Comment by nosianu
5 hours ago
It is not CloudFlare that is ruining the Internet, but the spammers and attackers. On the second level, that catching and punishing them is impractical or even impossible depending on their location.
Businesses were perfectly fine to accept the low security of 1990s email, webserver, and all the other configurations and software. They did not suddenly out of nowhere ask for more restrictions (such as email sending restricted to using the email server "officially responsible" for that domain- it used to be you could do the same as with physical mail, where you can drop letters into mailboxes writing a "From" address that was not in the same city as the mailbox location). They certainly did not volunteer to make everything much more difficult -- and expensive -- to set up and use. It also leads to a lot more work for their IT staff and a lot more user problems to respond to.
All these annoying restrictions were forced to be implemented by attacks of all kinds.
Because it is so difficult, compromises needed to be made. CFs methods are of course full of them, such as taking country and IP ranges into account. Feel free to make practical and implementable and affordable suggestions for alternative solutions. You may even get a reward from CF if you can come up with something good that allows them to cut back on restrictive policies while at least maintaining the current level of security. It is in the interest of CFs customers to be as accessible as possible, after all.
> It is not CloudFlare that is ruining the Internet, but the spammers and attackers.
Spammers have been around since forever and it used to be the webmaster/sysadmin's responsibility to deal with spam in a way that would not hinder user experience. With Cloudflare all that responsibility is aggressively passed on to the user, cumulatively wasting _years_.
As for attackers, I wonder if Cloudflare publishes data showing how many of the billions of websites it "protects" have experienced a significant attack. They don't offer free protection to save the internet, but rather for control -- and no single company should have this much control.
I've been on the Internet since 1992, directly connected at home (student dorms at the time) vial ethernet cable and university ATM backbone since 1994.
At that time I was an admin of said student network, and at the same time built TCP/IP based network and email infrastructure at a subsidiary of a large German company as a side job.
So I was an admin of routers, switches, various services (email, Usenet server, webservers, fax server).
Funny enough - we only added a firewall in front of the student network to protect against our own student's experiments rather than against outside intrusions, at least initially (for example, one person setting up their own Usenet server brought down DNS by flooding it with queries)!
We never had any problems with spam or attackers. "you just didn't notice the attacks!" - NO. When you go online today you get an eternal stream of automated intrusion attempts, visible in all your log files.
Today does not even remotely compare with the easy-going Internet of the 1990s.
Usenet, forums, email - they were all very much usable with minimal or zero spam, and very basic user management. Today, with such a basic setup like we used to have, you would be 100% and chock-full of spam shortly after putting such a server online.
> Spammers have been around since forever
Is the fallacy here not obvious? Yes, spammers have been around since forever, but it's not the same amount of spammers. Whether it's two spammers or two million spammers does make a difference.
I think we're long past peak spam. A lot of them seem to have given up due to the rise of SPF and DKIM, and also because people don't really use email so much anymore as a serious form of communication.
I remember some clients in the mid 2000s. They got several spam emails per minute on some accounts. Not kidding. I haven't seen anything like that in recent years.
1 reply →
The responsibility is passed to Cloudflare, and that's the point. Not every site can make a capable solution by themselves.
The responsibility now lies on the user, who has to click through confirmations to prove they are human, thus making their experience a lot worse. It has been my experience the last ten years.
> It is in the interest of CFs customers to be as accessible as possible, after all.
But since in reality there is friction, there is no magic mechanism to make those interest force CF to implement a better system as, for example, the customers might not have enough knowledge / tech expertise to understand they're losing 1% due to crude CF filters and ask for a fix
It is, but do they even know about the problems?
The data Cloudflare shows people in the number of requests it "protected" you from and the number of requests it thought legit. There is no indication of the number of false positives, and IIRC of the number of people asked to pass a captcha. The wording implies zero false positives and I think many people simply assume its negligible.
> It is, but do they even know about the problems?
No, that's what I said - they may lack knowledge.
>It is not CloudFlare that is ruining the Internet, but the spammers and attackers
That's unaccountability thinking. If I have pests in my rosegarden and as a reaction I napalm the backyard of everyone in my neighbourhood, that is not the bugs' fault.
> It is in the interest of CFs customers to be as accessible as possible, after all.
Well this is where your argument goes a little wrong IMO. When you're on something more niche (eg Firefox on Linux) they just don't care as much about making it work for you because there's so few of us blocked in the process.
And this problem should really be solved with a proper solution, not this fiddly black magic ruleset stuff. The email thing you mention is a good example. DKIM and SPF are good things that makes things more secure in an understandable way. Specifying your legit mail handlers is not a workaround, it's good security. In some ways Altman has a good idea with his WorldCoin eyeballs. But I don't support it for obvious reasons. I don't want my internet identity tied to a single tech bro and some crypto. If we do this kind of thing it has to be a proper government or NGO effort with proper oversight and appeals process.
I've tried to make my Linux Firefox identify as edge on windows and that makes it a lot better on some sites (especially Microsoft breaks a lot of M365 functions on purpose if you're not using the "invented here" browser). And many sites don't give me captchas then. But in some cases Cloudflare goes even more nasty and blocks me outright which is really annoying. If I use Linux a lot more sites break but Cloudflare sticks with captchas.
Anyway I think the age of the captcha is soon over anyway. AI will make it unviable.
> All these annoying restrictions were forced to be implemented by attacks of all kinds.
Ps it's not always attacks but also to block things that are good for consumers but bad for the sites' business model. Like preventing screen scraping which can legit help price comparison sites.