Ask HN: Why does Cloudflare not remove reported phishing sites?

[justmarc]

Roughly a week ago, after a physical theft of a phone I reported a phishing site pretending to be Apple/iCloud.

This is not some random cyber-only phishing attempt, instead, this one is operated by a real world criminal gang associated with the physical theft of devices, then further attempting to gain access/unlock said devices.

It is yet to be removed from Cloudflare's service.

1. Why? 2. Why are they judged by a different standard?

Thanks

[xxdesmus]

I run the trust & safety team at Cloudflare.

In the vast majority of cases, Cloudflare is not the hosting provider of a website resolving to our IPs. In those cases we have no capacity to remove content hosted by others. In those cases we can place a phishing warning page (like Google safe browsing) to warn and educate users that they were nearly phished. If we simply terminated a website it would not remove the content, and the user wouldn’t learn or realize they almost just got phished. It’d be the worst of both worlds. In the rare case where we are the host we place a non-bypassable block in front to make protect users.

[bilekas]

> 2. Why are they judged by a different standard?

This feels like a frustrated dig at cloudflare for not acting faster. Probably not necessary.

Its usually a few days so maybe you have more info on how long you've waited ?

For your answer, I guess you have to fill in the report : https://abuse.cloudflare.com/phishing

If you have done that there is a review process, I don't know the numbers but I can't even begin to imagine the amount of false requests they get and so they would need to all be verified (or maybe aggregated based on amount of requests but this is just a guess).

So long story short, it's a huge company with a lot of requests for sure and things take time.