Comment by kube-system
3 years ago
Why is this Cloudflare's problem to fix?
If you get locked out of your hotel room, do you call Assa Abloy to complain?
Complain to the site that their site doesn't work. They are the ones that install and configure their security software.
The analogy doesn't apply because a hotel has an override using a master key. In this case, the website, hopefully, would just open a support ticket with CloudFlare, and add a level of indirection that likely means my HAR file wouldn't even make it to CloudFlare. However, I think you make a good point that reporting to the website will put more pressure on CloudFlare or the website owner may choose a different vendor that has fewer problems. I think it's worth reporting to both in this case.
Now that CloudFlare has engaged with this problem, I'll give them some time to try to fix it, and if they don't, I'll start complaining to every website that uses this CloudFlare feature.
> The analogy doesn't apply because a hotel has an override using a master key.
Website operators can override Cloudflare the same way.
https://developers.cloudflare.com/waf/tools/ip-access-rules/...
I don't know why you're getting downvoted. I think what you're saying makes a lot of sense.
Websites are generally presumed open for business, not get-a-contract-first like a hotel room. A better analogy would be a shop front with an 'open' sign in the window.
An increasing number of shops on the street have locks that silently open if you look like the right kind of person, but lock if you don't look right.
And most people look right, so they don't even realise the lock is there.
Most websites are not clear-net. But regardless, people who do not fit social appearance norms are routinely not welcomed in businesses, often legally.
Here are some real-life equivalents to a web application firewall:
https://www.flickr.com/photos/ibran/595450232/
https://www.manythings.org/signs/im/shirt_and_shoes_required...
https://media.istockphoto.com/photos/restaurant-dress-code-p...
There are countless services that do what CloudFlare is doing,
but not a single one has the false positive rate that Cloudflare has.
Cloudflare only accepts the very standard users, and locks a lot of others out. And then they offer no convenient way to prove you're a legitimate user, to access the website.
And they have to fix it, because they sell their protection to admins who don't want to set it up themselves. They have the knowledge and are tasked to do that.
That is not at all true. Many other WAF or similar anti-abuse configurations are much more ham-fisted. It is not uncommon for some to block entire countries, or block any IP ranges belonging to known VPNs, proxies, and Tor.