
Have they made a better internet? Many would say that made it worse.


> made it worse.

I'd say this too. I'm giving Let's Encrypt 100% credit for making HTTPS so ubiquitous and free.

But Cloudflare certainly made things worse for the "webmaster" era of the Internet, with everything centralized to Cloudflare. I live in Vietnam, and Cloudflare has made things super annoying with their captcha challenges everywhere.

Credit where it's due, Cloudflare pushed HTTP/2 and 3 adoption. More websites are available over IPv6, and their 1.1.1.1 DNS is actually quite nice.


I'm in the USA, but run Linux. I am getting tired of proving I'm not a bot. I'm on a static IP and they still can't figure out that I'm not a bot.


I don't think they have a CAPTCHA. CAPTCHAs make the users work, Google does this with their reCAPTCHA. The user has to do free work to help Google with their training of machine learning models. I absolutely hate to do work to increase Google's already outrageous profits and leave the page immediately unless it is very important for me to visit it.

Cloudflare has something called Turnstile where the browser needs to do work. It's a bit of energy waste, but smooth for the user. Unless their algorithm comes to an incorrect decision and doesn't let you in. Then it's infuriating. For me in Europe that seems to be rare, but I have no idea how well it works in Vietnam.


This can be a slippery slope into censorship! Or a corporate feudal divide up the Internet segments by geo-locations.

Of course in general I do feel better about Cloudflare than Google making money.


> I don't think they have a CAPTCHA … Cloudflare has something called Turnstile

I believe CF Turnstile was only released in 2024. I believe they used reCAPTCHA up to 2020, and then switched to hCaptcha. I believe hCaptcha continues to be offered.


Right, 1.0 might have been last year. But it was available (maybe called beta?) probably since 2018 at least. I have used Gitlab since 2018 and IIRC it had Turnstile from the beginning. Gitlab have configured(?) it such that it comes at every login, but because it works automatically it has never been a problem for me. It wouldn't have worked on some phones, but I don't use phones for Gitlab.

I wasn't aware that they have (had) alternative solutions. Probably because I've rarely seen them. Or if they used reCAPTCHA I got mad at Google, not noticing that Cloudflare had injected it.


Overall, certainly. There are some negative things people talk about that you might agree with, but look back at what the market was that they disrupted and continue to disrupt. I think that without Cloudflare your registrar would be GoDaddy and your SSL certificates would be from Verisign and your rents would be huge. Backbone wise, that would depend on your region.


My registrars were different before and after GoDaddy existed and plenty of varieties existed. I find fewer exist now than during GoDaddy's heyday. But fewer people care about domain names as they stopped becoming a lottery ticket.

My worries were PayPal would take over but then came Stripe.

SSL certificates were from Verisign until Let's Encrypt offered them free. I didn't see Cloudflare changing that market.

Before them we had UUNET and other backbone providers.

Cloudflare made their name from DDoS protection attacks. They made that market.


For DDoS there was and still is Prolexic/Akamai. Cloudflare did not make that market, they just took a big chunk of it. There are other big players too, like Google.


I mean, maybe we would have found another solution to DDOS, but as someone who has had a pretty significant attack (on a service which is a clear public good) mitigated for free… it’s pretty nice being able to keep your services online in a hostile environment.


I don’t know the history here, do you have some examples?

My usage is pretty much limited to their DNS.


They're pretty reviled by people who go out of their way to be private via things like VPNs and locked down browsers, because that constantly trips their bot detection and makes using the web miserable.


And in places where CGNAT is in use, so that many people are on the same IP address, and botnets are active on that address.

I live in India in such a situation, and most of the time it’s not too bad, but I still encounter Cloudflare CAPTCHAs pretty frequently. At times, it’s been almost half the web is blocking you. And occasionally, it actually is blocking you, not just a CAPTCHA. It’s also not rare, when being more aggressively blocked, for a site to break because it tries loading scripts from another domain, which is then CAPTCHAing so that scripts just won’t load.

Back when I lived in Australia, I practically never got Cloudflare blocks.

The mechanism may be understandable and even justifiable to a considerable extent, but the poor definitely end up suffering more from Cloudflare than the rich.


They’ve got a pretty long history of helping scammers and criminals.

https://www.spamhaus.org/resource-hub/service-providers/too-...


So the better internet is for everyone, is that so bad?

I’d rather have them help everyone than make arbitrary decisions about who gets served. That’s what we have the legal system for.


It gets into the weeds fast. I thought I was all for free speech, then the Christchurch terrorist shared his live stream of him killing people.

The legal system is too slow and private companies have a dubious record of what they police. What’s a good model to follow?


> The legal system is too slow and private companies have a dubious record of what they police. What’s a good model to follow?

Get the legal system in shape. Yeet everyone above pension age out of public office so that we finally may get people into power who grew up with smartphones instead of old farts who let their secretaries print out e-mails and type audio recordings into letters. Then, do the same for police leadership and DAs, yeet the brawns and get the brains. You can't prosecute IT crimes if your average police officer doesn't even know what a proxy or a money mule scam is or if the DA is too goddamn lazy to file a subpoena because the damage is less than 950 dollars.

Then, crack the whip on domestic telcos, ISPs and hosters. Whoever hosts anything connected with more than 200 users has to have a 24/7/365 abuse hotline that has the manpower and authority to investigate abuse claims and remediate them (i.e. disconnect whoever is causing the problem until this party has remediated the issue on their end) in less than four hours.

Then, crack the whip on manufacturers of smart devices. Mandate that every Thing sold with internet connectivity get at least security updates for a decade, and that the full source code for everything in it including signing keys for firmware be submitted to Library of Congress or whatever archive and released when the manufacturer either goes bust or declares end of life for that Thing.

And then, get the State Department into shape. Countries from which malicious traffic operates or where money from scams gets exfiltrated to get half a year to get their shit in order and be good netizens, or they get cut off from Western nations. No SWIFT, no Internet, no SS7.

The Internet at its fundamental core (cough BGP) runs on the assumptions of a high-trust society, which has led to issues all over the place as the world has shifted towards a no-trust-at-all lawless society and as it is impossible to uproot probably trillions of dollars worth of infrastructure, drastic action needs to be taken to restore the Internet to a high-trust place again.


> Then, crack the whip on domestic telcos, ISPs and hosters. Whoever hosts anything connected with more than 200 users has to have a 24/7/365 abuse hotline that has the manpower and authority to investigate abuse claims and remediate them (i.e. disconnect whoever is causing the problem until this party has remediated the issue on their end) in less than four hours.

I think this makes small-scale hosting unaffordable. It would probably cost circa $150k to staff that hotline, which is then the lower bound on labor cost for the provider. That implies a $750/yr bill to each of those 200 customers before technical costs.


> Then, crack the whip on manufacturers of smart devices. Mandate that every Thing sold with internet connectivity get at least security updates for a decade, and that the full source code for everything in it including signing keys for firmware be submitted to Library of Congress or whatever archive and released when the manufacturer either goes bust or declares end of life for that Thing.

This is much needed so as not to have a bunch of e-waste. Of course, pretty sure this will cut into next year's new model's profit. Do we really need this new model of phone/computer every few years?


> or they get cut off from Western nations. No SWIFT, no Internet, no SS7.

How do you propose to disconnect them from the internet? As long as there is a country that peers with them that the west peers with, they will be reachable.


This is easy for the phone calls if the politicians cared: Every provider knows who the previous hop was for a call. You report every abuse and your previous hop has two options. 1. They're covered by local law and can point at their previous hop or direct customer. 2. They're abroad and it's their responsibility to deal with their previous hop.

Nobody wants to get disconnected from being and to call the US. This would solve the spam/scam calls issue pretty much immediately.

For the internet it would be harder to enforce.


I always figured a better idea was to put a token tax on voice/VOIP telephony. A few cents per minute or even per connected call that crosses the border.

This makes the unsophisticated scams that rely on spray-and-pray and low-take-rate uneconomical, AND provides friction against offshoring legitimate customer-service.

Yeah, you can argue people will encrypt their way around being easily taxable, but it's the "tax evasion/AML" concept-- you create something easy to prove and to prosecute, even if it would be harder to hunt down the underlying scam.


I'd vote for you. God damn I wish this was the world we lived in.


If a killer wanted to make a scene, they could just do it in the real world right in front of people instead of on Facebook.

These days, with everyone having a camera strapped to their hands or face, that might not work.


They also help the groups which sell DDoS services. And sell the DDoS protection. Even if we ignore their morally messed up choices, their business is both making things worse for everyone and sells the cure.


I guess people downvoting this didn't know - this is something that happens over and over again: https://www.reddit.com/r/CloudFlare/comments/zmx223/6_ddos_f...


> I’d rather have them help everyone than make arbitrary decisions about who gets served. That’s what we have the legal system for.

They don't get to have common carrier status without any of the regulation or obligations that go with it.


There's a ton of sites that ISPs wouldn't sell service to if it wasn't for Cloudflare making it difficult to determine where those sites were. It's basically /dev/null for abuse reports.



