New on LowEndTalk? Please Register and read our Community Rules.

Comments
It's honestly surprising to me how people that I bet come from a technical background and are relatively smart don't get the concept of false positives and that it's okay so long as it's profitable.
Feels like I've mentioned several times now that the people developing these systems are well aware that there will be false positives, and so long as the positives outweigh the negatives, it's worth it, yet again and again these types of comments come:
I don't know if I'm explaining it in a weird way, but to me it doesn't seem that complicated.
I just don't agree with this approach. Being that one "false-positive" is not something I wish to encounter as a user either.
Yeah, it's likely going to add some points to some score. Maybe more maybe less, who knows? As long as it isn't enough to cross whatever threshold there is it's not like anyone is going to notice anyways.
It's kind of surprising that Linux user agents get used in such a way though. All rogue crawlers I've written claimed to be the most common browser of that time running on the most common OS of that time (aka Windows). Using anything else seems massively stupid. You want to blend in as best as possible not stick out like a sore thumb after all...
I can't think of any counter measure that won't have any false positive.
Easy. Just protect your whole site with htaccess and have an error page telling users to call you. Once they've done a little 15 minute questionnaire you sit down, create a personal account for them and in the evening you send them a registered letter containing their account data.
A solution I imagine people that consider an automated system broken for having false positives find reasonable.
Well, it's a very smooth solution, you have to admit that. In little more than a week people will be happily browsing your site checking if it has that information they were looking for.
Not to mention you'll quickly amass the biggest collection of broken English known to man and be on the phone 24/7 (which sooner or later will lead to an even smoother solution as there'll be no time left to build any sites anyways).
IF I'd do this, I'd hire Calin to take the calls and respond to the emails. His instructions: "Give them a hard time and make sure they're honest."
Hahaha, I'd literally pay to watch that
This depends on the ownership and control of a server and context. In this case, we're referring to end to end meaning 'server <-> client' wherein Cloudflare is not.
The point is that you don't know these people.
You can monitor SSL certificate issuance, but I agree with this. SSL in and of itself is really broken generally.
I hope this clarifies the points more clearly. The real point, though, is that Cloudflare is a massive MITM. Take for example ChatGPT -- it's going through Cloudflare.
Cloudflare blocks or challenges bad requests from hitting my website. #cloudflare
This ain’t twitter and those ain’t my nameservers
Yeah, that's actually a way bigger topic than their filters. Well, this and the fact that they create a huge single point of failure.
Cloudflare doesn't work with cPanel Roundcube. It will work until at some point it stops working.
Risk/Safety software engineer here. @emgh is exactly right. When you're working with huge systems (in my case, one of the top dating apps) I can assure you those decisions ARE taken. In the circumstances, it's better to block 99.999% of the bad traffic even if it means 0.001% of the traffic is going to be a false positive.
It's not that anyone's after you. It's just that it's just way too complicated and expensive to accommodate you, given the very small number of people that are using your settings.
There are a lot of complaints about cloudflare. I don't think the false positive rate is 0.001%. It's likely much, much higher. And sometimes, they go after everyone. There is apparently some setting where everyone has to pass through the gauntlet.
Like I said before:
There are other CDNs and DDoS protection services that don't have nearly as many problems as Cloudflare. Even Google is an order of magnitude better, though when Google sinks their teeth in, they don't let go.
I'm using roughly ~2TB monthly traffic from free tier tunnel and it's been fine. my file transfers are always chunked at 100mb. further read:
https://old.reddit.com/r/selfhosted/comments/130szje/has_cloudflare_recently_changed_their_tos_re_use/
https://blog.cloudflare.com/updated-tos/
I'd say just use it to figure out the limit, they're giving warnings depends on your account / as they like it. your first slap on the wrist is with cloudflare r2 offering, if you don't want it then reduce your usage to not go over the usage in that month.
recaptcha is way harder than hcaptcha imo
Are you saying that if you fetched a 100MB file via Cloudflare even if it knows the Content-Length (sent by origin perhaps) or the object store metadata provides, it still uses http-chunked?
I use a captcha solver browser addon, but it cannot get past the new cloudflare "just click it"-captcha. It just locks me out. What even is the point of making an unsolvable captcha?
You mean a captcha that's not solvable by a machine, and can tell humans and computers apart?
I would call that a working captcha.
It sounds solvable..?
I agree. Hates that fire hydrants
The decision to render a cloudflare captcha page or not is mainly based on your IP (residential IP vs commercial), and JA4 fingerprint of your SSL client (browser).
Once cloudflare captcha page is rendered, it uses further browser information and cookies to decide if an interactive challenge should be used.
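The JA4 fingerprint mentioned in the comment above, as an added example that is not part of the original thread and is not Cloudflare's code: a simplified sketch that follows the published JA4 description and works on already-parsed ClientHello fields. The dictionary layout and both sample handshakes are constructed for illustration; it shows why the fingerprint is independent of the User-Agent header and of extension ordering.

```python
import hashlib

TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10"}

def is_grease(v):
    # GREASE values (RFC 8701) look like 0x0A0A, 0x1A1A, ... 0xFAFA; JA4 ignores them.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def _h12(s):
    # Truncated SHA-256 of a list string; an empty list hashes to twelve zeros.
    return hashlib.sha256(s.encode()).hexdigest()[:12] if s else "0" * 12

def ja4(hello, transport="t"):
    """Simplified JA4 over parsed ClientHello fields (assumed dict layout)."""
    ciphers = [c for c in hello["ciphers"] if not is_grease(c)]
    exts = [e for e in hello["extensions"] if not is_grease(e)]
    versions = [v for v in hello.get("supported_versions", []) if not is_grease(v)]
    version = max(versions) if versions else hello["legacy_version"]
    alpn = hello.get("alpn", [])
    alpn_tag = alpn[0][0] + alpn[0][-1] if alpn else "00"
    sni = "d" if 0x0000 in exts else "i"  # d = SNI (domain) present, i = absent
    part_a = "%s%s%s%02d%02d%s" % (transport, TLS_VERSIONS.get(version, "00"), sni,
                                   min(len(ciphers), 99), min(len(exts), 99), alpn_tag)
    # Sorting removes the effect of clients that randomise list order.
    cipher_str = ",".join("%04x" % c for c in sorted(ciphers))
    # SNI (0x0000) and ALPN (0x0010) are counted above but left out of the hash.
    ext_str = ",".join("%04x" % e for e in sorted(exts) if e not in (0x0000, 0x0010))
    sigs = ",".join("%04x" % s for s in hello.get("sig_algs", []))  # original order
    if sigs:
        ext_str += "_" + sigs
    return "_".join([part_a, _h12(cipher_str), _h12(ext_str)])

# Constructed sample: a browser-like handshake with GREASE, SNI and ALPN.
BROWSER = {"legacy_version": 0x0303, "ciphers": [0x0A0A, 0x1301, 0x1302, 0x1303],
           "extensions": [0x1A1A, 0x0000, 0x0010, 0x000D, 0x002B, 0x0033],
           "supported_versions": [0x2A2A, 0x0304, 0x0303],
           "alpn": ["h2", "http/1.1"], "sig_algs": [0x0403, 0x0804, 0x0401]}
# Same client, extensions sent in a different order (as some browsers do per connection).
BROWSER_SHUFFLED = dict(BROWSER, extensions=list(reversed(BROWSER["extensions"])))
# Constructed sample: a script's TLS stack; any User-Agent it sends is not part of this.
SCRIPT = {"legacy_version": 0x0303, "ciphers": [0x1302, 0x1303, 0x1301, 0xC02F],
          "extensions": [0x0000, 0x000D, 0x002B, 0x0033],
          "supported_versions": [0x0304, 0x0303], "sig_algs": [0x0403, 0x0804]}

if __name__ == "__main__":
    for name, h in (("browser", BROWSER), ("shuffled", BROWSER_SHUFFLED), ("script", SCRIPT)):
        print(name, ja4(h))
```
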
What? It obviously doesn't work, if it locks me out. I am not a machine.. I think.
I meant that I cannot hand-solve it either. The manual click does not work. I am just stuck.
You wrote that you couldn't get in using a captcha solver browser plugin. To me, that says you were trying to use a machine to get around a captcha. I admit I've never used such a tool, so I don't know what else it could mean.
Before or after you try to use the automated, non-human method?
If you think CloudFlare panel login captcha check button is bad, then you need to see GitHub puzzles of torture, 20-25 missing piece challenges in a row and then you fail.
Micro$oft
I hated the 'rotate the animal' a lot more.. Made me feel special because I could rarely pass them... Between not telling which angle was correct or doing them too fast or too slow.