As a user that gets the Cloudflare thingy, unless it is a website that I really need, I just close the tab as soon as their captcha starts the loading stuff. If the site admin/masters do not care about the end user, I do not care about their site either. Users should vote with their feet (or clicks?).
Be honest about your User-Agent and you get blocked, pretend to be Chrome and all the problems go away. It creates a strong incentive for people to lie about User-Agent.
Even when using Firefox (with RFP) I often get captchas that say "You have been blocked" after you solve it. I don't bother with sites asking for captchas anymore. If I see a captcha, I close the tab, since there is no guarantee I'll be getting the page if I solve it anyways. Sorry, I'm not training your AI for free. I hope someone will sue captcha providers for accessibility, which if it succeeds, will break captchas forever.
What a disgrace. People from Cloudflare have been trying to attract the open web community for years now, including posting on HN (hi, jgrahamc!), but they're interfering with a major part of the open web. Now all alternative browsers have to play the user agent faking game.
Will Cloudflare people try to get us to believe that they "didn't know" or say that it only affects a tiny number of people, or somehow try to gaslight us into thinking that non-mainstream browsers are a threat to something or another?
For a company that has so many of their employees on this site, they sure do seem to be clueless when their supposedly amazing tech marginalizes people or otherwise creates issues. Even when they respond in these threads, it takes ages for them to address things, and often the problems are never permanently fixed and come up again after some time.
It reminds me of this fortune(6):
As far as we know, our computer has never had an undetected error.
-- Weisert
Perhaps fans of Cloudflare will downvote instead of engage, but that's almost a given these days. Let's be real - Cloudflare has been given a free pass for far too long. If you disagree and REALLY believe that there're technically valid reasons for punishing people who use non-mainstream browsers, try to actually engage and discuss. I'm truly interested in someone's take about why we're doing something wrong by not using what everyone else is using.
This has been going on for so long, other parties feel justified in their similar decisions. E.g. try this accessible-for-some-browsers search result page behind the Fastly "Client Challenge": https://pypi.org/search/?q=pip
Does Cloudflare’s almost completely single point control switch of a bottleneck, on a lot of the Internet, get discussed enough? At this point I just give up before trying if I see their captcha and already start to write that site off, if it starts showing that transient “verifying your humaneness” splash screen.
UA strings, just like any other client information forwarded to the server (see: android/iOS data accessible by JS & the server) only exist to build a profile to better filter who you want to serve ads to. It's always ads. Anything else is an excuse, period.
That's what'll trigger the CF captcha as well: if you don't give up client data. Run a site on Chrome bundled with your Android? Never going to get captcha, since Google will gladly serve any of your data when it's asked.
Hey, HN mentioned on general news! Is that a first?
"According to some in the Hacker News discussion of the problem, something else that can count as suspicious – other than using niche browsers or OSes – is something as simple as asking for a URL unaccompanied by any referrer IDs. To us, that sounds like a user with good security measures that block tracking, but it seems that, to the CDN merchant, this looks like an alert to an action that isn't operated by a human."
Not saying MITM is a bad term but Cloudflare is the single biggest MITM.
Major issue is that reaching their support is next to impossible. Payment for my domain is not going through and now I am waiting for my domain to expire and be available on the market again, so that I can buy it from another vendor.
I'm surprised they haven't started blocking Firefox too, since its market share continues to drop.
Cloudflare is gathering the filler for the masses so we can get to the content faster and easier. Next milestone is automating and search result filter. Godspeed.
Hate to be that guy, but it’s about time to stop advertising the User Agent. Where needed the same could be done exposing capabilities, and it wouldn’t have to be on every single http request. Benefits: less bandwidth, blocking by capabilities would require JS. Negatives: revisit screen readers, which could keep using UA, no more stats by browser (don’t care).
The forum link in the first paragraph is a broken link.
The one about Pale Moon from 2015 suggests the user did something custom and it was seen by Cloudflare (which is acting as a WAF) as something like an SQL Injection[1].
All of the Cloudflare hate on this site is tiresome and borders on Crying Wolf.
Websites aren’t forced to use it. It’s affordable and gives DDoS protection. If reducing false positives for bot/malicious traffic detection were more reliable, this would already be solved.
Unfortunately I think it's just statistics killing browser diversity, not conspiracy or collusion.
The math doesn't care about our freedom of choice. Tech savvy users making alternative choices on their web experience are an extreme minority in the sum total of HTTP requests. But the outcome is the same: a narrowing web where only mainstream options function reliably.
The ironic part, as everyone here understands, is that those who actually understand technology enough to use alternative browsers or privacy tools are the ones getting locked out. We're punishing ourselves for our technical literacy by implementing these strategies at these companies. And it really does help the average person who does not think about their browser choices.
It's worth noting that Ladybird, the most promising and growing independent browser implementation, is not surprisingly getting hit by this too: https://github.com/LadybirdBrowser/ladybird/issues/226
Seeing https://news.ycombinator.com/item?id=43321145 and https://news.ycombinator.com/item?id=43322922 also showing up in a close timespan to this makes me really suspicious that there was some part of a hidden plan to close off the Internet which suddenly took a significant step.