
Whenever one of those Turnstile checkboxes shows up I'm unable to get past it. It's been that way on most of my computers for over a year. I check it and it just reloads with a blank checkbox again. It's an eternal loop of death.

My Firefox installations are not even Arkenfoxed. I just use a couple of privacy-oriented add-ons and a few about:config tweaks.

Cloudflare verifications are destroying the web.



> Cloudflare verifications are destroying the web.

This line of thinking assumes that without captchas, things that were captcha-walled would remain but be unprotected. I think the actual counter-factual is that those things would either require a nominal payment or some other harder-to-spoof-at-scale action first.

I run a service that provides arbitrary compute (Jupyter notebooks) on demand. Without a captcha, there was a period where it would have been overwhelmed by crypto miners to the point that it wouldn’t be available to anyone else.


Let's start with the low-hanging fruit though. How many people have their personal blog behind cloudflare? A lot of things really don't need it, aside from being told by cloudflare that they need their protection.

Generously offering free services that incur costs for the hoster is much harder to solve, no doubt about that. You essentially can't have anonymity because, if you did, any normal user will look indistinguishable from a cryptobro. You'll need to either have them cover the costs or have pseudonymity at best.

But in instances where anonymity is fine, I share the experience from the person you're responding to: just to read resources, to browse read-only material like a normal person, cloudflare is a barrier to the open web.


> A lot of things really don't need it, aside from being told by cloudflare that they need their protection.

Anything that has a dynamic backend of any kind (or, let's be real, even stuff that's static-built) will get relentlessly hounded by hackers the very same second it's online on the Internet. Be it spammers trying to sell you dick enlargement pills or questionable supplements, pedos looking for a place they can use to host their shit, botnet operators looking for good connectivity to abuse in DDoS attacks or whatever, targeted attacks against your site by extortion gangs (very common in business), or (particularly if you're active in the gamer/streamer scene) pseudo-"trolls" that just want to cause you harm for the lulz.

The problem is, as I've written multiple times here, that our governments are doing nothing against the bad actors, their ISPs and the countries that allow them to operate. That needs to be fixed, and then we won't have to rely on Cloudflare and friends any more.


I run so many dynamic things of many different kinds and cannot confirm this in the slightest.

There's the obvious things like public forums or contact forms where spammers submit messages, but "anything that has a dynamic backend of any kind" is just not true. Most things don't lend themselves to making money.

I do agree that we could do better about tackling the abuse that does happen, both by law enforcement and by sysadmins simply banning IP ranges whose abuse center doesn't make any attempt to solve the problem.


As someone who works for the government and whose team is doing nothing but fighting against bad actors, I don't think that's true. We're not doing nothing, that's a very unfair assessment.

It's like saying "we shouldn't have to lock our doors, but the governments are doing nothing to stop the robberies". And the internet is much more wild than the real world, IMO. The biggest obstacles to the safe internet I see are:

* Globality. An aspiring Russian cybercriminal can hack from their own basement with no OPSEC or VPN without any fear of repercussions as long as they don't bother anyone in Russia (and neighboring countries). Before COVID we used to have literal "wanted posters" (as a joke) in our office with names, addresses and photos of known cybercriminals that we could do nothing to arrest, because they resided in another (usually Russian-speaking) country. Even in Europe it's not trivial, because Europol has relatively high requirements to start an international investigation and extradition, and "regular" cybercrime doesn't qualify - so one can send malware across the border as long as they want without any (real) fear.

* Velocity: there is no such thing as a "bad actor ISP". I mean ok, there are so-called bulletproof hostings, but in general the bad actors buy things like anyone else. The typical phishing campaign starts with a criminal buying a domain (using fake data), a cheap (or usually free/demo) hosting account, getting a letsencrypt certificate, uploading some fake login form HTML, now just send a few hundred thousand emails/SMS and you're done. Next day tweak some things and do the same, just with a different domain. The typical phishing campaign is live only for a few hours. There's no way a lawful country can make a proper legal decision in a few hours. And this is assuming no international cooperation - usually the server and domain are hosted by a different country than the attacked country, so we're talking about contacting another country to make a legal decision in a few hours' timeframe.

* Censorship fears: Ok, so a proper timely expropriation is not possible. What we have in practice is a list of more or less formal blacklists, like Google Safe Browsing, (extremely annoying and opaque) spam blacklists, and many lists of unsafe domains (my country provides one). In most cases the lists are DNS based, and they work great. In my country, our list is also applied by some ISPs automatically (so home users are protected as long as they don't change their default DNS). It would work even better if every ISP applied it, and blocked malicious plaintext DNS requests on the wire, but I can already feel HN readers becoming tense as they read this (I don't like it either). We all hate censoring the internet, and want to preserve the right of normal people to be scammed by visiting a phishing website.

* Money: Having a dedicated abuse team costs money and brings no revenue. Just look at how Google does it, and they are drowning in money. Imagine how responsive smaller providers are. In many cases you could just as well try to contact /dev/null.

* Privacy: This rant is getting a bit long. I'll just mention that one of my colleagues (frustrated when a known criminal managed to turn off his computer and was let free later, since his disks were encrypted and there was no strong enough evidence to jail him) said "law abiding people have no reason to encrypt their disks". Of course I strongly disagree, but I share the frustration. With god-mode on the internet (the ability to read all the communication, get into any server and take down any domain) I could do so much more to help people in my country. I guess that's also what drives the NSA and similar agencies to get more and more power. Unfortunately, we live in a democracy, so we have to make compromises, and I think the compromises we make (i.e. that my powers as someone fighting cybercrime are reasonably restricted) are good ones.

Personally, I think a big issue is that there are no legal repercussions for ISPs/hostings that repeatedly host malware/phishing. Even if they respond to abuse and take down something (maybe even block the account - the horror!), the same happens a few days later and there's nothing that can be done. I think financial fines for gross negligence would really help to align the incentives here.


> As someone who works for the government and whose team is doing nothing but fighting against bad actors, I don't think that's true. We're not doing nothing, that's a very unfair assessment.

I'm just looking at the dozens of billions of dollars lost to scams in the US alone each year [1]. And that's just scams, not the other forms of cybercrime. And Europe isn't much better off.

(I won't copy your points for a quote since they're too long)

> Globality

Agreed. But Western governments, united, could mandate their ISPs and phone traffic to cut off all traffic from these countries. Most international carriers are based in the US and Europe. Guess how long India would take to dismantle their scam callcenters if cut off? A week tops. Russia wouldn't cave, but I see no reason for this country to be connected to the Internet at all, at least not as long as they are invading Ukraine. And China? They've been running rampant with espionage campaigns for years. It's time to accept this declaration of war and retaliate.

> Velocity

Oh hell yes there are bad actors. Phone providers providing connectivity to scammers and spammers, residential ISPs not acting against abuse reports and thus allowing compromised residential devices (e.g. cheap IoT crap) to continue to attack infrastructure... if I had anything to say, I'd mandate that three credible abuse reports should result in the disconnection of any Internet participant, and that ISPs were to assist their customers in cleaning their devices. As for domain providers: mandate verification of domain names, and boot off providers that repeatedly violate this requirement. The only thing that reverses profit incentives is serious sanctions.

> Money

See above. Fine providers that don't respond to abuse requests similar to GDPR, up to 10% of yearly worldwide revenue. If they don't comply and show no credible efforts to become a good citizen of the net, cut them off.

[1] https://www.statista.com/statistics/1050001/money-lost-to-ph...


Yes, I agree with you there. I think having static content be captcha-walled is generally dumb. Arguably cloudflare makes it too easy to do this (I think it’s on by default if you use them for DNS?) so I can see blaming them for it.


> How many people have their personal blog behind cloudflare?

I suspect that more people have their blog behind Medium, so that’s even lower hanging fruit.


Medium uses Cloudflare as far as I'm aware


Just to add another reason why captchas are useful - a platform I operate was recently targeted by stolen CC testers that registered thousands of accounts to make the cheapest possible purchase on our site. I had to deal with the fallout, taking dozens of calls from angry people, refunding the transactions (of course you lose the transaction fee) etc. The only way to effectively stop them was a captcha on the checkout, and this is also what our payment processor, PayPal, required we do to reinstate our account. There's no other signal that can be used, user agent was random, IP was random etc.
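The pattern described in the comment above (thousands of fresh accounts each making the cheapest possible purchase, with randomised IPs and user agents) defeats any per-client rate limit, but it is still visible in the aggregate: the rate of minimum-price purchases from brand-new accounts spikes. The following detector is an added example, not code from the commenter's platform or from PayPal; the CSV log format, column names, thresholds and account-age cutoff are assumptions, and the log lines are constructed.

```python
"""Card-testing burst detector over a constructed checkout log (added example).

Assumed log columns: ts, txn_id, account_id, account_created, amount_cents, ip, user_agent.
A "probe" is a purchase at the catalogue's minimum price from an account younger
than max_account_age. We rate-limit probes globally with a sliding time window,
so rotating IPs and user agents does not dilute the signal.
"""
import csv
import io
from collections import deque
from datetime import datetime, timedelta

# Constructed sample data (not real traffic): two ordinary orders, a burst of six
# cheapest-SKU purchases from accounts registered seconds earlier (each with a
# different IP and UA), then a legitimate cheap order from an old account.
SAMPLE_LOG = """\
ts,txn_id,account_id,account_created,amount_cents,ip,user_agent
2024-03-01T10:00:00Z,t01,u100,2023-11-02T09:12:00Z,4999,203.0.113.10,Mozilla/5.0 (Windows) Firefox/123
2024-03-01T10:03:30Z,t02,u101,2024-02-20T17:45:00Z,1299,198.51.100.7,Mozilla/5.0 (Macintosh) Safari/17
2024-03-01T10:10:00Z,t03,u900,2024-03-01T10:09:40Z,99,192.0.2.11,Mozilla/5.0 (X11) Chrome/120
2024-03-01T10:10:15Z,t04,u901,2024-03-01T10:09:58Z,99,192.0.2.57,Mozilla/5.0 (Android) Chrome/119
2024-03-01T10:10:31Z,t05,u902,2024-03-01T10:10:12Z,99,203.0.113.88,Mozilla/5.0 (iPhone) Safari/16
2024-03-01T10:10:44Z,t06,u903,2024-03-01T10:10:30Z,99,198.51.100.200,Mozilla/5.0 (Windows) Edge/121
2024-03-01T10:11:02Z,t07,u904,2024-03-01T10:10:49Z,99,192.0.2.140,Mozilla/5.0 (Linux) Firefox/115
2024-03-01T10:11:20Z,t08,u905,2024-03-01T10:11:05Z,99,203.0.113.201,Mozilla/5.0 (Windows) Chrome/118
2024-03-01T10:25:00Z,t09,u102,2024-01-05T08:00:00Z,99,198.51.100.33,Mozilla/5.0 (Macintosh) Firefox/122
"""


def _parse_ts(s):
    # datetime.fromisoformat does not accept a trailing "Z" on older Pythons.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text):
    """Parse the CSV log into dicts with typed fields, sorted by timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": _parse_ts(r["ts"]),
            "txn_id": r["txn_id"],
            "account_id": r["account_id"],
            "account_created": _parse_ts(r["account_created"]),
            "amount_cents": int(r["amount_cents"]),
            "ip": r["ip"],
            "user_agent": r["user_agent"],
        })
    rows.sort(key=lambda e: e["ts"])
    return rows


def is_probe(e, min_price_cents, max_account_age):
    """Cheapest-possible purchase from an account created very recently."""
    return (e["amount_cents"] <= min_price_cents
            and e["ts"] - e["account_created"] <= max_account_age)


def flag_card_testing(events, *, min_price_cents=99,
                      max_account_age=timedelta(hours=1),
                      window=timedelta(minutes=5), max_probes=4):
    """Return txn_ids belonging to any run of more than max_probes probes inside `window`.

    Sliding window keyed on nothing client-specific: a burst is a burst no matter
    how many IPs or user agents it is spread across.
    """
    flagged = set()
    recent = deque()
    for e in events:
        if not is_probe(e, min_price_cents, max_account_age):
            continue
        recent.append(e)
        while recent and e["ts"] - recent[0]["ts"] > window:
            recent.popleft()
        if len(recent) > max_probes:
            flagged.update(p["txn_id"] for p in recent)
    return flagged


def per_ip_counts(events):
    """What a naive per-IP rate limiter sees on the same log: one hit per IP."""
    counts = {}
    for e in events:
        counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("flagged:", sorted(flag_card_testing(evts)))
    print("busiest single IP:", max(per_ip_counts(evts).values()))
```

Tune `max_probes` and `window` to the shop's real baseline of cheap first purchases; the legitimate order t09 is left alone only because the account-age check excludes it, which is the part that keeps this from becoming a blanket ban on cheap items.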


You don't even need Firefox or anything privacy-oriented. These checkboxes were forever hit-or-miss for me on Chrome with the default settings (!). My ISP is using IPoE tunneling which has a side-effect of a shared IPv4 address among a bunch of households and surprise-surprise no one in Cloudflare is aware that countries beyond the US exist.

At this point I'd honestly take CAPTCHA over this bullshit.


> Cloudflare verifications are destroying the web.

Seconded.

At least for me, on Tor.

A lot of sites are behind Cloudflare.

The other killer problem of course are cookie-consent banners, and the considerable proportion of sites which have taken to emitting full-page modal dialogs the instant you view the site, or after you scroll down, or when you move the pointer upwards to pick another tab.

The amount of stuff you have to wade through to get to or use a site has reached the point where casual browsing isn't viable, not with Tor, not for me.


Cloudflare exposes Tor as a country that can be blocked, so a website operator could choose to block Tor for their website just as they could block any other country.

Are you seeing more blocks than that?


I have no problems with Turnstile on my PCs.

However, on my phone I cannot get past it. It's just an endless loop. The phone is an older model for the Indian market and its Firefox lags behind. So what, it's perfectly usable on 90% of the sites I want to visit. (Which excludes everything full of ads.) I hate today's wasteful computing à la Android.

Edit: The article says there would be a report problem form. I have never seen that.


I use AdGuard and CanvasBlocker. Zero problems. Even with a VPN, very solvable captcha at worst.


Not really. Website operators should absolutely be able to refuse service to anyone on any grounds.


Yes. Not sure that these checks are always the result of a conscious choice though. They just come with the Cloudflare package.

I wonder what percentage of collateral damage they're expecting. I know I'm not alone.

They're saying 15% of people don't even attempt to complete the captchas. I wonder how many false positives they are getting with Turnstile. Hopefully less than 15%…


The thing is, with captchas I can retry 2, 3..5 times before giving up. This thing here just doesn't work and I can't do anything.


Only that most website operators are not in the know about the issues they will cause if they use cloudflare or any third party hosting that in turn makes use of cloudflare.


Yes, really. And the cool thing is that users are able to complain about getting arbitrarily blocked even if it is legal.


I wonder how many site operators are aware of the underlying issue with leasing your site to CF, how many false positives and false negatives Cloudflare has, and if there are any alternatives.



