I don't entirely disagree, but at the same time, La Liga shouldn't have this much power to shut down large swaths of the internet because of a handful of piracy sites that probably only have a minimal impact on their income anyway.
Also, CDNs have inherent economies of scale and network effects, so it is natural that there would be just a few at the top.
Only it's not La Liga censoring, it's a court order as far as I can understand from the TF article. Should the judicial system of a country have the power to shut down large swaths of the Internet after presumably due process and in accordance with the law? IMO yes.
Now, the question really turns out to be "Is a law stating that large swaths of the Internet must be censored to stop a handful of piracy sites just?"
Yeah. I think this is the elephant in the room. I keep stumbling upon "We need to verify you are a human" by Cloudflare in many sites around the web. Crazy.
I agree that having so many sites behind one CDN (and related services) is a problem, but I don't think it is the elephant in this room. Even if there were 100 very popular CDNs, having 1% of sites blocked because one user was streaming sports doesn't feel acceptable. Shared hosting has always been very popular and you have sites like Shopify, Squarespace, WordPress.com that are hosting thousands of sites.
Maybe with IPv6 it will become normal to assign each customer their own IP? But I don't see it. This also reduces privacy because we are moving towards Encrypted Client Hello in TLS but we have made no progress to hide IPs.
Anubis is effective against certain kinds of bots and abuse, but wouldn't be that effective against large scale DDoS attacks. And it does have a negative impact on usability, as users have to wait for the browser to do the proof of work, which may or may not be worse than Cloudflare's captchas.
Anubis is a partial mitigant of DDoS attacks, since it's less resource intensive to serve the Anubis page than the origin[1].
Cloudflare's captchas are only convenient for a subset of users; I'll bet there'd be decent money in one of the competing CDNs (Fastly maybe?) including an Anubis-like captcha.
Yes, it's a partial mitigator, but it isn't as complete of a solution as a CDN, for a number of reasons. For one thing, with Anubis your server is still responding to requests, so a full scale DDoS could potentially take you down without having to actually complete the PoW; they just have to make enough requests.
Using a CDN for DDoS typically has multiple levels of protection:
- Caching reduces load on your server
- In the event of a (D)DoS attack, the CDN can absorb the attack traffic with their much higher capacity than your server(s)
- The CDN can block certain kinds of attacks, especially low level (D)DoS attacks without the traffic ever touching your servers
- Since the CDN fronts many sites, it can have more information about which IP addresses and user agents are more suspicious. This one is a little controversial, because there is a conflict between getting an accurate profile of how suspicious a request is, and preserving the privacy of users.
- It may have built-in support for some kind of bot detection, such as captcha or a proof of work. IDK about the free tier of Cloudflare, but for paid offerings at least, this is usually optional.
In short, Anubis could be part of a DDoS mitigation plan, but if you are worried about a targeted attack, it probably isn't sufficient. And critical services are potentially a valuable target for attacks.
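An added example, not part of any comment in this thread and not Anubis's own code: a generic hashcash-style, stateless proof-of-work gate. It shows the asymmetry discussed above (the client does thousands of hashes, the server one HMAC and one hash) and also why the server still has to answer every request. `SERVER_KEY`, `DIFFICULTY_BITS`, `TTL` and the function names are assumptions made for the illustration.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # assumption: per-deployment secret
DIFFICULTY_BITS = 12          # constructed value: ~4096 hashes on average
TTL = 300                     # seconds a challenge stays valid

def _mac(body, client_ip):
    msg = f"{body}.{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(client_ip, now=None):
    """Server: stateless token 'expiry.salt.mac', bound to the client IP."""
    expiry = int(time.time() if now is None else now) + TTL
    body = f"{expiry}.{os.urandom(8).hex()}"
    return f"{body}.{_mac(body, client_ip)}"

def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: brute-force a nonce. Returns (nonce, hashes_tried)."""
    nonce = 0
    while True:
        d = hashlib.sha256(f"{challenge}.{nonce}".encode()).digest()
        if _leading_zero_bits(d) >= bits:
            return nonce, nonce + 1
        nonce += 1

def verify(challenge, nonce, client_ip, bits=DIFFICULTY_BITS, now=None):
    """Server: one HMAC plus one SHA-256, no per-client state kept."""
    try:
        expiry, salt, mac = challenge.split(".")
        expiry = int(expiry)
    except ValueError:
        return False                      # malformed token
    expected = _mac(f"{expiry}.{salt}", client_ip)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                      # forged, altered or wrong client
    if (time.time() if now is None else now) > expiry:
        return False                      # expired
    d = hashlib.sha256(f"{challenge}.{nonce}".encode()).digest()
    return _leading_zero_bits(d) >= bits

if __name__ == "__main__":
    ip = "203.0.113.7"                    # constructed sample address
    token = issue_challenge(ip)
    nonce, tried = solve(token)
    print(f"client hashes: {tried}, server accepts: {verify(token, nonce, ip)}")
```

A solved token can be replayed until it expires unless the server tracks used tokens, and every verification is still a request the origin must accept and process, which is the gap a CDN's upstream capacity covers.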
Also, if (when) their Captcha decides that you're a bad actor, there's literally no way around it. You can spend tons of time checking the box/trying again, but there's no way to "solve" it.
My sarcasm well is tapped, but this is why I was sus of CDNs like Cloudflare and Akamai at the outset. Yes, they’re highly convenient and enable more sites and services to weather large attacks or traffic spikes, but we willingly sunk a huge swath of the net behind a handful of for-profit entities and yet somehow expected nothing but sunshine and roses forever.
Stop. Trusting. Companies. To. Do. The. Right. Thing.
Cloudflare could’ve prevented this if they’d taken a stand on anything but profit motives, but they’ve repeatedly chosen not to. Piracy sites pay the bills just like Porn or Government sites, after all, and companies won’t turn down money unless forced to through regulation.
You seem to be implying that Cloudflare has been abusing this position of power, but then listing things it allows? Porn, of consenting adults, is actually a great example of business Cloudflare's right to take on. You may not care for it, but legal/ethical pornography is a matter only of taste. We'd be far worse off if Cloudflare was blocking content based off of personal preference.
TL;DR: "The tipping point for us making this decision [to discontinue service] was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology."
That was sort of the PR spin they put on it. If Cloudflare was drawing an ideological line in the sand, they might have discussed where that line is lest others cross it. Instead, the post talks about when they do and don't comply with law enforcement and pleads with government not to try and force them to take other websites down. Posts on Stormfront were under immense legal scrutiny and the praising of Cloudflare brings that eye on them. Reading between the lines it's very obvious that legal made the decision.
GP was discussing the larger pattern, and the larger pattern is one of inaction until there's little choice left legally speaking.
And that’s what he was getting at: if TDS hadn’t put words in Cloudflare’s mouth and kept paying their bills on time, there’s little doubt Cloudflare would have ever removed them as a customer.
Cloudflare’s consistent response to accusations it defends illicit or harmful content has been some variation of “they’re paying customers and it’s not our place to judge their content”. Which, sure, noble hill to die on and all that jazz, but also something of a cowardly defense for speech whose sole purpose is creating harm.
…that’s not what I was saying at all? Like, remotely close?
I was saying that:
* For-profit companies like Cloudflare have a vested interest in preserving as many paying customers as possible
* Their own process for getting content taken down makes it deliberately difficult to remove content, as that would harm their business model
* We have willfully chosen to sink large swaths of the internet behind companies like Cloudflare
* As a result, the only tools left to governments and the judiciary are often draconian in nature, harming innocent parties in pursuit of criminals
* We are naive to believe that any for-profit entity will act in the best interests of society, especially when those interests conflict with their profit-motives.
I think we are partially to blame for this too though. For the last 10-20 years the whole goal of a founder was to grow a business, get acquired then exit. If founders instead focused on building a sustainable business maybe we would have a more diverse tech landscape.
Nobody would fund a founder who wanted to build a sustainable business. It would have to be bootstrapped, and there are a lot of such businesses, but you never hear about them because they stay small.
Classic economies of scale. It’s a lot more efficient for one company to make one million servings of lemonade than it is for one million people to make one serving each. Even if the homemade version is “better”.
This is what happens when everyone is incented to trade low-probability risk for short-term profits. Because who would bet that a giant CDN would be blocked like this?
I agree that oligopolies are more stable than polypolies, but a huge part of why the internet collapsed into a handful of companies is how stock markets and venture capital love monopolies.