Comment by marticode
6 hours ago
As a user I do care, because I waste so much time on Cloudflare's "prove you are human" blocking-page (why do I have to prove it over and over again?), and frequently run on websites blocking me entirely based on some bad IP-blacklist used along with Cloudflare.
Unfortunately the internet sucks in 2025.
If you have a site with valuable content the LLM crawlers hound you to no end. CF is basically a protection racket at this point for many sites. It doesnt even stop the more determined ones but it keeps some away.
Yep for anyone unaware of how awful things truly are, look up what a "residential proxy" is. Back in my day we called that a botnet.
Oh, they're still botnets. We just look the other way because they're useful.
And they're pretty tame as far as computer fraud goes - if my device gets compromised I'd much rather deal with it being used for fake YouTube views than ransomware or a banking trojan.
You can make a little bit of cash on the side letting companies use your bandwidth a bit for proxying. You won’t even notice. $50/month. Times are tough!
1 reply →
CF would be a protection racket only if CF is the cause of the problem CF is charging money to solve.
And yet half the HN front page every day is promoting LLM stuff.
"The internet sucks", yes, but we're doing it to ourselves.
Would you rather not have LLMs?
18 replies →
Unfortunately the problem isn't just "the internet sucks" it's "the internet sucks, and everyone uses it" - meaning people are not doing stuff offline, and a lot of our lives require us to be online.
1 reply →
But that's not a problem caused by Cloudflare.
That's a problem caused by bots and spammers and DDoSers, that Cloudflare is trying to alleviate.
And you generally don't have to prove it over and over again unless there's a high-risk signal associated with you, like you're using a VPN or have cookies disabled, etc. Which are great for protecting your privacy, but then obviously privacy means you do have to keep demonstrating you're not a bot.
You might say the problem CloudFlare is causing is lesser than the ones it's solving, but you can't say they're not causing a new, separate problem.
That they're trying counts for brownie points, it's not an excuse to be satisfied with something that still bothers a lot of people. Do better, CloudFlare.
Do better, how?
If you have any ideas on how to protect against bad actors in a way that is just as effective but easier for users, please share it.
Because as far as I can tell, this isn't a question of effort. It's a question of fundamental technological limitations.
I just realized, why don't they have some "definitely human" third party cookie that caches your humanness for 24h or so? I'm sure there's a reason, I've heard third party cookies were less respected now, but can someone chime in on why this doesn't work and save a ton of compute?
Because people will solve the challenge once, and then use the cookie in automation tools. It already happens with shorter expiration cookies.
Thanks, I'm now shaking my head at my naivete :)
https://developers.cloudflare.com/waf/tools/privacy-pass/
Are you really posting this today?
Yes, there are several, and the good one (linked below) lets you use the "humanness" token across different websites without them being able to use it as a tracking signal / supercookie. It's very clever.
https://github.com/ietf-wg-privacypass/base-drafts
https://privacypass.github.io/
I assume that will be for Apple (and eventually Alphabet) to implement via digital IDs linked to real world IDs.
https://www.apple.com/newsroom/2025/11/apple-introduces-digi...
Don't worry, Sam Altman is selling the protection too -- https://en.wikipedia.org/wiki/World_(blockchain)
Congrats, you now know what it's like to be a daily Tor user trying to hit normie sites from exit node IPs xD
Why would anyone be a daily Tor user and trying to hit clear-net sites on top of that? This sounds like a bizarre usecase.
Privacy through uniformity, operational security by routine, herd immunity for privacy, traffic normalization, "anonymity set expansion", "nothing to hide" paradox, etc.
I.e., if you use Tor for "normie sites", then the fact that someone can be seen using Tor is no longer a reliable proxy for detecting them trying to see/do something confidential and it becomes harder to identify & target journalists, etc. just because they're using Tor.
2 replies →
In addition to the reasons in sibling comment, this also acts as a filter for low-quality ad-based sites; same reason I close just about any website that gives me a popup about a ToS agreement.
I hate it as much (and the challenge time seems to be getting longer, 10s lately for me, what the hell?)
But we can all say thank you to all the AI crawlers who hammer websites with impossible traffic.
I mean, it was a problem before AI crawlers with just bots and attacks in general.
It wasn't nearly as bad.