

Comments
Cloudflare is so many different things. You need to be specific (including in the title) in which product or functionality of CF you're taking issue with.
I don't get many of these, I'd assume it's because you're on a VPN?
I think when I am off VPN, I get "verify you are human".
It is the type where you just click a checkbox and go....
When I am on a VPN, I always get a captcha that has puzzles that never match...
Like when the one that says click on square images that contain a bike. I select every square image that the bike is inside of! That is always considered wrong!
Am I supposed to only select square image that is the base of the bike and not the handles and seat?
It's free, it's cheap, it's efficient
Lose 99,99% Bot > Lose 1% visitors
Also, CF Captcha is not that hard even if you are using a VPN, compared to gCaptcha, and it only shows when users are abusing the network or showing suspicious activity. Heck, even I get an instant check all the time on a VPN, so it's just a skill issue
I don't think Cloudflare uses reCAPTCHA anymore, so this must've been a long time ago? hCaptcha does not have these types of tests.
Losing some visitors or losing all due to DDoS? It's the answer to this question.
Most of the time I just click the box and it lets me through
Google is worse. I’ve selected all of the busses 34 times, am I human yet!?
There's a site where you can check how human Cloudflare thinks you are.
https://cloudflare.manfredi.io/en/tools/connection/
You are not a verified bot and you are 86% human. When I checked earlier it thought I was 98% human.
So has Cloudflare become the pinnacle of technology and DDoS protection? There's nothing better that doesn't piss off your site visitors?
On a VPN & proxy = You are not a verified bot and you are 93% human.
On home network = You are not a verified bot and you are 76% human.
It doesn't add up =/
Yes, and this is after solving how many hundreds of Cloudflare challenges from the same IP address. They're starting to reach Google-level aggravation. I've done what I can to minimize Google usage, I guess it's time to do the same for Cloudflare.
But you can't...
I've read that 30% of the internet uses Cloudflare "protection", it is annoying but they can't be avoided..
I've found the 'your web browser is out of date' screen the most frustrating though.
We actually wrote a blog post about this on our blog the other day -- Cloudflare actively MITMs basically the entire internet. So yeah, it doesn't just have these issues, it's actually a huge problem for internet security/privacy as a whole in the process.
https://blog.ipv6.rs/understanding-tls-mitm-and-privacy-policies/
You could try this extension: https://github.com/cloudflare/pp-browser-extension
I would also check if you have any exotic browser settings that Cloudflare doesn't like.
I'd like to find a way to block all of the Cloudflare challenges, so it will just give an error page and I don't have to look at it. Those sites are just broken, so they can cease to exist.
Add these ranges to your firewall: https://www.cloudflare.com/ips/
Someone could probably build a userscript that gives you an error when encountering their challenge.
Edit: Found this Firefox addon: https://addons.mozilla.org/en-CA/firefox/addon/bcma/
https://addons.mozilla.org/en-CA/firefox/addon/block-cloudflare/
https://addons.mozilla.org/en-CA/firefox/addon/cloud-firewall/
Interesting. While I don't care for Cloudflare in general, I don't really want to block every site that uses them. Just when challenges are presented instead of the site.
Also your blog post says that you offer a SNI proxy which doesn't decrypt -- but nothing prevents you from decrypting. You could easily issue a LE cert because your customers still need to point DNS records at you. If your problem is that the MITM proxy can't be trusted then neither can an SNI proxy.
I'm not saying that there aren't privacy problems with CF, but I think the blog post you linked is just factually dubious.
A DNS CAA record prevents that issue (at least with an LE TLS certificate). However I am not sure if they require setting their own NS.
Also, such a MITM can be easily detected due to the certificate change (also, it is public information when a certificate is issued).
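The CAA point in the comment above, as an added example that is not part of any poster's comment: a simplified evaluation of a CAA record set following RFC 8659, including the RFC 8657 `accounturi` parameter, to show which records restrict Let's Encrypt issuance to the domain owner's own ACME account. The function names, `ca.example` and the account numbers are constructed for illustration.

```python
# Added example: subset of CAA evaluation (RFC 8659) with accounturi (RFC 8657).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_issue_value(value):
    """Split 'ca.example; k=v' into (issuer_domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), {k.strip().lower(): v.strip() for k, v in params.items()}

def ca_may_issue(rrset, ca_domain, account_uri, wildcard=False):
    """rrset: list of (flags, tag, value) for the relevant CAA RRset."""
    # A critical (flag 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild (when present) replaces issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restricting property: CAA does not limit issuance
    for value in relevant:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain:
            continue  # also covers 'issue ";"' (empty issuer authorizes nobody)
        bound = params.get("accounturi")
        if bound is None or bound == account_uri:
            return True
    return False

# Constructed sample data: two ACME accounts at the same CA.
LE = "letsencrypt.org"
OWNER = "https://acme-v02.api.letsencrypt.org/acme/acct/1111"  # constructed id
OTHER = "https://acme-v02.api.letsencrypt.org/acme/acct/2222"  # constructed id

OTHER_CA_ONLY = [(0, "issue", "ca.example")]
LE_ANY_ACCOUNT = [(0, "issue", "letsencrypt.org")]
LE_PINNED = [(0, "issue", f"letsencrypt.org; accounturi={OWNER}")]

if __name__ == "__main__":
    for name, rrset in [("other CA only", OTHER_CA_ONLY),
                        ("LE, any account", LE_ANY_ACCOUNT),
                        ("LE, pinned account", LE_PINNED)]:
        print(f"{name:20} owner={ca_may_issue(rrset, LE, OWNER)} "
              f"other={ca_may_issue(rrset, LE, OTHER)}")
```

A plain `issue "letsencrypt.org"` record authorizes every account at that CA; only the record carrying `accounturi` limits issuance to one account.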
Yes, but the target audience for the blog post is people who don't know what CF actually does, CAA records aren't likely something they understand, same with MITM detection via certificate changes.
If you want to write a blog post about this stuff I think it's very important to give full context about the various options rather than just shilling your own product because "it fixes the problem that I mentioned in this blog post!"
Do you have a static IP? If so, please provide it in a DM and I’ll gladly block you from all of our sites.
The web site owner can dial down the security level whilst getting the other numerous benefits of Cloudflare without the "Verify you are human" prompts. So whilst it may be default it isn't forced, and I suspect many switch to 'High' or higher without understanding the implications
But since you are an unwelcomed VPN user, you should be banking credits at all times. https://developers.cloudflare.com/waf/tools/privacy-pass/ will certainly help
Just use low protection settings with Cloudflare and if your site gets attacked it automatically enables higher protection ...
We regularly get DDoS attacks but whenever the site is under attack, Cloudflare automatically enables captcha verification etc... for our site ....
Not sure if this is how it works for their FREE Tier, at least for the paid one it works this way, never had problem of captcha ....
If you get the privacy pass extension you get to skip 10 captchas for every one you do inside of the extension.
I use a public VPN (Mullvad), but I rarely get this unless the site owners enforce it by enabling “I'm under attack” mode or with a Page Rule. And when I get it, I just need to click the checkbox to solve the challenge which uses Turnstile, their own Captcha alternative.
I find it's so much better now compared to a few years ago when they were still using reCaptcha, and then hCaptcha. But I'm not sure whether they still use hCaptcha or not, haven't seen it for a hot minute.
And, Google, when they don't like your IP, is 100x worse.
And I'll use Cloudflare to do it
I think it's a situation where both site admins and visitors have been lulled into a sense that what Cloudflare is doing is normal and necessary. But there are other CDNs and DDoS protection services, and I'm not seeing the same sort of thing from anyone else, except maybe Google (which is a whole other thing).
Because the benefits outweigh the costs.
There's a chance I am a bot.

Yes, I am having this issue too. But only when I am using a VPN/proxy.
I think the majority now uses Turnstile, which is less hassle and more convenient than hCaptcha and reCAPTCHA. Can't blame site admins as DDoS attack is a real threat to their infra and having Cloudflare DDoS protection is better than none at all.