Comment by Hizonner
3 years ago
Using a "non-mainstream browser" is not in fact an indicator of malicious or even "annoying" behavior. It's almost certainly not even statistically associated. In fact, if you're going to build a bot that impersonates a browser, the natural choice right now is to impersonate Chrome. And there are frameworks available for puppeting Chrome.
What they seem to be doing is just presenting a CAPTCHA to anything at all unusual. Which is actually kind of strange, given the vast amount of raw data available to them. They should be able to learn real indicators.
I'm actually not even sure Cloudflare is primarily responsible for most of this... exactly. The problem is more likely that Cloudflare gives its users a lot of knobs to twiddle, and most of the users are probably not up to twiddling them correctly. That could be the main source of these problems.
And there are so many possible combinations that it would be hard for Cloudflare to really test them, or even think about how all the knobs might interact.
Taking away knobs would be a good start, but there may be reasons they don't think they can do that. Probably reasons that are more about their customers' perceptions than about their customers' real needs.
Come to think of it, isn't one of those knobs the ability to turn off PrivacyPass? I don't have access to a Cloudflare account at the moment, but I seem to remember that it was.
> Using a "non-mainstream browser" is not in fact an indicator of malicious or even "annoying" behavior. It's almost certainly not even statistically associated. In fact, if you're going to build a bot that impersonates a browser, the natural choice right now is to impersonate Chrome. And there are frameworks available for puppeting Chrome.
It definitely is. And there are even bot detection services that can detect puppeted Chrome installs pretty reliably (I ran into that when I tried to scrape some data about the housing market). Blink, WebKit, and Gecko are the only common browsers and the rest is a long tail. If you pick an uncommon browser (Lynx, Ladybird) you're an outlier in most automated scans but still end up with a smaller total browser market share than even the small bots. Another reason to be suspicious of uncommon clients is that puppeted Chromium builds with special flags to prevent bot detection don't run on a hacked security camera/router/TV box/NAS/IoT box.
If you're being extorted by someone who paid $50 to DDoS your business for a month, you're going to turn up the DDoS protection knobs. The annoying tracking, cyberstalking and CAPTCHA services are mere symptoms of the underlying problem.
I wouldn't want to use an internet where Cloudflare doesn't give you knobs to turn. You'll end up with websites either not being protected from DDoS attacks or several layers of CAPTCHAs for everyone. Sometimes you need to turn up the protections when the defaults don't work well enough but the defaults shouldn't be high enough to cover those scenarios.
> It definitely is.
Is an independent indicator, or is statistically correlated?
> And there are even bot detection services that can detect puppeted Chrome installs pretty reliably (I ran into that when I tried to scrape some data about the housing market).
Interesting. The arms race continues...
> Blink, WebKit, and Gecko are the only common browsers and the rest is a long tail. If you pick an uncommon browser (Lynx, Ladybird) you're an outlier in most automated scans but still end up with a smaller total browser market share than even the small bots
The post I was responding to was calling Firefox an "uncommon browser".
> If you're being extorted by someone who paid $50 to DDoS your business for a month, you're going to turn up the DDoS protection knobs. The annoying tracking, cyberstalking and CAPTCHA services are mere symptoms of the underlying problem.
Wouldn't most Cloudflare users prefer that Cloudflare notice that attack, adjust the settings by itself, and send them an email saying "You appear to be under attack; we've enabled X, and lowered the thresholds for Y and Z"? And then notice when the attack seemed to be slowing down, and put things back the way they were?
I'm normally not a fan of machines acting like they know better than I do... but the machines probably do know better than Cloudflare's average customer.
At the very least, they could probably find ways to discourage people from messing with knobs they don't understand, and more ways to make the specific costs obvious, even if those knobs ultimately stayed available.
It's not a matter of "why", it's a matter of "how". Cloudflare could have done way less intrusive and nerve-wracking DDoS protection. But no, they had to make people suffer.
Also, I'm using the Falkon browser every day - ever heard of that? I have to switch my user agent to be allowed in some places, which is ridiculous.
Can you think of a feasible alternative?
> Using a "non-mainstream browser" is not in fact an indicator of malicious or even "annoying" behavior. It's almost certainly not even statistically associated. In fact, if you're going to build a bot that impersonates a browser, the natural choice right now is to impersonate Chrome
This is a good point.
Bots are going to try to make their traffic look as legit as possible, which means spoofing the most common browsers with the most common setups.
So if a User-Agent is reporting that it's running Firefox, it's actually more likely that it's legit traffic, as bots wouldn't try to pretend to be an uncommon setup.
It isn't a good point though. The problem isn't that a user might be malicious because they are or are not running Chrome, the problem is that you chose Firefox and that comes with compromises, just like picking Chrome comes with compromises.
The "non-mainstream browser" comment is about zigging when the overwhelming majority of people zag. It's a self-inflicted problem.
Don't like it? Pick a different set of compromises, whether that's using Privacy Pass or a Chromium-derivative browser. God forbid people work on the problem itself rather than just complain that they don't like compromising.
You can't demand "taking away knobs" with taking away control of the end user on CloudFlare whilst simultaneously lamenting that using Firefox (browser choice is a "knob") yields compromises. It's hypocritical.
Why shouldn't people be free to deny Tor users access to their server? Why shouldn't people be free to self-inflict their set of compromises on themselves with their choice of browser? Why shouldn't people be free to mitigate brute-force attacks? It may not align with your views or beliefs, but that service provider is free to do as they please within the extent of the law. Doesn't make it ethical, but your access to the service depends on x.
Life is compromise.