The broken thing is that anyone can send any unsolicited traffic anywhere, making Cloudflare a requirement for hosting a website. If we had properly authenticated traffic only that verifiably comes from a human, we would not need all these error prone defenses with false positives.

>If we had properly authenticated traffic only that verifiably comes from a human (...)

Sounds very dystopian and DRM-y for me. You would have to enforce this at the OS or even hardware level (because otherwise bots will just lie). And probably mandatory by law.

Unfortunately I don't think we can force devices to differentiate between "user-originated" and automated traffic without changing internet fundamentals and locking it down.

Yes, that is the point. The options we have are changing these fundamentals, or continuing down the path of ever more aggressive stochastic methods for filtering out most of the bots.

At some point balance will tip where an internet with only authenticated traffic will be seen as more usable and preferred by the masses, then anonymity is over. New AI systems generating unfathomable amounts of human-like garbage to flood all UGC platforms might actually become the tipping point fairly soon.

So far actual humans have no problem copy pasting AI crap. Verification that they are in fact real humans is not going to fix that.

> The broken thing is that anyone can send any unsolicited traffic anywhere, making Cloudflare a requirement for hosting a website.

If a Cloudflare-like service is a required part of internet infrastructure, then each ISP and hosting provider should offer their own, equivalent service. By law, if necessary, if the economics don't work out otherwise. Because having a single company be the arbiter and monitor of who may visit any website is, well, bad.

But they can't. The service only works because of Cloudflare's scale and view of large portions of internet traffic.

Cloudflare is not a requirement for hosting a website.