Privacy Pass

7 years ago (support.cloudflare.com)

I don't know how Cloudflare can on one hand fight for net neutrality [1] and on the other hand play such an active role in creating a "two-class" Internet. I understand that spamming and DoS attacks are a real problem and that they provide a solution for this e.g. using CAPTCHAs, I just think their approach will lead to a world where your IP address (and thus often your country) decides more and more how easy or hard it is to browse large parts of the Internet. Not sure how to solve this in a better way but I really don't like what they're doing here considering their recent VPN/DNS efforts, which (IMHO) seem to be part of a long-term strategy to create a "fast-track" Cloudflare-powered Internet (for those who can afford it).

1: https://blog.cloudflare.com/battleforthenet/

  • I see your point, but 10% of the world's HTTP traffic flows through Cloudflare; it is in their interest to provide a better web experience for their customers (enterprises and end-users alike).

    For instance, for my mom, if instead of being subject to endless captchas due to privacy.resistFingerprinting [0], it might be okay to use Cloudflare's VPN/extension (esp since they promise to respect privacy), be able to resist fingerprinting, and not be subject to captchas. I see this as a better of two evils, since captchas aren't going away if you resist fingerprinting or use Tor, at least not anytime soon.

    I'd like to think of this as OpenID-- even though it is bad privacy-wise (and single-point-of-failure security-wise), it was widely used for benefits to both the user and the service.

    For me, though, the endless captchas are a price I'm willing to pay. YMMV.

    [0] https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_...

  • Net neutrality is the principle that _Internet service providers_ should treat all Internet communications equally. Cloudflare is not an ISP.

    Web services like Hacker News don't have any obligation to provide everyone equal access to their site. Cloudflare works for the web services. As a web service provider, you don't have, nor should you have, any obligation to provide equal access to anyone.

    • I understand the difference between an ISP privileging network packets based on service and a CDN / content provider privileging / filtering traffic for their customers, however the result for the end user is very similar. Also, Cloudflare is much bigger than most ISPs and already serves a sizeable portion of the Internet traffic, so I don’t think they should get a free pass regarding this issue just because formally they’re not an ISP.

    • > Hacker News don't have any obligation to provide everyone equal access to their site.

      I disagree. Net neutrality to me also means that a site like HN should serve all customers coming to the site the same, and not discriminate against Tor users or VPN users, or users from a certain IP range, or users with different/non-standard user-agent headers.

      2 replies →

  • If only that. They're also forcing the hands of people that try to protect themselves from pervasive tracking online.

This is so annoying. E.g. it's not unusual to surf the web with a laptop on a mobile connection in the Philippines, but then you get all these CAPTCHAs on all Cloudflare sites with the standard configuration.

Actually this is the biggest reason I don't like Cloudflare. They are discriminating against some second/third world countries and if you don't travel much and check websites you will never know.

Many website owners are also not aware of this issue with Cloudflare. Discriminating traffic like this should at least be an optional opt-in in Cloudflare and not standard.

  • I think the discrimination against third-world countries is justified as that's the main source of clickspamming and like factories.

    • Cloudflare is for me the no. 1 company by far which is clustering up the web with their little border controls. No other company made surfing the web so complicated and annoying from distant regions of the world for me.

      And because many website owners just install and use Cloudflare with standard settings, they don't care.

      It's good that Cloudflare addresses this problem with their extension now but I had a little too much bad taste... this extension is long overdue and I still think it's not the best solution to the main problem (standard DNS settings too restricted).

    • Do you have a source for that claim? How does sharing IPs with 'like factories' and thousands of other legitimate users justify getting captcha-blocked by Cloudflare without explicit instructions from the website owners?

      4 replies →

    • Are people actually downvoting this comment just because it's not politically correct?

      I mean, you could argue that it's not fair to discriminate entire countries because of the lax abuse policy of their ISPs, but the comment is correct: that's the reason those countries are discriminated against in this context.

      6 replies →

  • Some Cloudflare-based sites show a captcha when visiting from Russia, but it is relatively rare.

When you do encounter CAPTCHAs, try out Buster [0]. It passes the CAPTCHA by solving the audio challenge using speech recognition APIs.

Google does block people from accessing the audio challenge [1] in some cases, so make sure to check if you can access the audio challenge even before installing the extension by clicking on the headphone icon within the challenge widget.

Enable user input simulation from the extension's options and install the client app to reduce the chance of a temporary block while using the extension.

If you're on Chrome, there is a pending update (0.5.2) that switches to the Wit Speech API (demo) service by default. Verify that you're using the correct service by visiting the extension's options to avoid any errors.

Please open an issue if you have experience with image recognition and you'd like to contribute towards a mode that would solve the visual challenge, or assist users by suggesting image tiles to select.

[0] https://github.com/dessant/buster

[1] https://github.com/w3c/apa/issues/25

  • Isn't this ruining the feature for people who are forced to use the accessibility feature?

    They'll improve the captcha just like they did with the basic obscured text to now making the user do image recognition for them and people who really need the accessibility won't have it that easy any more.

    I don't feel like that's a nice thing to do.

    • Google blocks people with disabilities from accessing the audio challenge, please see the second link in my original post for details. This project, while in the early stages, aims to bring attention to the human cost of the reCAPTCHA service, and helps those who can no longer cope with that cost.

      1 reply →

I suggest the link be changed to https://www.petsymposium.org/2018/files/papers/issue3/popets..., because there's serious misunderstanding in the comments.

- This is not made by Cloudflare, Cloudflare is just the first to support it.

- This does not tie anything to your IP address, this introduces an alternative to tying things to your IP address.

- This does not implement more granular tracking IDs, it implements unlinkable one-time tokens.

- This does not further Tor user blocking/inconveniencing, they're who it was made for.

Privacy Pass doesn't help when various desktop and mobile app developers host their APIs behind Cloudflare. Users end up with timeouts or other error messages that don't mention anything about being blocked by Cloudflare.

Sounds like we're getting ever closer to requiring identification before being allowed to use the Internet. Such a law would be vehemently opposed I'm sure, the question is whether we mind if a company does it and offers it "voluntarily" for those first blocked by said company.

To clarify a few things:

PrivacyPass is a third-party extension that allows a user to receive anonymous tokens that can't be tied back to them: https://privacypass.github.io/

Cloudflare supports that third-party extension so visitors can see fewer challenges.

I like Cloudflare, but it seems like we're putting more and more trust in them. Not sure if that's good.

  • This. We're centralizing all the websites to flow in the hands of one player who can decide who can or cannot access a website, not to mention the fact that they have the capability to know who accesses which website across a larger and larger portion of the net. De facto we're giving them the keys to the internet. But who's them? And who will it be in the future?

    I understand that they offer cheap solutions to very real problems, but we keep making the same mistake we made with Google and other tech giants. While they are acting in a commendable way now, I fear for how much influence they'll have when they will inevitably drop their "Don't be evil".

    • To me, another company needs to step up and try to compete in the same sector. The problem is that the alternatives, like Sucuri and Stackpath that are reasonably cheap are _terrible_. I deal with both on a day to day and it’s horrendous to deal with :/.

This seems like a play taken directly from the United States TSA/DHS with their global entry/pre-check 'services' which only exist to track people at a more granular level.

I don't understand what the motivation is to block Tor or VPNs if there are no large volumes of traffic from a specific IP. Does Cloudflare dislike anonymous users?

Also, did you see the permission list for a Firefox extension? [1] It says "Access your data for all websites".

[1] https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/

  • That permission is required for a vast set of features in chrome and Firefox extensions because of how poorly the chrome extension API was designed. So while it indeed has that permission, there are lots of things it could be doing with it that don't impact your data at all. You'd have to audit the code.

  • I think that the idea is these IP addresses are leased out, renewed, changed frequently. While I might connect to my VPN and do basic stuff... another person before me might have used it much more heavily for example. So the IP which we shared is flagged as possibly nefarious. It doesn't know I am a totally different person. Only that, in the past, someone has used this particular IP in a negative way.

So "Privacy" Pass effectively generates a unique token for every user? That results in trivial tracking again, one of the main points of using VPNs, Tor or whatever.

  • The tokens can't be correlated with a user.

    • From the linked page "Privacy Pass uses elliptic curve cryptography to generate 'anonymous' tokens after a single CAPTCHA page is solved."

      In any case - privacy implications aside - having to install an extension to get around their risk assessment algorithm going wrong seems like placing the burden in very much the wrong place.

      edit: was wrong about who created the extension

      3 replies →

How the f* does this even help at all when Google reCaptcha already "ghost-blocks" bad IPs as well?