> But, if we've seen your browser behave elsewhere on the Internet acting like a regular web surfer and not a hacker, then we can use your browser’s good reputation to override the bad reputation of the hacker coffee shop's IP.

Look, please correct me if I'm misunderstanding or taking your words out of context.

But what I hear you saying is that CloudFlare is fundamentally opposed to user privacy at a business and an architectural level.

I.e., if you don't agree to let CloudFlare track you around the web (perhaps by simply declining cookies) CloudFlare is likely to degrade your user experience to the point of being borderline unusable and then point the blame at you for coming from a bad network neighborhood.




Yes, reputation is a form of tracking. And if you show up to a site with no reputation of your own, from an IP that has a known-bad reputation, it is in the best interest of the site to challenge (not block) you. You are 97% likely to be malicious traffic.

Edit: 97% is a real number, not an exaggeration, based on numbers from the report linked in the article.


Yes, but Tor flips through IP addresses regularly so you'd get challenged every few minutes.

Similarly, if you block cookies/supercookies/etc to avoid being tracked ... you'll be challenged every view.


Yes, you will. But the point is, with no other information to go on, that is the best option for the website. If you don't want to be challenged constantly, you need to give the website operator some incentive to accept your traffic.


There is plenty of information to go off of. They just don't want to put in the engineering effort required to utilize it.

Is there really a constant DDoS attack on all of these sites from users with no cookies?


On a given site, not necessarily, but on some sites that cloudflare is protecting, pretty much always would be my guess... cloudflare doesn't know you're not the spammer/bot/malicious actor using the same exit node... it only knows that you don't have any cookies, and that means you look a lot like the bad guys coming from the same IP.

One could set up an IDENT-like service that delivers a hash for the source's route, and that would enable better scoring, but also could be used as a tracking measure... you can't have one without the other.

Even then, it would take either the user allowing cookies, or the TOR system to change their exit nodes.


There are a number of other ways to identify abuse.

Listed those in other responses.


Honestly, it probably would be beneficial to my productivity if I dropped all of Cloudflare's IP ranges since it'd keep me from going on HN, Reddit, etc. :P

The need for incentive you mention is silly. The website operator [much like a job searcher with a resume] wants to be in front of as many non-malicious people as possible. And while you might argue 0.04% of malicious traffic comes over Tor, I've operated sites where 20%+ came over some sort of proxy with poor IP reputation.

You know what?

Fuck it. I'll just build my own site that doesn't use Cloudflare for such a purpose.


Global traffic patterns don't tell the story. I've seen sites where 100% of Tor traffic was malicious, so the fact that 0.04% is typically malicious is meaningless to the people operating that site.

It all depends on what you do. I had a customer a few years ago that was forced to geo-block IP addresses from China, most African nations and Bulgaria. The nature of that customer's business made that an easy solution.

A company like Cloudflare serves everyone without a lot of context. If your site serves a Tor-heavy niche, it's not the right solution.


Privacy oriented niche, but yeah.


Even better, treat the website that does so as malicious and stop visiting it.


That's an entirely valid response. Just don't expect anything to change due to your boycott, since only 0.04% of all legitimate traffic comes over Tor. They won't miss you.


> I.e., if you don't agree to let CloudFlare track you around the web (perhaps by simply declining cookies) CloudFlare is likely to degrade your user experience to the point of being borderline unusable and then point the blame at you for coming from a bad network neighborhood.

It seems like CloudFlare is not absolutely committed to this position because they're willing to explore things like the blinded tokens approach.


Can you conceive of an alternate way to score traffic on the Internet? What might that be?


So there are two problems here, right? Spam and DoS.

Comment spam isn't a CloudFlare-level problem. If sites want to allow anonymous comments then they get the consequences of anonymous comments (or have their own CAPTCHA for them); if they want to require account registration and some vouching or proof of work or payment to get an account then they can have that as well.

DoS is a CloudFlare problem, but you don't need historical IP reputation for that, you only need what that IP address is doing right now.


Comment spam is one of the things CloudFlare advertise as protecting sites from, so yes it is their problem.


It's only their problem because they chose to claim they could solve it when their solution is the one that causes all of this trouble.

They're not in a position to do it accurately.


There are a million ways.

Order of requests for that IP in the last n minutes, timing of requests, request headers order, type of content requested, captcha content timings, specific-for-site content requested, etc
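The signals listed in that comment, and the earlier point that DoS handling "only need[s] what that IP address is doing right now", both amount to scoring an IP from its own recent requests rather than from historical reputation. The block below is an added example of that kind of scorer; it is not code from Cloudflare or from anyone in this thread. It works over a constructed log with two IPs: one that looks like a person reading a post and commenting once, and one firing metronomic POSTs with a churning header order. The thresholds, feature names and log format are assumptions chosen for illustration.

```python
"""Per-IP behavioural scoring from a recent request log (added example).

Signals computed per IP inside a time window:
  - request count (rate)
  - regularity of inter-arrival gaps (scripts are metronomic, people are not)
  - number of distinct header-order fingerprints (forged/rotating headers)
  - share of "action" requests (here: POSTs)
Thresholds are illustrative assumptions, not anyone's production values.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Request:
    ts: float          # seconds (any monotonic clock)
    ip: str
    method: str
    path: str
    header_order: str  # comma-joined header names in the order the client sent them


# Constructed sample log, format: "ts ip method path header_order".
# 198.51.100.7: reads a post, fetches a stylesheet, posts one comment.
# 203.0.113.9: six POSTs exactly 0.5 s apart with a shifting header order.
SAMPLE_LOG = """\
1000.00 198.51.100.7 GET /post/42 host,ua,accept,cookie
1003.40 198.51.100.7 GET /static/app.css host,ua,accept,cookie
1009.10 198.51.100.7 POST /comment host,ua,accept,cookie
1000.00 203.0.113.9 POST /comment host,accept,ua
1000.50 203.0.113.9 POST /comment host,accept,ua
1001.00 203.0.113.9 POST /comment ua,host,accept
1001.50 203.0.113.9 POST /comment host,accept,ua
1002.00 203.0.113.9 POST /comment accept,host,ua
1002.50 203.0.113.9 POST /comment host,accept,ua
"""


def parse_log(text):
    """Parse the constructed log format into Request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, hdr = line.split()
        records.append(Request(float(ts), ip, method, path, hdr))
    return records


def features(records, ip, now, window):
    """Compute the per-IP signals over requests in [now - window, now]."""
    recent = sorted(
        (r for r in records if r.ip == ip and now - window <= r.ts <= now),
        key=lambda r: r.ts,
    )
    n = len(recent)
    gaps = [b.ts - a.ts for a, b in zip(recent, recent[1:])]
    # Coefficient of variation of gaps; None when there are too few to judge.
    gap_cv = None
    if len(gaps) >= 2 and mean(gaps) > 0:
        gap_cv = pstdev(gaps) / mean(gaps)
    fingerprints = Counter(r.header_order for r in recent)
    post_share = sum(r.method == "POST" for r in recent) / n if n else 0.0
    return {
        "count": n,
        "gap_cv": gap_cv,
        "distinct_header_orders": len(fingerprints),
        "post_share": post_share,
    }


def decide(f, max_count=6, min_gap_cv=0.2, max_header_orders=2, max_post_share=0.8):
    """Return ("challenge", reasons) or ("allow", []) from the feature dict.

    Each threshold is an assumption; a real deployment would tune them per site.
    """
    reasons = []
    if f["count"] >= max_count:
        reasons.append("rate")
    if f["gap_cv"] is not None and f["gap_cv"] < min_gap_cv:
        reasons.append("metronomic_timing")
    if f["distinct_header_orders"] > max_header_orders:
        reasons.append("header_order_churn")
    if f["count"] >= 3 and f["post_share"] >= max_post_share:
        reasons.append("post_heavy")
    return ("challenge" if reasons else "allow", reasons)


def score_ip(log_text, ip, now=1010.0, window=60.0):
    """Convenience wrapper: parse, featurise and decide for one IP."""
    return decide(features(parse_log(log_text), ip, now, window))


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9"):
        print(ip, score_ip(SAMPLE_LOG, ip))
```

Note what this does and does not buy you: none of the signals needs a cookie or any history of the browser elsewhere, so a cookie-less visitor from a clean IP is scored only on what they do on this site. But the scoring is still per IP, so two clients behind the same Tor exit or proxy are scored together, which is exactly the sharing problem raised earlier in the thread.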


None of those sound particularly effective.


Not without decreasing anonymity...
