
So wait, "we shipped a bug, so we made a browser extension that lets you circumvent the bug". That's cloudflare's answer? I'm not impressed.

EDIT: people seem to be confused as to what bug cloudflare shipped. The bug is not having people solve captchas because their IP has a bad reputation. It's having them solve it over and over again.

You can put it however you want it, but if my app's UX is fine without cloudflare and it's shit with cloudflare, for a small but significant percentage of my users, then CF has a bug.



Thwarting denial of service attacks isn’t a bug.

You seem to be confused about what your rights are around website availability. Hint: you have no rights. Absent specific coercion by government, the owner of the website has all the rights. If she wants to require you to solve a Where’s Waldo first, that’s her prerogative. Your choice is to accept the terms or go elsewhere.


It's discrimination by country/region. It's like saying: oh, you are from Africa or Asia. The chance is higher you are a criminal, so do this test first.


Which is completely legal and encouraged. Here's an example: if you've ever shipped an ad-monetized free app, you've probably disabled regions like Russia, Iran, North Korea, etc.

You know why? Because the ad-revenue is worthless (and often malicious) and the users will be more trouble than they are worth. Same thing is happening with net traffic from other low value regions. One star reviews because users from $banned_region are complaining about lag due to their crappy wifi and/or some other issue you have no control over (defective ram in their 6 year old 2nd hand phone comes to mind)? Sign me up!


Another example: on eBay, one bit of bog standard anti-fraud advice is prohibiting international bids. This is because the overwhelming majority of bidders living in certain countries are fraudsters. The tiny slice of legitimate traffic attempting to make international purchases is not worth the massive increase in exposure to fraud risk.


I believe selling your products in some of those countries can get you in legal hot water as well.


The hate for poor people in this comment is insane.


If insane is a new word for nonexistent


And the problem is worse because, apparently, even solving the captchas repeatedly from a given IP address doesn't make it whitelisted, either. So, it fits the very definition of discrimination against a whole wider group, where the individual actions of any individual actors don't matter.


I’ve lived in Vietnam for the past 5 years and experienced these issues first hand. I’m also part of the team responsible for maintaining a relatively aggressive set of Cloudflare WAF rules at my current employer.

In these developing countries, great swathes of users are accessing the internet behind carrier-grade NAT.

This makes it increasingly likely that any individual user is sharing a public-facing IP with one or more bad actors.

In my experience, I’ve never had to solve more than one CAPTCHA per domain, and frankly clicking a checkbox isn’t that hard.

As far as discrimination goes, this is a much friendlier solution than just immediately rejecting connection requests from certain CIDRs, which is what would otherwise be happening.


> In my experience, I’ve never had to solve more than one CAPTCHA per domain, and frankly clicking a checkbox isn’t that hard.

If it were that easy, there would be little complaint; the complaints seem to be that people get stuck on captchas indefinitely.


>"In these developing countries, great swathes of users are accessing the internet behind carrier-grade NAT."

Do you have any citations that CGN is any more prevalent in developing countries than in, say, Western Europe or the US? The last report from RIPE that I read indicates CGN usage is substantial in both the RIPE and APNIC regions.[1] How would IPv4 resource exhaustion be an economic issue?

>"In my experience, I’ve never had to solve more than one CAPTCHA per domain, and frankly clicking a checkbox isn’t that hard"

I imagine if you are personally "responsible for maintaining a relatively aggressive set of Cloudflare WAF rules" as you stated, you've probably become quite proficient at solving CAPTCHAs. I think people that don't mind jumping through hoops are a minority. Also, just because something isn't hard does not mean it's any less annoying and degrading of the user experience. Those things are not mutually exclusive.

[1] https://ripe73.ripe.net/presentations/21-ripe73_cgn_richter....


> 1. The IP address you are on has shown problematic activity online recently in one of our data sources. If you would like to look your IP up, then please look your IP up at Project Honeypot. If the IP address shows data for malicious activity, you can see why there. You can also attempt to whitelist your IP directly on that page by connecting from that IP. If no bad activity is seen from the IP address after a two-week period, then the challenge behavior will stop against that IP address.

https://support.cloudflare.com/hc/en-us/articles/203366080-W...


Probably because those IPs cycle, or get shared between a number of people. If you know that the IP has switched between illegitimate and legitimate 10 times before, you can’t just assume that it’s now valid after one captcha.


Discrimination by country/region often makes tremendous sense.

I tell Cloudflare to block all traffic from China because my services derive zero contribution and zero potential value from the Chinese market. The maximum potential positive contribution from China is near zero. The overwhelmingly likely contribution from China is attacks from within the country.

So, to summarize, in my particular case China provides nearly zero positive value and China is simultaneously one of the biggest attack origin countries. It would be the wrong decision to not aggressively discriminate against their traffic: I lose, in real terms, absolutely nothing from blocking all Chinese traffic.


I’ve been in the same boat with my startup: 99% of SSH logins and lame, phpMyAdmin-style attacks came from China. However, I would ask: is what you’re doing really good for humanity? I don’t personally think it’s ethical to block entire countries or regions from a service. China may not provide value to you, but you may provide immense value to people in China.

Maybe it would help you to travel the world more, but once I did I had a different view of things. The internet is truly a global entity, and the more we can do to keep the Internet unified the closer we can bring the planet together. To me that’s a much more important goal than short term profits or mitigating trivial attacks with poorly thought out geo-restrictions.


Except that it is quite likely the best quality Chinese attacks come from compromised machines in the United States.


there is still value in screening out all the low-quality attacks, though


Are you saying that OP is trying to do denial of service attacks? Stopping random users from accessing web sites isn't thwarting a DOS attack. If they classify random users as part of some bot net, it sounds like their algorithms are buggy.


I completely agree the website owner has the right to run whatever they want, so thanks for saying that as it's something that too often gets overlooked.

At this point I basically refuse to use things with recaptcha or the stupid little cloud flare dots. I just close the tab and move on. I am just so tired of little dots, storefronts, cars, etc...


You calling this a "bug" makes it sound like you expect Cloudflare to violate your privacy by tracking which websites you've visited in order to determine that you're not a threat. It sounds like the point of Privacy Pass is the only information it gives Cloudflare is that you've solved a Captcha recently but otherwise provides no information about where you did it (beyond the fact that it's a Cloudflare property).

Given the fact that they've resorted to providing an extension to do this, this suggests that they've deliberately engineered their services to not have access to that data internally, and that's a good thing.
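The property the comment above describes (the edge learns that a CAPTCHA was solved, not where the token is later spent) comes from blinding: the client hides each token behind a random factor before the edge signs it, so nothing seen at issuance reappears at redemption. The following is an added illustration, not Cloudflare's or the Privacy Pass extension's code; it replaces the real elliptic-curve VOPRF on P-256 with exponentiation modulo the Mersenne prime 2^127 - 1, omits the DLEQ proof that one key signed every token, and uses a constructed sample request.

```python
import hashlib, hmac, math, secrets

# Toy group: multiplicative group mod the Mersenne prime 2^127 - 1 (order P - 1).
# Real Privacy Pass uses a P-256 VOPRF plus a DLEQ proof; both are omitted here.
P = (1 << 127) - 1

def hash_to_group(token: bytes) -> int:
    """H1: map a token to a nonzero element of the multiplicative group mod P."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % (P - 1) + 1

def random_blind() -> int:         # blinding factor r, invertible mod group order P-1
    r = secrets.randbelow(P - 2) + 2
    return r if math.gcd(r, P - 1) == 1 else random_blind()

def shared_key(token: bytes, n: int) -> bytes:
    """Redemption MAC key derived from (t, N) by both sides; N itself is never sent."""
    return hashlib.sha256(token + n.to_bytes(16, "big")).digest()

class Server:                      # edge-side role: holds k, sees only blinded points
    def __init__(self):
        self.k = secrets.randbelow(P - 2) + 2
        self.seen_at_issuance = []
        self.spent = set()
    def sign(self, blinded):       # once, right after the CAPTCHA is solved: Z = M^k
        self.seen_at_issuance.extend(blinded)
        return [pow(m, self.k, P) for m in blinded]
    def redeem(self, token: bytes, mac: bytes, request: bytes) -> bool:
        if token in self.spent:    # each token is accepted once
            return False
        key = shared_key(token, pow(hash_to_group(token), self.k, P))  # N = H1(t)^k
        if not hmac.compare_digest(hmac.new(key, request, "sha256").digest(), mac):
            return False
        self.spent.add(token)
        return True

def client_issue(server: Server, count: int):
    """Mint tokens, blind with r, get them signed, unblind: Z^(1/r) = H1(t)^k."""
    tokens = [secrets.token_bytes(16) for _ in range(count)]
    blinds = [random_blind() for _ in range(count)]
    signed = server.sign([pow(hash_to_group(t), r, P) for t, r in zip(tokens, blinds)])
    return [(t, pow(z, pow(r, -1, P - 1), P)) for t, z, r in zip(tokens, signed, blinds)]

def demo():
    server, req = Server(), b"GET /some-page"      # constructed sample request
    wallet = client_issue(server, 3)
    mac = lambda t, n: hmac.new(shared_key(t, n), req, "sha256").digest()
    results = (server.redeem(wallet[0][0], mac(*wallet[0]), req),                  # valid
               server.redeem(wallet[0][0], mac(*wallet[0]), req),                  # replay
               server.redeem(wallet[1][0], mac(wallet[1][0], wallet[2][1]), req))  # forged
    return results + (any(n in server.seen_at_issuance for _, n in wallet),)      # linkable?
```

`demo()` returns `(True, False, False, False)`: a fresh token redeems, a replayed one does not, a token paired with another token's signature fails, and none of the unblinded values the client spends ever appeared in what the edge stored at issuance.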


If captchas are a bug, try running your own popular web service, and good luck keeping away the spam.

An extension is easy to install and is a reasonable way for the CDN to verify that you're not a spammer without requiring you to repeatedly prove it whenever your IP changes.


Your comment would make perfect sense if this whole captcha thing was required in order to post comments.

But they require it for static-like content that any decent site should be serving from cache.



