I'm going to repost what I commented on CloudFlare's blog, since they don't appear to have published it (yes, I was a little angry. I've had to put up with these CAPTCHAs for the last week):
Ha, so much irony, CloudFlare.
The company that is determinedly CAPTCHA-walling as much of the internet as it can get its hands on supports Network Neutrality...? Reeaally?
You support network neutrality, as long as your users don't use Tor. And don't use a VPN. Or any other kind of shared IP. Or have cookies disabled.
No, your support of network neutrality is utterly, utterly shallow. You might pragmatically support it, as it pertains to you not having to pay any more for your data pipes, but you share none of the principles behind it - that all people should have the same access to content.
Oh look - I try to access BattleForTheNet.com: "Please complete the security check. Please enable cookies".
An IP address is not a person. Somehow Twitter, Facebook, Google, can figure this out... Why can't you?
Edit: Also, is anybody else affected by these CAPTCHAs? I can't believe it's just me. Literally half of all news articles and such I try to read, I'm getting CAPTCHA-walled by CloudFlare. It's quite scary to suddenly realise how much control this single company has. (Not to mention incredibly annoying. I've taken to simply avoiding several news sites I used to browse.)
Your blog comment has been posted; we don't moderate things that are criticism (or anger) only spam. But the moderator does need to be awake.
As the for CAPTCHA problem you are seeing, having you tried contacting CloudFlare Support about it? We can look at the IP you are coming from and see what's happening.
To expand on the CAPTCHA problem, I had to complete a CAPTCHA to go to torrentfreak.com.
I got nothing where the CAPTCHA box should have been ([0]). After some time, I refreshed and got [1]. I wrote the CAPTCHA, was given a large bunch of text ([2]) and I copied it to the input field right below. Then, I submitted the form but it still didn't work (would just bring me to the CAPTCHA again). I guess this form of CAPTCHA is for JS-less browsers, but apparently it doesn't work. I had to enable JS for both TorrentFreak, Cloudflare and Google (reCAPTCHA) in order to make show the CAPTCHA and be able to contine.
The above happened right now. It also happened with Reddit (except [0]) a week ago or so. This is all on a vanilla (i.e. no addons) TBB.
> having you tried contacting CloudFlare Support about it?
I could do - but I'm kind of angry that I even have to. What about the less technically literate, who might barely know what CloudFlare is, let alone figure out how to contact their support? (Yes, I use a VPN, but there's plenty of ways a non tech person might have a shared IP.) And why should I have to go to this effort, just to get read access to a website?
And what if I'm on a different IP tomorrow? Begging for my IP to be unblocked is no long term solution. (What about when malicious activity comes from it tomorrow, after you unblocked it? You'll just block it again.)
Just now, in my other browser tab:
>Please complete the security check to access coinmarketcap.com
(btw, Disqus is giving you different comments depending on whether https or not, that's why I missed my comment being published.)
I'm asking because I work for CloudFlare and specifically I'm about to start working on the reputation system that deals with things like the CAPTCHA that you are seeing. So, I'm personally interested in understanding what you are seeing because we should not be blocking people who are legitimate.
If you don't feel like contacting CloudFlare Support you could always just email me directly: jgc (you guess the domain name :-)
All someone needs is to have read something on some social media website, followed a link, and installed some software. Boom, they're accessing the Internet through TOR.
> there's plenty of ways a non tech person might have a shared IP
e.g. some mobile internet, university/school campuses, workplaces, shared wifi points. All of which might have some abuse. I guess perhaps not the amount of a VPN/Tor.
That being said, there's more people than ever using Tor lately. And I'm sure CloudFlare are more than aware of Tor already. And lots of relatively casual users signing up for VPNs to get to blocked file sharing sites etc.
Just now, in my other tab:
> Please complete the security check to access torrentfreak.com
I can understand not allowing me to post anonymously - but to go as far as refusing me read access? Really?
Actually tackling the problem, hmm. Storing a single cookie on the cloudflare domain so I only have to auth with CloudFlare once, would be better than nothing. I don't like the tracking aspect of that though. Maybe there's some kind of advanced crypto which will solve this in a privacy conscious manner one day.
Unless IPv6 takes off fast more IP addresses are going to be shared. It's simply a terribly crude measure to assume IP address = person.
> I can understand not allowing me to post anonymously - but to go as far as refusing me read access? Really?
Read access still consumes resources - you may want to read up on what "denial of service" means and check your outrage. CloudFlare sits between you and the host server, and it's their responsibility to cut off DoS attacks before it can affect the host server. Their heuristics may not be perfect but it's not exactly a simple problem to solve.
> Read access still consumes resources - you may want to read up on what "denial of service" means and check your outrage. CloudFlare sits between you and the host server, and it's their responsibility to cut off DoS attacks before it can affect the host server. Their heuristics may not be perfect but it's not exactly a simple problem to solve.
It's hardly rocket science to determine when a DoS attack is occurring based on the overall traffic level. And until it is there is no need for countermeasures.
Blocking of read access is not something I've often experienced before, and certainly not at this scale. Usually it's just one admin blocking an IP here and there, but now, with this job outsourced... To be able to impede an IP from accessing such a huge swathe of sites is a unique and new innovation, and a scary centralisation of power.
The ability to block threats is far greater, sure, but so too is the potential for collateral damage.
I'm actually working with Tor Project to fix the captcha/etc. problem; it's not intentional, and we're trying to figure out a way to special case Tor exit nodes and other shared IPs to prevent accidental blocking.
(We have the advantage of only really caring about http/https through Tor, so we can do more advanced heuristics for abuse, blocking URLs, etc.)
Ha, so much irony, CloudFlare.
The company that is determinedly CAPTCHA-walling as much of the internet as it can get its hands on supports Network Neutrality...? Reeaally?
You support network neutrality, as long as your users don't use Tor. And don't use a VPN. Or any other kind of shared IP. Or have cookies disabled.
No, your support of network neutrality is utterly, utterly shallow. You might pragmatically support it, as it pertains to you not having to pay any more for your data pipes, but you share none of the principles behind it - that all people should have the same access to content.
Oh look - I try to access BattleForTheNet.com: "Please complete the security check. Please enable cookies".
An IP address is not a person. Somehow Twitter, Facebook, Google, can figure this out... Why can't you?
Edit: Also, is anybody else affected by these CAPTCHAs? I can't believe it's just me. Literally half of all news articles and such I try to read, I'm getting CAPTCHA-walled by CloudFlare. It's quite scary to suddenly realise how much control this single company has. (Not to mention incredibly annoying. I've taken to simply avoiding several news sites I used to browse.)