
> Unfortunately, that then means all we can rely on when a request connects to our network is the reputation of the IP and the contents of the request itself.

So, essentially, Cloudflare relies on defense in depth as a security company, but a side effect of this is that Tor [and IP anonymity services in general] are affected.

Fair enough, but you may want to seriously consider just giving the availability to ignore IP reputation altogether [except during a DDoS] to your customers, since it isn't just Tor but also VPNs, etc. that are impacted by this sort of strategy.




Customers can toggle how much they want IP reputation to be taken into account on a site-by-site basis. Agree that it should be a customer's choice, which is why it has been since the day we launched in 2010.

The seeming disconnect is that the vast majority of our customers ask us to provide them a way to block Tor entirely. And we've resisted that because we believe the anonymity Tor provides is a good thing. Same reason we don't allow the vast majority of customers to entirely block traffic from an entire country, even though it's one of our top customer support requests.


For what it's worth, as somebody who used to manage a site that was under constant attack and whose users were regularly victims of phishing... I appreciate blocking Tor.

We weren't using Cloudflare but our own systems that were using IP threat rating services like MaxMind, but eventually we had to totally prevent anything important from being done on the site via anonymous proxies. Bids, Listing Creation, Payments of any kind had to be completely blocked from those sources. People were using Tor to create fake listings on fake users with stolen credit cards that we were then paying chargeback fees for. Using Tor to bid up their own auctions. Direct messages soliciting users to take the transactions off site.

Blocking those systems was one of the most effective things that we had to do and our users were vocally happier about it.


> Same reason we don't allow the vast majority of customers to entirely block traffic from an entire country, even though it's one of our top customer support requests.

https://www.cloudflare.com/features-security/

> In addition to CloudFlare’s automatic detection, you can easily add an IP address, IP ranges or entire countries to your Trust and Block list.

Umm, vast majority is non-paying, I take it, since I believe it's available on every paid plan?

https://support.cloudflare.com/hc/en-us/articles/200170056-W...

> A low security setting will challenge only the most threatening visitors. A high security setting will challenge all visitors that have exhibited threatening behavior within the last 14 days.

I'm guessing you mean the "Essentially Off" option which implies Cloudflare basically stops providing security?



