
Comment by oefrha

9 months ago

I’m skeptical. Cloudflare clearly wants to move us to a future where only approved browsers are allowed to access the web. People have been fiercely debating whether that’s a terrible thing, or whether that’s the least bad practical solution on offer for website owners. I don’t want to make a judgement on that, but I don’t think the observation that CF is pushing us in that direction is very controversial. But an independent open source web browser is obviously against that ethos. So what’s the play here exactly? Just for goodwill?

(Regardless of motivation, they’re lending more support than most other companies, so it’s applaudable nonetheless.)

Cloudflare supporting Ladybird makes sense for the same reasons that Valve invests in Proton. Cloudflare's job is easier if everyone standardizes on a few approved browsers, but right now the three major browser engines are controlled by Google (IIRC most of Mozilla's funding comes from Google) and Apple, just as Valve's Steam is heavily dependent on Microsoft's Windows.

Both companies are basically hedging against future incentive misalignment with other (larger) companies, and reducing their dependencies on platforms they have ~zero influence over.

  • To add to this, Apple’s share of the control is minimal and precarious. A timeline where Google is the sole web engine authority could easily become reality and is even likely.

    Hedging on a promising upstart makes a lot of sense.

    • I haven’t seen any signs that Apple will abandon Safari, have you? Also, a browser that uses Chromium could put a halt to Google’s plans if they wanted. The easiest way would be to stop upgrading and just port over security patches. (Sure, it brings progress to a halt, but this is unlikely to matter to web developers in the short run and it would get people’s attention.)

      They aren’t going to do this, though, so long as new releases of Chromium are reasonable.


    • Apple isn't the only one standing in the way of a Google hegemony. If they are, then the web is already fucked since neither corporation has a benevolent track record pertaining to Open Source. Apple just can't compete without steering privileges that are equally harmful to the open web.


    • Google doesn't have control of Chromium though. The source is available and it is permissively licensed. If they did something truly onerous, Microsoft would fork it within hours and everyone would switch their upstream to Edgium.

      The only reason Google calls the shots is because they pour billions of dollars into maintaining Chromium. The fact that they can do that (and even fund Firefox at the same time) is because of their ad monopoly. Same with search, Gmail, Translate, Maps. None of those things can exist without the ad monopoly funding it all.

      Complaining about Chrome is barking up the wrong tree.


  • That response ignores the fact that Valve isn't in the business of preventing you from playing your games on niche operating systems but Cloudflare is in the business of blocking non-standard browsers. If Cloudflare truly wants to prevent a Google/Apple web duopoly the most effective thing they can do is to stop blocking alternatives or even just browser-configurations that are Google-hostile.

    • I have never seen credible evidence that this is what Cloudflare sees as their business. They fundamentally don't care what browser the user is using. What they care about are the traffic patterns of users and preventing their customers from getting hit by bots, spam, and other malicious traffic. The fact that some browsers look like malicious traffic is not something they can control or reasonably be held responsible for.


    • > Valve isn't in the business of preventing you from playing your games on niche operating systems

      Getting your Steam library to work on Linux before it got Valve's blessing with Proton wasn't a great experience. If they wanted to, they could have easily decided to block games from running on Linux and given some statement about preventing piracy and protecting users from malware.

      I'm optimistic that this investment means we'll see more open standards and large browser makers being forced to collaborate and create simpler standards without compromising security.


  • > Cloudflare supporting Ladybird makes sense for the same reasons that Valve invests in Proton.

    Which Proton are you referring to?

I don't understand why we always assume bad faith. I wish more companies were like Cloudflare actually - trying to balance the need of revenues while trying to do good for internet and open source as a whole.

As a normal user with a few sites, I'm glad they provide what they provide to block bots, attacks and everything AI.

  • > I don't understand why we always assume bad faith. I wish more companies were like Cloudflare actually - trying to balance the need of revenues while trying to do good for internet and open source as a whole.

    This is quite simple and history bears it out: you can't rely on a for-profit corporation to operate in any other manner than optimizing shareholder value.

    When VC money is flowing, you see things that look like (or even can be) altruism - but when the belts tighten and waste is eliminated these endeavors need to align with the company's goals.

    Therefore, look for what Cloudflare is "buying" in this transaction. I suggest they probably want the PR win as it distracts from their objective of locking down the web, and it's worth the expenditure to them.

    • > This is quite simple and history bears it out: you can't rely on a for-profit corporation to operate in any other manner than optimizing shareholder value.

      You can't even do that honestly. Look at Boeing. It got taken over by know-nothing managers that followed that religion of shareholder value, and what did it do? Destroy shareholder value!

      I think we should instead say "we can't rely on any institution to be stable over time". That's a much more sane statement imo.


    • > you can't rely on a for-profit corporation to operate in any other manner than optimizing shareholder value.

      I would like to understand where this breaks down. Would a for-profit individual be more reliable? Would a non-profit? At which point does quality deteriorate?


    • > This is quite simple and history bears it out: you can't rely on a for-profit corporation to operate in any other manner than optimizing shareholder value.

      This is like saying that history bears out that you can't rely on governments to do anything but prepare for war and then send you out to die in one.


  • > I don't understand why we always assume bad faith.

    I'm already bombarded with cloudflare captchas when using Firefox, especially on Linux. Residential IP address. I'm suspicious of everything cloudflare is doing right now.

    • I use firefox and I almost never see cloudflare captchas. I don't think it's the browser that is causing the problem.

    • I recently saw https://neal.fun/not-a-robot/ on the front-page but then I gave up as that's my daily reality with cloudflare and friends already. I use 3 browsers on linux with a Thai IP address because at least one of them is always blocked by cloudflare. Especially if I go work on public wifi I often actually have to hotspot myself to 4g to even get stuff to load.

      I've started taking a more extreme stance these days of ctrl+w instantly and maybe email the admins if I'm particularly angry that I will not buy whatever they're selling because I simply can't be bothered with their spyware blocking me. Maybe some day people will wisen up on the damage cloudflare is doing to their business.


    • Anecdotally, I'm not. I always use Firefox (or Zen) and get almost no Captchas. Neither at home, nor at work. Not on Windows, not on Linux, not on macOS.

      I'm not going to say that Cloudflare isn't doing anything fishy, but if they are, it's probably more complicated.


    • You're bombarded with Cloudflare captchas because bots are heavily scraping the websites you're browsing and they are struggling to stay online by putting in place heavy-handed bot-fighting tactics. Without Cloudflare, you wouldn't have the website you're browsing.


    • If you're on a Residential IP, and your IP gets refreshed, like, every day, it's possible that one of the IPs has been flagged.

      Cannot blame CloudFlare for that; they have an obligation to try to protect the users of their CDN.

  • > I don't understand why we always assume bad faith.

    > I wish more companies were like Cloudflare actually - trying to balance the need of revenues while trying to do good for internet and open source as a whole.

    > As a normal user with a few sites, I'm glad they provide what they provide to block bots, attacks and everything AI.

    I think general distrust with any major company these days is warranted, especially one with so much control over the internet. But I agree with your points, too.

    This should be relevant to the Cloudflare discussion, posted today:

    A New Internet Business Model?

    https://news.ycombinator.com/item?id=45334599

  • Assuming bad faith in the case of Cloudflare specifically? Know first that the CIA once ran a front company for decades that was meant to be a trusted source for cryptographic hardware for use by embassies and the like: https://en.wikipedia.org/wiki/Crypto_AG

    If the CIA wanted to MITM all web traffic, and why wouldn't they, a company like Cloudflare is probably exactly how they'd do it.

  • Cloudflare is 100% acting in bad faith.

    They're a gatekeeper to a large chunk of Internet already. If they decide that your IP range stinks? Hope you enjoy your ration of 22 captcha pages a day!

    Now, they're making some very transparent moves to leverage what they have to get even more control. And once they get even more control? It's not an "if" they start choking you with it to get more revenue. It's a "when".

    People used to say "I wish more companies were like Google". They don't say that anymore.

  • Cloudflare is trying to establish itself as the toll station for AI. And anyone who doesn't play by their rules gets excommunicated.

    • And what are the rules? Don’t use AI to steal training content across the internet, spread nuclear grade spam and propaganda at scale, hack servers with automated agents? Seems fine.


  • It's pretty easy, these are private companies and not democratic institutions that build consensus within their communities. It is better to assume bad faith upon corporate actors because they don't typically advocate for things that help humanity, mostly only themselves.

  • > I don't understand why we always assume bad faith

    Because they all seem to eventually "screw" us. Google seemed (and maybe actually was) altruistic at some point, and even Apple seemed to be (when the only way they could make money was to do right by the users).

  • Cloudflare is running the largest and longest denial of service attacks in the history of the internet by acting as arbitrary gatekeeper to important government sites like congress.gov. I haven't been able to load it in years.

  • Well, you see, once a Cloudflare site violated the TOS so badly that they had to get their C-levels involved to decide if the TOS violation was bad enough to not want them on their platform. That one site was kicked off and this site *HOWLED* at the terrible giant internet company doing a censorship and they have never been forgiven.

    (The site that was "deplatformed" was fine and still exists, much to the chagrin of the minorities it directs hate towards and the people literally stalked there.)

  • There is no way you didn't write this comment while laughing out loud.

    For-profit companies care about profits for their shareholders, that's it. Heck, even non-profits often tend to value profit more than their integrity or cause but that's a topic for another day.

    I wish this wasn't the case but even good-willed individuals at the helm of for-profits are forced to pursue profit and avoid anything clearly leading to losses, else they are sacked.

    • It is baffling and concerning that anyone disagrees with you. The blind faith of so many that companies will magically and selflessly act in the best interest of anyone but their shareholders is, perhaps, the most damaging social ill we face (exacerbated by Citizens United).

    • You're severely misinformed and parroting misinformed meme interpretations of fiduciary duty.

      Integrity and a healthy market align with fiduciary duty as long as one can make the argument that it's in the long term interest of the company. It's really, really difficult to find examples of a person being held liable for not upholding their fiduciary duty because what can be argued as good for the long term success of the company involves a lot of prognostication.

      Fiduciary duty is there to prevent things like a CEO choosing to overpay his cousin's company that has no history in the market for things they've never done before when there is an obviously better option available.

      Companies that act poorly, as you describe, do so out of their own desire, not because they are forced to by any sort of duty.


  • Hi, we assume bad faith because we have seen again and again that corporate humans can be expected to act in ways that would at best be described as sociopathic when referring to a real flesh and blood human.

Responding to a dead comment from a banned account:

> The big new game for them is AI crawler metering. Don’t think browser matters much anymore from their perspective.

Truly open browsers are easy to spoof. Approved browsers with whatever attestation features they champion builtin are hard to spoof. So browsers do matter.

Edit: authentication => attestation for accuracy.

  • Browser attestation doesn't really matter, it's device attestation. Browser attestation is downstream from that.

    Google with SafetyNet attestation (whatever the hell it's called these days) has pretty much locked down Android as tightly as iOS at this point.

    Hell, Apple device users already get to go in the internet "approved" fast lane because of attestation. iDevices and M-series Macbooks can send out a special response that bypasses all captchas.

    Windows 11 has a requirement for TPM2, which features hardware attestation too.

    Linux of course cannot be locked down in a similar manner, thus cannot attest and will have to suffer for it.

    It would probably be illegal for CloudFlare + Google to outright block you from accessing the internet, but they can just drown you in a sea of captchas until you give up and join the attested crowd. Hell, YouTube outright forces you to sign in if they detect a VPN, they won't even offer a captcha.

    Like 'Amusing Ourselves to Death' points out, it isn't a 1984-esque brutal fascist control that will erode our freedoms, but rather a Brave New World-esque situation where people will sign away all (digital) control because the dopamine must flow.

    • I think this is why things like the mdl ID standard are important. It allows for a privacy preserving and open approach not controlled by big companies. It's not perfect, it's controlled by government. But I'd like government to at least challenge the power of Google and Apple.

    • I haven't noticed too many captchas from Linux myself... maybe about 50% more than Windows or Mac, but in general it hasn't been so bad. I do think that it could potentially get bad though.

      I'm also not sure how this can/would shake out when you can just use tools like Playwright/Puppeteer to manage a real browser. Both Google and MS do this (not as much as bare crawlers) to handle SPA-like site content.

    • > Google with SafetyNet attestation (whatever the hell it's called these days) has pretty much locked down Android as tightly as iOS at this point.

      SafetyNet doesn't lock anything down, it just provides an API for applications to verify the app is running in a verifiable and untampered environment.


I would think it's like Vercel and Svelte. Investing in something so small is good PR and gives them an image of goodwill but also very unlikely to result in actual market changes.

By your argument, this could still be interpreted as Cloudflare approving Ladybird. I don't see how indie genuine browsers (i.e. not bots) are "against the ethos" of restricting the web to approved browsers only.

  • "Approved browsers" in this context have technical restrictions on user freedom, e.g. https://developers.cloudflare.com/fundamentals/reference/cry... I'm not talking about someone at CF just adding a random browser to an approved list. More empirically speaking, a browser can't be considered approved if you can freely fork it and not revoke the approved status.

    • I read the article you referenced, though not very carefully due to lack of time, but I don't see anything like a list of supported browsers. They even mention Firefox as supported, which can be forked just like Ladybird.

> Cloudflare clearly wants to move us to a future where only approved browsers are allowed to access the web.

It seems your confusion stems from this premise. Is it possible this is not a correct assumption?

> Cloudflare clearly wants to move us to a future where only approved browsers are allowed to access the web

CloudFlare is in the CDN business.

If CloudFlare gatekeeps who can access their CDN, then people will move to a different CDN. Because people want their websites to be accessed by as many people as possible.

Your statement does not compute.

Corporations sometimes will do seemingly good things in order to maintain their control, Google is a threat to Cloudflare and their business, what I believe however is that this will have significant pushback from the government seeing how Google seems to be pretty favorable for the current admin, not sure Cloudflare is on the same favorability.

a wide rollout of remote attestation would mean cloudflare becomes completely redundant

so I doubt they want that

a murky world where you "need" a guardian middle-man is what they want to preserve

Honestly the post tries to frame it under the banner of the open web, and offers some justifications for Omarchy that I think could all also apply to a project like Bluefin, so it feels a bit flimsy. My guess would be that it's just that someone with access to the purse strings got excited about both projects and decided to fund them, without necessarily a larger play in mind.

why you acting like cloudflare forced people to use their services????

there are alternatives on the market like akamai and fastly

people free to use their favorite cdn over CF lol

  • > People have been fiercely debating

    > whether that’s the least bad practical solution on offer for website owners

    > I don’t want to make a judgement on that

    I explicitly said I don't want to debate that. Take a deep breath, no one is taking away your favorite CDN.

    • people have hate boner for CF, you can't deny that

      but replace CF with another provider and they would do the same shit