is a list of more and less formal blacklists, like Google safe browsing, (extremely annoying and opaque) spam blacklists, and many lists of unsafe domains (my country provides one). In most cases the lists are DNS based, and they work great. In my country, our list is also applied by some ISPs automatically (so home users are protected as long as they don't change theit default DNS). It would work even better if every ISP applied it, and blocked malicious plaintext DNS requests on the wire, but I can already feel HN readers becoming tense as they read this (I don't like it too). We all hate censoring the internet, and want to preserve the right of normal people to be scammed by visiting a phishing website.

* Money: Having a dedicated abuse team cost money and brings no revenue. Just look at how google does it, and they are drowning in money. Imagine how responsive are smaller providers. In many cases you could as well try to contact /dev/null.

* Privacy: This rant is getting a bit long. I'll just mention that one of my colleagues (frustrated when a known criminal managed to turn off his computer and was let free later, since his disks were encrypted and there were no strong enough evidence to jail him) said "law abiding people have no reason to encrypt their disks". Of course I strongly disagree, but I share the frustration. With god-mode on the internet (the ability to read all the communication, get into any server and take down any domain) I could do so much more to help people in my country. I guess that's also what drives NSA and similar agencies to get more and more power. Unfortunately, we live in a democracy, so we have to make compromises, and I think the compromises we make (i.e. that my powers as someone fighting cybercrime are reasonably restricted) are good ones.

Personally, I think a big issue is that there are no legal repercussions for ISPs/hostings that repeatedly host malware/phishing. Even if they respond to abuse and take down something (maybe even block the account - the horror!), the same happens few days later and there's nothing that can be done. I think financial fines for gross negligence would really help to align the incentives here.

[mschuster91]

> As someone who works for the government and whose team is doing nothing but fighting against bad actors, I don't think that's true. We're not doing nothing, that very unfair assessment.

I'm just looking at the dozens of billions of dollars lost to scams in the US alone each year [1]. And that's just scams, not the other forms of cybercrime. And Europe isn't much better off.

(I won't copy your points for a quote since they're too long)

> Globality

Agreed. But Western governments, united, could mandate their ISPs and phone traffic to cut off all traffic from these countries. Most international carriers are based in the US and Europe. Guess how long India would take to dismantle their scam callcenters if cut off? A week tops. Russia wouldn't cave, but I see no reason for this country to be connected to the Internet at all, at least not as long as they are invading Ukraine. And China? They've been running rampant with espionage campaigns for years. It's time to accept this declaration of war and retaliate.

> Velocity

Oh hell yes there are bad actors. Phone providers providing connectivity to scammers and spammers, residential ISPs not acting against abuse reports and thus allowing compromised residential devices (e.g. cheap IoT crap) to continue to attack infrastructure... if I had anything to say, I'd mandate that three credible abuse reports should yield in the disconnection of any Internet participant, and that ISPs were to assist their customers in cleaning their devices. As for domain providers: mandate verification of domain names, and boot off providers that repeatedly violate this requirement. The only thing that reverses profit incentives is serious sanctions.

> Money

See above. Fine providers that don't respond to abuse requests similar to GPDR, up to 10% of yearly worldwide revenue. If they don't comply and show no credible efforts to become a good citizen of the net, cut them off.

[1] https://www.statista.com/statistics/1050001/money-lost-to-ph...

[paulgb]

Yes, I agree with you there. I think having static content be captcha-walled is generally dumb. Arguably cloudflare makes it too easy to do this (I think it’s on by default if you use them for DNS?) so I can see blaming them for it.

[michaelteter]

> How many people have their personal blog behind cloudflare?

I suspect that more people have their blog behind Medium, so that’s even lower hanging fruit.

[NicoJuicy]

Medium uses Cloudflare as far as I'm aware

[chocolatkey]

Just to add another reason why captchas are useful - a platform I operate was recently targeted by stolen CC testers that registered thousands of accounts to make the cheapest possible purchase on our site. I had to deal with the fallout, taking dozens of calls from angry people, refunding the transactions (of course you lose the transaction fee) etc. The only way to effectively stop them was a captcha on the checkout, and this is also what our payment processor, PayPal, required we do to reinstate our account. There's no other signal that can be used, user agent was random, IP was random etc.