1. 31
  1. 11

    I’m a CloudFlare engineer and came across this post last night as well.

    Both of the issues that slashgeek raises (POP connectivity and unfair CAPTCHAs) are ones that we are always working to improve, both for our customers and for internet users regardless of their nationality. It’s no good that the service fell short for slashgeek and the users of his ISP.

    CloudFlare’s position has always been that it should make the internet work better for everyone. If we’ve failed to do so here, then we’ll have work to do to remediate it. I’ve pointed our communications team to the thread so they can follow up on this.

    1. 8

      Wow, I had no idea that CloudFlare makes it that much more annoying for non-EU/US/CN internet users to use sites behind their services. I should have taken the time to be more aware of this, as much of my extended family lives in SE Asia (mostly the Philippines).

      I’m now seriously reconsidering using it for any future web apps. I mean, yes, there are abusers in areas that don’t have CF data centers, but punishing an entire segment of internet users seems all sorts of terrible to me (plus, it’s not as if potential spammers/DDoSers don’t operate from within the EU/CN/US regions).

      This has some serious implications for knowledge access across the globe.

      1. 5

        So it’s not just Tor Browser, but also when your ISP uses (carrier grade) NAT… and/or shares the IP addresses between various customers…

        1. 1

          But if the ISP is already doing a carrier-grade NAT, or has a long-latency connection, then they should just run a transparent web proxy, and problem fixed.

          Oh, wait, I forgot, the best (faux-)security practice for every static web-site advocated by CloudFlare et al is to install an HSTS policy and require https connections from all clients, making it impossible (or at the very least very non-trivial) to deploy a transparent caching proxy. Never mind, then – just move to urban Europe or North America, problem solved.

          1. 1

            Proxies are terrible. They are far more complex than NAT, which means they break. AT&T’s proxy used to somewhat regularly decide that certain upstream sites weren’t available and refuse to allow me to connect.

        2. [Comment removed by author]

          1. 21

            > It’s not discrimination, it’s economics

            I’m fairly sure these two things are not mutually exclusive (in fact, often quite overlapping).

            1. [Comment removed by author]

              1. 10

                I think perhaps I would most precisely call this systemic oppression. Which is a term that, at least to me, does not necessarily mean anybody planned it, and I doubt anybody thought seriously about the social negatives in either of these cases.

                1. 8

                  Is the usual term “structural”?

                  1. 1

                    Sure looks that way. Thanks, hadn’t noticed the synonym.

                2. 6

                  “Discrimination” does not imply intent – merely outcome. Often systems can be discriminatory without any sort of intent involved.

            2. 4

              It is also ruined for me. Not because I am on a blocklist, but because it prevents me from using web scrapers and bots for processing the HTML.

              It was a problem a few months back, when I wrote a semi-automatic web analyzer for the Czech webarchive.

              1. 2

                I also had a problem with it in regards to captchas, and I’m not even in Asia, nor am I using a shared IP address (nor is CGN involved).

                Funny enough, it seems like all the presidential candidates are using it for their web-sites. I recall getting these captchas every single time when I tried to visit the Trump and, I think, either the Sanders or Hillary web-sites (or even all of them), and completing a captcha on one didn’t alleviate the need to do so on the others. Now it seems like it’s only still reproducible on http://www.donaldjtrump.com/ , they even have a new fancy design for the captcha page now, which is now custom-made specifically for Trump with all the regular site elements.

                As an internet engineer, I also don’t even understand why there is any need for any captchas on something like the front page of pretty much static websites like those of the candidates in the first place (nor why it has to repeat every day, even when my IP address never changes and is not shared with anyone (and certainly no CGN involved)). Security-theatre, indeed.

                However, I also have to say that CloudFlare’s competition is oftentimes even worse – I finally became an NMA (Motorists.org) member after receiving a speeding ticket in Austin, and I couldn’t log in to manage my account or access my benefits, receiving a lousy “ERROR: That action is currently not allowed.” upon trying to log in to their WordPress-based website.
                Long story short, but even after exchanging many emails with the President of the association (it’s a pretty small group, so, I guess he actually acts as a secretary as well), who claimed to have gotten his “IT guys” involved (sounds like a bunch of those WordPress junkies that have no clue what they’re doing or how things really work), the issue could still not be resolved, even after providing many screenshots and much IP-address information, and letting them check whether the IP-address is blocked by their “Sucuri” “firewall” (seriously, a “firewall” nowadays can refer to a WordPress plugin?!).
                They claim my IP is not actually blocked, and still have no idea why I’m receiving the error (in all browsers, no less), yet somehow accessing their site with the same browsers from a different IP address doesn’t exhibit the issue. Well, that’s WordPress for you!