The author was blocked from accessing a work website due to issues with Cloudflare’s browser integrity checks. Despite having credentials to prove his identity, an attempt to bypass the checks by disabling fingerprinting in Firefox resulted in Cloudflare blocking all access. He could still access the site on Chrome, showing the block was based on his browser configuration. This left the author unable to complete important work tasks and questioning how much control individuals really have over authentication in an increasingly centralized web ecosystem dependent on remote attestation. It highlights the need for transparency and user agency in how identity verification is implemented online.

  • Big P
    link
    fedilink
    arrow-up
    34
    ·
    1 year ago

    I don’t think that’s what happened to the author. Cloudflare generally doesn’t leave you on that page if it detects a suspicious browser. Plus, how is cloudflare supposed to use your corporate VPN and your certificate to verify your identity? They don’t have an omnipotent view of all corporate VPNs that exist. The check that cloudflare does on that page is pretty javascript heavy and I assume it was just temporarily broken in Firefox. Which is an issue in itsself, but it’s not the massive deal that the author makes out.

    • d3Xt3r@lemmy.nz
      link
      fedilink
      arrow-up
      22
      ·
      1 year ago

      I can’t speak for the author but I’ve experienced this issue a few times, with increasing frequency of late, on Firefox and even other apps (not Chrome). Especially if I’m browsing under private mode (which I often am, just because I don’t like any cookies/cache to be saved for random sites). Now, it’s not like it’s some random site who’s Javascript broke or something, perfectly functioning sites would stop working and display that CloudFlare access denied message, when they previously worked just fine.

      The other app I’d experience issues with is Tachiyomi, a manga reader and scraper. Whilst it works fine for the most part, every once in a while I’d get blocked by CloudFlare, which prevents Tachiyomi from searching/accessing various manga sites. But if I access the said site via Chrome, it’d work just fine.

      It’s not just CloudFlare. Sometimes, when again browsing via Firefox’s private mode and say I needed to run a Google search, Google sometimes throws a captcha at me because it finds my activities “suspicious”.

      Just so you know, there’s nothing unusual about my internet setup - I’m just a standard home user, with a static-ish IP from a well known ISP. My public IP has been the same for over an year now, and I don’t run any web/mail servers or anything that my ISP or a website would dislike.

      What it is, is just plain discrimination. Just because I have my privacy filters up and blocking all tracking and crap, it’s seeing me as suspicious. If this sort of stuff is going to be the norm, I can only imagine how much more bleak our future would be if Google’s WEI went into effect.

      • Big P
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Google sometimes throws a captcha at me because it finds my activities “suspicious”.

        To be fair, google does that to me too and I use chrome

  • tiwenty@jlai.lu
    link
    fedilink
    arrow-up
    25
    arrow-down
    1
    ·
    1 year ago

    I hate it when in selfhosted circles they recommend CF. Why in hell would you want to be tied to them when you are wary enough to selfhost ¯_(ツ)_/¯

    • redcalcium@lemmy.institute
      link
      fedilink
      arrow-up
      18
      ·
      edit-2
      1 year ago

      It’s popular because many people don’t have static IP, behind a CGNAT, or simply don’t want their residential IP address exposed, so their option is either use a vps as a tunnel (cost money) or use cloudlare tunnel (free). Obviously the free one get more use.

      • tiwenty@jlai.lu
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        I totally understand the appeal. But I don’t usually see people explaining the drawbacks and alternatives. Only a plain and simple “just use CF tunnel” for instance.

    • bob
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      Who would you recommend as an alternative DNS provider?

      • tiwenty@jlai.lu
        link
        fedilink
        arrow-up
        7
        ·
        edit-2
        1 year ago

        Tbh I don’t think as a DNS provider they are too bad, it’s pretty simple and one or another will do the job. I was more thinking about the techs talked in the article, or features such as tunnels and all.

      • Scary le Poo@beehaw.org
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Use a pihole with unbound so that you become your own DNS. It’s waaaay better and it’s easy as hell to set up. You don’t even need a raspberry pi. It can be set up using in windows using wsl.

        https://github.com/DesktopECHO/Pi-Hole-for-WSL1

        If you have an old spare computer that can be left on all the time, you could set it up on that computer and point your router DNS at it so your entire network benefits from it.

    • upstream@beehaw.org
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Someone I know who works in payments told me they had to go to CF because of the insane amount of DDoS attacks they were facing.

      While having three ISPs and mitigating a boatload of DDoS on their own infrastructure they were simply unable to cope with the persistence.

      They first tried another provider, but they handled less DDoS than their own internal systems.

      Cloudflare wasn’t even sure they wanted them as a customer.

      Some of the biggest attacks mitigated by Cloudflare last year (they wrote about it) was this client.

        • upstream@beehaw.org
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Depends on what you mean by self-hosted. Because basically they are. No cloud providers meet their security requirements (required for their level of PCI certification).

  • LoafyLemon@kbin.social
    link
    fedilink
    arrow-up
    20
    ·
    1 year ago

    I feel like this is way overblown. If you tamper with browser headers and user agents, you will be blocked.

    If you use incognito mode or TOR, you won’t be blocked, and in fact, cloudflare offers onion routes for your website so the traffic is fully secured.

    If it weren’t for cloudflare, I would have to pay three times the server costs and put twice as much time into managing it.

    • Squiddles@beehaw.org
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      The author explicitly says that they didn’t tamper with headers or user agent. I’m neutral/not knowledgeable on the rest of your comment, but wanted to clarify that point.

    • conciselyverbose@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      The problem is that they’re a monopoly abusing their position to make it impossible to have the basic privacy you should be unconditionally entitled to to browse the internet.

      It should be blanket illegal to block/discriminate against traffic based on the browser used in literally all contexts.

      • LoafyLemon@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        The situation is analogous to being at sea – if you don’t respond to calls and signals, you are viewed as a potential threat. Altering user agents doesn’t decrease your visibility; in fact, it has the opposite effect. It amplifies the uniqueness of your digital fingerprint, thereby making you more identifiable.

        By default, Firefox uses a single identifier for all users, making it difficult to pinpoint individual users, which aligns with the recommended approach as described above.

        • conciselyverbose@kbin.social
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          if you don’t respond to calls and signals, you are viewed as a potential threat

          This is unconditionally unacceptable behavior and an inexcusable and unforgivable violation of privacy. It is not and cannot under any circumstances be your business what a user does on their own computer while connected to your site. There are no exceptions.

          Willfully terminating a connection for anything resembling that in any way should automatically get your domain seized with no path to ever getting it back.

          • LoafyLemon@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Oh, it’s quite evident that you’ve never had the joy of owning or managing a website. Your perspective is truly enlightening, showcasing your vast experience in the world of cybersecurity.

            • conciselyverbose@kbin.social
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              It’s perfectly possible to understand how the internet works without being a piece of shit who thinks they’re entitled to dictate the software choices of their customers.

                • conciselyverbose@kbin.social
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  1 year ago

                  Escalated like running arbitrary code on someone else’s computer to decide if they’re allowed to visit your site?

                  It’s not possible to be an acceptable human being and think that’s OK.

      • crab@lemm.ee
        link
        fedilink
        arrow-up
        13
        ·
        1 year ago

        I can’t speak for everyone, but they increase the security and performance of websites for free. I’m sure a lot of people would like to move away from Cloudflare, but every time I try to find an alternative, none of their competitors even come close. Let’s say I moved one of my websites to Bunny CDN and transferred 1TB per month, that could increase my website cost by $120 per year.

        The sad reality is that Cloudflare can basically do whatever they want until another competitor offers a good free alternative, which is unlikely because Cloudflare has a monopoly. We would effectively be asking millions of websites to pay to use a service with less features.

        I’m still looking for a good alternative, so if anyone has one then please let me know.

  • Sh4d0w_H34rt@geddit.social
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    Been dealing with Cloudflare crap for a while now, thought they just had a hatred of TOR traffic. With Google truing to push website DRM I can only see things like this getting worse.