Cloudflare takes legal action over LaLiga's "disproportionate blocking efforts"

9 months ago (broadbandtvnews.com)

Some context the article misses: there's a court order that allows the Spanish Football League to block websites which may be unlawfully broadcasting football, and the ISPs have to comply. Since Chrome activated ECH, LaLiga requested the order to be expanded to block individual IPs, to which the court happily obliged, and this order is being used to block Cloudflare's IP ranges.

The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play. This is a breach of the court order itself, which clearly states that "no unrelated sites may be affected", all while the court order itself is probably illegal as well. And, of course, IPTV pirates found ways around the block.

bandaancha.eu is doing a fantastic job on the reporting of this.

  • >The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play.

    At the risk of non-Spaniards being unable to understand: that's the most pandereta thing I've heard this year so far.

  • More context: Telefónica used one of its group companies to file a complaint against itself and all other telecom operators in Spain, instead of filing a complaint against Cloudflare. As the operators, including the plaintiff Telefónica, acknowledge and accept the claims, the judge granted the measures.

  • > The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play.

    Aaah, this explains some stuff. I'm on holiday in Spain right now, and a bunch of little blogs and similar sites just don't work at all for some reason. I bet they're hosted on Cloudflare Pages or using Cloudflare as a CDN layer.

    I assumed it was just the hotel WiFi doing something weird!

  • I think the Cloudflare issue only happens with Movistar/Digi. At least in my case I couldn't use GitHub yesterday.

    • Orange and Vodafone are also implementing the blocking but users are not noticing because they are doing it wrong: instead of blackholing the IPs or only blocking when connecting through ECH, they are blocking by DPI the access when using the IP address as the SNI/Host header.

        # curl http://104.21.16.1
        <META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Expires" CONTENT="-1"><html>Por causas ajenas a Vodafone, esta web no est� disponible</html>
        # curl http://104.21.16.1 --header "Host: blockedsite.com"
        error code: 1001
      

      (1001 is the expected output from Cloudflare)

      Which is really useless, but I guess fulfills the court order (pandereta meets undefined specifications).
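
Added example, not part of the original comment: a small Python classifier that takes the response bodies from the two `curl` probes above (IP literal as Host, site name as Host) and tells the blocking behaviours described in this sub-thread apart. The function names and result labels are assumptions made for illustration; the sample bodies are constructed from the output quoted in the comment.

```python
import re
from typing import Optional

# ISP notice as quoted in the comment. The accented character arrived garbled
# there, so accept any one or two non-space characters after "est".
ISP_NOTICE = re.compile(r"Por causas ajenas a (\w+), esta web no est\S{1,2} disponible")
# Cloudflare's reply as quoted in the comment: a bare "error code: NNNN" body.
CF_ERROR = re.compile(r"^\s*error code: (\d{4})\s*$")

# Constructed samples, built only from the strings quoted in the thread.
SAMPLE_IP_AS_HOST = ("<html>Por causas ajenas a Vodafone, "
                     "esta web no est\ufffd disponible</html>")
SAMPLE_NAME_AS_HOST = "error code: 1001\n"


def classify(body: Optional[str]) -> str:
    """Label one HTTP response body; None means the probe got no answer."""
    if body is None:
        return "no-response"
    m = ISP_NOTICE.search(body)
    if m:
        return "isp-notice:" + m.group(1)
    m = CF_ERROR.match(body)
    if m:
        return "cloudflare:" + m.group(1)
    return "origin-or-other"


def diagnose(ip_as_host: Optional[str], name_as_host: Optional[str]) -> str:
    """Compare the two probes sent to the same IP address.

    ip_as_host   -- body received when the Host header is the IP literal
    name_as_host -- body received when the Host header is a site name
    """
    a, b = classify(ip_as_host), classify(name_as_host)
    if a == "no-response" and b == "no-response":
        # Nothing comes back for either probe: consistent with blackholing.
        return "ip-blackholed"
    isp_a = a.startswith("isp-notice")
    isp_b = b.startswith("isp-notice")
    if isp_a and isp_b:
        return "isp-notice-for-all-hosts"
    if isp_a and b != "no-response":
        # The case from the comment: only the IP-literal Host is intercepted.
        return "dpi-matches-ip-literal-host-only"
    if not isp_a and not isp_b and "no-response" not in (a, b):
        return "not-blocked"
    return "inconclusive"


if __name__ == "__main__":
    print(diagnose(SAMPLE_IP_AS_HOST, SAMPLE_NAME_AS_HOST))
```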

    • They've been routinely blocking GitHub, I think because there are several repos tracking lists of IPTV streams? I often have to VPN to the US just to access my open-source repos.

    • So "only" the biggest broadband provider in the country :)

      I've seen reports that Orange may have imposed the block as well, which is the #2 provider. Definitely a nontrivial slice of the population

  • As if one would need more reasons to hate football. It's a disgrace; here in Italy last year there was flooding in the center, some matches had to be postponed, people were digging up sand, basket clubs complained in silence, but there were some clubs like AC Milan trying to bitch about their important matches and league points, something that a person with common sense would never think. For real, people digging sand, people dying, and they had the guts to complain about their league points. They're psychos.

  • This previously happened in Italy, and was quickly undone as "a mistake" after being called out.

    I see in Spain it isn't a mistake.

  • > court order itself probably being illegal as well

    How so?

I can't find a violin small enough for cloudflare here. They're known for ignoring abuse and now they want to retaliate for someone blocking them like they're some kind of required utility provider? Maybe it's time for legal action from all the people randomly blocked by cloudflare without recourse?

  • There's no violin small enough for LaLiga.

    What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?

    The only saving grace here, is that premium broadcasts kinda succeeded in getting the fans, rather than corrupt politicians and the state, to mostly fund the entire scheme that is the sport.

    Other than that, cry me a river with how much we allow football to bend (and break) so many of our laws and regulations (not to mention ethics and decency).

    • It is CloudFlare that should be shutting down websites to comply with the law. If they did that, LaLiga wouldn't need to resort to a bigger hammer.

      Needless to say, companies should comply with the law of the place where they do business.

    • >What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?

      It could be that CloudFlare does absolutely nothing to aid any site, big or small, when asked to stop hosting & concealing blatantly malicious origins. I don't even care who it is at this point, at least someone is causing problems for CF who, frankly, behave as if they're untouchable.

      Literally every scam site I've checked out in recent years, pretending to be a government entity, or parcel delivery service, in order to defraud millions from those not blessed with much technological literacy, has been hidden behind CF. Their responses are excruciatingly slow, if they even do anything at all. Usually they don't.

    • It's not blocking hundreds of services, it's blocking one, Cloudflare. A service that routinely is used to share copyright material.

  • Depends on the kind of abuse. Acting as if CloudFlare is providing bullet-proof hosting and carrier services would be insincere. I have had CloudFlare suspend accounts within 18 hours of reporting.

  • > people randomly blocked by cloudflare without recourse?

    Cloudflare does not randomly block access to sites that don't deal with Cloudflare.

    Cloudflare customers buy blocking service to their sites from Cloudflare. Any randomness there is just a customer service issue.

    • They buy a service which should block a specific type of traffic, for example bots or attacks. I don't believe any of their customers have purchased a "block a random version of a specific browser" plan. The fact this is occasionally treated as a bug and fixed confirms that idea.

      If the customer specifically set a header match to block some Firefox variant, people wouldn't complain to cloudflare about it.

    • You covered everything except the most important case: Cloudflare blocks innocent people trying to access websites protected by Cloudflare.

      For instance they block me because I'm behind CGNAT and because some of the millions of machines also behind that CGNAT once did something unsavory.

      I'm not a customer of Cloudflare, so I have no one to call, I just get blocked from endless websites or have to click a checkbox, solve puzzles and suffer other indignities because I'm using a reputable and popular ISP in my country.

      Fuck Cloudflare. They're accelerating the utter shittiness of the web because of their indiscriminate solutions to web malfeasance, which are worse than the disease.

  • For what it's worth I think Cloudflare and a few other ultra-large CDNs should be considered a utility provider, given that it is very difficult to exist in the Internet without their protection - no matter if you're just running a damn blog or an online forum, you'll get hounded by hordes of automated scanners looking to exploit you the very second a 0day appears. And if it's an online forum, chances are high someone will be pissed off by some moderation action and just buy a DDoS to shoot you off the 'net.

    (In the end I think governments should finally hunt down and eliminate abusive netizens, but waiting for that to happen is pointless)

    •   curl ipinfo.io/`dig +short news.ycombinator.com`
        {
        "ip": "209.216.230.207",
        "hostname": "news.ycombinator.com",
        "city": "San Diego",
        "region": "California",
        "country": "US",
        "loc": "32.7157,-117.1647",
        "org": "AS21581 M5 Computer Security",
        "postal": "92101",
        "timezone": "America/Los_Angeles",
        "readme": "https://ipinfo.io/missingauth"
        }
      

      Impossible to survive on the internet...

    • > no matter if you're just running a damn blog or an online forum, you'll get hounded by hordes of automated scanners looking to exploit you the very second a 0day appears

      This will happen to you if you use Cloudflare as well, _unless_ you enable (at least) the automatic captcha, which then annoys users and disallows privacy-focused people from visiting your site.

      To effectively stop committed DDOS you'll need CF enterprise, which filters out private blogs etc by price. The WAF options definitely make it easier to fight simpler DDOS attacks, but even then you'll need to know what you're doing.

    • Seconding that anything this big should be nationalized. That said, the internet still worked before cloudflare. The threat of a banned troll DDoSing your forum has been a risk for 30 years, yet the flourishing golden age of forums was before anyone had heard of cloudflare.

      Add in their centralized panopticon of mass decrypted traffic and it becomes undeniable CF is an enormous net negative to the internet and society at large.

  • Maybe you don't care about Cloudflare, but a lot of small sites use CF, and they're getting blocked. I'd feel bad about those sites.

    Anyway, read the rest of the responses here giving context; the issue has more nuance than you seem to realize.

While massive overreach in the name of fighting piracy is very on-brand for LaLiga, this seems pretty wild, even for them. I can't help but wonder if perhaps they didn't realize quite how many unrelated, legitimate sites/services that their citizens use would be affected by this.

I think burns/jokes about Cloudflare are missing the point. It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block. The block included things like Redsys, a major payments processor used by tons of ecommerce sites in Spain.

Piracy or not, you shouldn't be able to get away with this kind of collateral damage, blocking an entire population from accessing a far greater number of legitimate websites.

And while I do understand their problems with piracy, LaLiga's view on the matter has always been so over-the-top and reminiscent of the false logic the record companies did in the early 2000s: LaLiga believe (or at least say, all the time) that every euro's worth of football that is pirated is a euro that has been stolen from them; that if piracy didn't exist, they would have that much more money. It's simply not the case. It's a hugely outdated viewpoint, and they shouldn't be able to cause damage to the public because of their adherence to it.

  • > It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block.

    I happen to agree that La Liga wildly overreaching is on brand. But I think this is partly about Cloudflare.

    What's happening is a reminder of how centralised the internet is becoming. If blocking Cloudflare IPs brings down big chunks of the internet for Spain, that's a problem. Cloudflare could go down for a while, or collapse permanently, or get compromised.

    Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."

    Cloudflare might get a resolution from the court that suits them in the short-term. But drawing this to government attention might not suit them in the long run.

    • > Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."

      On the contrary, it would be an excellent outcome if the Internet became all-or-nothing, and countries could either choose to provide Internet access or block the entire Internet, with zero ability to selectively block things they don't like.

      Doing that via a few centralized CDNs would be bad. Doing that at the protocol level would be excellent.

  • I think the comments here about cloudflare aren't trying to justify what LaLiga is doing, just pointing out that cloudflare does the same equally wrong thing ultimately. If you've ever ended up with an IP cloudflare decided is suspect for one reason or another, have fun being stuck in endless captcha loops all day for something like 70% of the websites you visit, with no recourse

  • Sure it's blunt. But I guess it will be rather effective in getting Cloudflare to urgently revise their policy on copyright violation.

When they started doing these blocks a few weeks ago they also took down Telegram for the whole weekend and part of Monday.

This argument on whether LaLiga or Cloudflare are the biggest dicks is kinda dumb.

Yeah, CF has stepped in it from time to time and yeah, maybe they have ego-ish proclivities. What Behemoth online service doesn't?

But the core of this debate is about LaLiga and its peripheral relationships dragging a lot of innocent folks along with the genuine targets of their focus. It's like those Drift Netters who have demonstrated they care not for the unintended species they catch. A bit of a labored metaphor but, there you have it.

Honestly, I hate both parties here so much. I just wanted to say that Cloudflare is the biggest problem I have at work when trying to detect and take-down phishing websites. They do not collaborate with official entities and keep protecting malicious actors. I could not care less about someone giving them problems.

"Like the majority of cloud providers, Cloudflare uses shared IP addresses to manage its network, meaning that thousands of domains can be accessed with a single IP address."

Thousands?

It used to be one could access _any_ Cloudflare customer website using appropriate Host header, SNI and a _single_ Cloudflare IP address, i.e., one address could be used to reach all CF customer websites. For whatever reason, that is no longer the case.

I don't understand why Cloudflare allowed itself to be used like this and is heading to court instead of just refusing to accept LaLiga's requests. They could just request them to provide appropriate evidence and make them pay for the time Cloudflare staff would need to review the evidence.

  • Cloudflare isn't in a position to accept or decline LaLiga's requests; LaLiga, supported by a ridiculous court order, is forcing ISPs to block Cloudflare IP addresses.

    • Cloudflare absolutely is in a position to take down domains they're hosting on those IPs while keeping other domains sharing the same IP up.

      I think that's probably what they'll be doing in the end, so it's interesting to observe that they haven't done so already. Do they maybe have at least an internal domain reputation system so that long-time customers mostly share IPs with other long-time customers and are less likely to get caught in the crossfire?

    • Ok, this explains why Cloudflare is doing this. So the issue seems to be with the court order then. Is this then yet another case of court order makers not understanding the technological consequences of the court order they made?

  • I suspect that LaLiga lawyers and lawyer-techs aren't perhaps the most technical so when they learned to figure out IPs they made it their go-to way of working without even considering that they might need to contact CF (or GitHub that also seems blocked in Spain).

    Finding abuse contacts is actually an M:N problem for the entire industry since we skimped on IPv6 (Had we gone to IPv6 providers like CF could've just assigned customers their own IPs and third-party fallout would've been minimal).

  • Well, I'm guessing here but I assume pirates are happy to stand up a new website for every match. And LaLiga wants the sites taken down within the ~90 minute duration of the game, otherwise what's the point?

Football goes beyond mere entertainment in Spain, it's like life itself. I think there's a case to be made that any and all disruption to internet services is justified to provide the public with the best possible Football experience.

I'd be interested to see if twitch is on their block list... or if running pirated tv, movies and sports from all over the world 24/7 just isn't as visible enough to them for them to say something...

  • Most streaming platforms actually put a lot of effort into combating live soccer broadcast piracy, more than a lot of other types of content. European soccer is massively popular globally, as is the World Cup. Thus piracy of it is massive and global as well, and it gives the big leagues and competitions a lot of leverage. Most platforms try hard to counter soccer piracy, generally without waiting for a complaint or takedown request, and often using active methods like doing automated content detection on livestreams. The platforms simply have more to lose by poor enforcement of a huge soccer event than most anything else, including anything from Hollywood.

CloudFlare doesn't allow video streaming on their free/low tiers so I would expect this to be shut down by CF regardless as there wouldn't be anyone legit to pay for the Enterprise plan.

What's the chance that

1) Cloudflare wins its lawsuit against LaLiga.

2) LaLiga appeals to Cloudflare to block these individual, infringing sites.

3) Cloudflare does nothing.

I wonder what prompted this reaction from them for this particular case. This has been happening for years in my country without a peep from them.

As a reminder, LaLiga got caught spying on their users with their app using the microphone and the geolocation to detect illegal emissions in bars. They got fined, applying the GDPR, with 250k euros. [0]

However, the last court order removed the fine, as they interpreted that the AEPD (Spanish data protection agency, and the ones that fined LaLiga) did not show any guidelines about this kind of stuff, so it couldn't be fined retroactively. And that showing a "Mic in use" warning every time the app was using the microphone, as AEPD wanted, was "excessive". [1]

[0]: https://confilegal.com/20220505-la-an-ratifica-la-sancion-de...

[1]: https://www.cuatrecasas.com/es/spain/propiedad-intelectual/a...

Cloudflare's ddos protection constantly locks out non-mainstream browsers, so pot and kettle, and such.

  • I've had issues with their captchas just not working but not providing that as feedback. Javascript enabled and all.

    You can easily reproduce this by using a mainstream browser like Chrome and changing your user agent to e.g. a Firefox one (or the reverse). You'll be hit with captchas everywhere but unlike the cloudflare ones the google ones can at least be resolved.

    • A Firefox user agent with a Chrome Javascript engine and a Chrome TLS engine is suspicious. Any decent bot prevention mechanism will trigger on that.

      I don't have issues passing these blocks in Firefox, though.

  • Not just non-mainstream web browsers but also users in certain less developed countries.

    Clearly there’s a balance to be had, but Cloudflare’s shadowbans are just mean.

  • I get locked out occasionally when travelling outside EU as well. I've got to the point I will just avoid using services with CloudFlare in front of them.

    Also the one time I reported abuse which was online banking phishing they just replied that they'd informed the upstream provider and nothing happened.

  • Can confirm. If I click certain links in the Discord Electron client on Windows they work just fine, but in Firefox on Linux I get the DDoS block page, regardless of the internet connection I'm using.

  • I mean isn't that a feature customers have to turn on?

    • Most folks do not realize the consequences. Of those who do, a significant fraction thinks that the only people accessing it are from US mainland and use Chrome on Windows.

What's laliga

  • LaLiga is the main football league in Spain, where Real Madrid, FC Barcelona,... play. It's also considered the second most important league in Europe after the Premier League in England. And, related to this, it manages the TV rights of the matches.

Cloudflare is a flaming heap of garbage of a company and to see them have beef with another company like this is very ironic.