
I like Cloudflare, because it provides some very essential services with free tiers. It is big enough, so I can trust them. I can be sure that they won't inject ads into my HTML pages. I can be sure that their DNS will not replace NXDOMAIN with fake ad responses. I can be sure that they won't log my VPN traffic trying to extract passwords or something like that.

For sure I don't support their decision to ban blind users and hope to see that resolved. But that's not enough to change my mind, not even remotely.



> I can be sure that they won't inject ads into my HTML pages. I can be sure that their DNS will not replace NXDOMAIN with fake ad responses. I can be sure that they won't log my VPN traffic trying to extract passwords or something like that.

But they have built the perfect shim in the middle to do ALL of these things at some point in the future.

The only thing preventing it is a handful of moral executives, who someday will move on or retire. At that point a smart Wall Street type is going to figure out that a merger between CloudFlare and $adnetwork is going to generate a shit ton of money (think Google+DoubleClick).

I don't doubt that CloudFlare is full of smart well meaning people, but what they have built is a ticking timebomb. The solution is to have ten CloudFlares so that the path between consumers and websites isn't regulated by a single organization.

Edit: to be clear, the internet was successful because any host could talk to any other host. If people did dumb shit you could work around it in creative ways. Even in the most oppressive countries censorship is still bypassable. CloudFlare's business model is centered around convincing companies to effectively disconnect their services from the internet so they only talk to CF servers.


And yet Cloudflare is just one of many massive internet companies. Are you going to say the same about Akamai? What about all the ISPs and exchanges in the middle? What about all the clouds and datacenters?

The reality is we live in an interconnected world where everyone uses hundreds of vendors to live and work. There's a certain amount of trust involved, backed by business relationships and the law. It's not perfect but it works just fine.

If you really think Cloudflare is excessively risky then of course you don't have to use it, but it's a strange conclusion to arrive at after looking at their actions all this time.


CloudFlare positions itself as an all or nothing frontend to your site, not just a CDN you offload assets to. Even sites that fully front themselves with a CDN you can still poke around and find the origin servers.

For example you can drop requests to fbcdn.net (which last time I bothered to check was a good mix of Akamai) and still make a connection to Facebook itself and at least log in and view HTML.

Obviously ISPs, internet exchanges, datacenters, and clouds operate very differently. But I imagine you know the difference.


What are you trying to say? You can use Cloudflare in a variety of ways, just like any other CDN.

My point is that there are lots of vendors with lots of control involved in pretty much every business transaction. There's nothing special about Cloudflare in this regard, in the same way you trust your bank or ISP or power utility or office custodial staff. Risk management is a mature process; no wild conspiracies required.


I was with you up until "The solution is to have ten CloudFlares so that the path between consumers and websites isn't regulated by a single organization."

This is hardly a solution, it just spreads the pain around. A solution would be a democratically planned organization, or group thereof, which is responsible to all shareholders including users, employees, executives, and investors.


Uh, I still don't want one company to be between me and most of the internet, no matter how it's governed.

(And if you wanna be snarky and say "what about your ISP" I can choose to use different ISPs. And even that is getting threatened.)


There is one company between you and gas, water and electricity. By all measures those seem a lot more important. How is this different?


Basically all of those companies are regulated, and none of them can cut you off, because you did something stupid. You can even murder someone, and they can't cut you off.


Right. So when a company has a natural monopoly on a resource or a service, it makes sense to regulate them strictly.

Which company are we talking about again?


I thought that before the pandemic too. Apparently the mayor of LA has the ability to cut off power and water though.

https://www.nbcnews.com/news/us-news/los-angeles-cuts-utilit...


They can easily cut you off if you don't pay.


Well yeah, sometimes. In some countries (I believe France), they can only limit power to lighting (a couple of hundred watts limit, so not totally off) if you don't pay, and if your only cooking appliance is using electricity (electric stove), they can't even limit that.


... Technically for us at least the _gas_ company is different. In fact there are a number of companies providing gas.


Part of the solution to monopoly is in fact multiple providers.

I did say part. Regulation and transparency also help. None are individually sufficient.


> The solution is to have ten CloudFlares so that the path between consumers and websites isn't regulated by a single organization.

There are! Cloudflare is by no means the biggest CDN provider - plenty of others exist out there. Akamai, CDNs from Google/Azure/AWS, Fastly, at least.

What makes Cloudflare so unique in attracting criticism like this? They're just a bog-standard CDN, the likes of which has existed long before Cloudflare. Is it just because they're the most "visible", having a free plan that people use?


I have never seen captchas from another CDN that I can recall. I believe that is partially responsible for people's opinions.


The Cloudflare captcha is ridiculous really and makes sites completely unusable with a VPN. I even get captchas for different pages on the same domain! It used to be you only got captcha for form submissions. But somewhere along the line you started getting it for simply visiting web pages as well. Part of me wonders if I'm just getting played by these companies into labelling all their ML training sets for them.


> But they have built the perfect shim in the middle to do ALL of these things at some point in the future.

Nginx/Webserver-as-a-service is literally their business. They could not have provided the services that they do any other way.


You can offer a reverse proxy as a service with e2e encryption. But yeah the CDN part not so much.


There's not really any "lock-in" with CloudFlare, though. It'd take me a day, at most, to move off of their free services.

They provide me a lot of value right now, for free. If they ever started doing something shady, I trust that people like you would cause enough of an uproar/pushback that I (and other site owners) would find out about said shady activity... and then move off CF.

I'm not as concerned with the what-ifs of what a company could do in the future as I am with their track record so far.


Google used to be well-liked too!


To me saying any $X big company is a ticking time bomb is nonsense.

The fact is, a number of companies control a huge number of eyeballs. An unethical exec taking advantage of that would cause an enormous PR nightmare. If you're making money with a great brand reputation, you don't mess with the recipe.


Yes, they do mess with the recipe. They've got money to mask it out and assist with conditioning the population to the new norm. And they can do this because the service is sticky. Mass client exodus is very unlikely. And the ones that move out for morals are quickly replaced.

Juggernaut is unstoppable.


We have plenty of historical data to draw from here. Cynicism is the rational approach.

Corporations (beyond a certain threshold of market control) doing shady, consumer hostile things for profit is the norm. So I don't think the ticking time bomb concept is nonsense at all.

As a recent example, Google was an overwhelming net positive for years. They genuinely made the internet better. But the day they went public their eventual abuse of their market position, intentional or not, became inevitable. We're only in the early stages of seeing what that will look like.

Asking questions about whether we want to help give companies the market position to become abusive makes the most sense early, not after it's already happened.


Perhaps I wasn't clear. The fact that some corporations do shady things does not mean it is inevitable that all corporations do it.

I'm arguing against the logic: "every big company always ends up being a den of advertising evil". Cherry picking examples like Google is not proof of this.

Not every company is Google or Facebook. Is Apple selling its soul to advertisers tomorrow? Is Netflix going to insert ad breaks every 5 minutes any day now? Is Tesla going to have you watch an ad every time you start the car?


I'm not sure how we got to it being strictly about advertising. Nor did I say 'all'. But the vast majority of corporations with the market power to leverage in shady ways for profit, do in fact do just that.


> I can be sure that they won't inject ads into my HTML pages.

But they will harass your visitors with captchas for no good reason. I also sometimes run into Cloudflare's "this website is using a protection service" with no way around; it turns out it's a geoblock because it does load just fine when I use a VPN through Germany.

The internet was meant to be decentralized. The IP addresses were meant to be used for routing and for routing only, and otherwise treated equally.


>But they will harass your visitors with captchas for no good reason.

The other fun part about those captchas is they also gatekeep blind people in a way. They're using a service called HCaptcha which doesn't offer an audio alternative like ReCaptcha does. Instead they give you an "accessibility cookie" delivered to your e-mail address, which you can then use to automatically pass the captcha. (Very useful for everyone btw; give it a try.) The problem is that this cookie--and the e-mail address it's attached to--allow CF and potentially HCaptcha to track you around the internet. There's no way to anonymously browse the net through TOR or a VPN unless you create a throwaway e-mail address for that session.

HCaptcha recently expressed interest in creating a text-based alternative, but I wonder how this will stack up against modern AI. For now, it doesn't bother me because I don't encounter it often and I have throwaway e-mail addresses, but it's just one more step I have to go through to remain anonymous where any sighted person could just click the traffic lights.


People use Cloudflare to limit traffic from particular countries and Cloudflare exposes Tor as a country that can be blocked.

The Internet wasn't meant to be decentralized. The ARPANET was meant to be able to function in the event of a war.


> People use Cloudflare to limit traffic from particular countries

Why would a website care where I'm from?


Depending on the service you're offering, it can make a ton of operational sense to simply blanket-ban a whole bunch of IP blocks, including some that correspond to certain countries. China and Russia, for instance, will provide nearly-zero income but a substantial percentage of exploit attempts, stolen credit card use/validation attempts, etc., for some companies. Just banning them might make a lot of sense.


"They only sell products in some countries and the vast majority of abuse comes from other countries" is the one use case I've seen for it.


What if I want to just look at a product with no intention to buy it? What if I do want to buy it and use a parcel forwarding service to get it to me?


I do some backend work for a small company that sells a downloadable software product.

As far as we can tell no one in China has ever bought our product in the ~15 years it has been available. None of our pages are localized for China. If someone in China wanted a product that does what ours does there are Chinese companies whose products are cheaper and probably better for Chinese users.

Yet last time I checked something like 95% of downloads of our product came from China. I took a bunch of IP addresses from the download logs and looked to see if I could figure out something about these downloaders.

All of them seemed to be at hosting companies, not end user machines. Looking at nearby IP addresses to see what else is hosted at the same hosting company, they were mostly scam or borderline scam sites or porn sites. The latter was a bit unexpected because at least according to Wikipedia porn and any involvement with it is prohibited in China.

I don't see any good reason I should not block Chinese downloads. We have to pay for the bandwidth they use, they are extremely unlikely to generate any revenue for us even indirectly, and they are coming from sketchy commercial IP neighborhoods rather than end users.


As a wise man once said, "You don't always get what you want."


>What if I want to just look at a product with no intention to buy it?

Then they want you even less.

In any case, if a company doesn't want to do business with your country, that's it. What does it matter whether you want to buy it or not? (Not to mention a lot of the abuse towards developers comes from non-buying customers as well - people who want some feature added "before they buy", who just use the trial or free version, etc.)

You can always find a competitor company that does serve you.


International customers are more trouble than it's worth when you're a small company and you as a seller are the one who absorbs the loss in cases of delayed, defective, lost or damaged items.


I find it deeply ironic and a little sad that you cite the intentions of the original designers of ARPANET and the Internet, then describe how you've commercialized the Internet.


I'm talking about one use case of Cloudflare I've seen. I don't think I can be held responsible for the commercialization of the Internet when I make and freely distribute monkey movies.


Companies use geo-ipv4 a lot and it's inaccurate and a giant, giant pain in the arse.


If 99% of spam/abuse came from one location, and it wasn't a place I offered a service to at all, I could use something like Cloudflare to restrict their access.


Europe has GDPR, and a bunch of American news sites (even articles posted here) just block you, some even without giving a reason ("this site is not available in your country").


> But they will harass your visitors with captchas for no good reason.

It is up to you to harass your visitors or not. CloudFlare does not enforce it. You can disable the firewall if you don't want that kind of protection.


Cloudflare enables this behaviour. They are not guilt-free in this regard.


They enable what exactly? It's a useful tool and should definitely be activated in some use cases.

We might argue about whether it should come turned on by default or not, but as far as I remember the default setting is not a strict but a moderate protection level anyway.


From parent:

> But they will harass your visitors with captchas for no good reason.


Not sure what point we're trying to make here. Any other firewall/CDN/WAF enables you to do the same thing, to the point of many also providing ready-made protection profiles... what makes this specific member of that group special? Can you clarify?


This is so true. In general, enablers do have a moral obligation over whatever they enable. People shouldn't ignore that.


The Internet wasn't meant to be used for outrageous amounts of fraud and abuse. Sometimes you have to put a captcha on ASNs or CCs because many of them simply don't care about keeping the bad guys off their networks.


I get a "checking your browser" screen from Cloudflare for a few seconds every time I go to gitlab ppag, and some other sites.


> It is big enough, so I can trust them.

Be careful with that. To be trustworthy, a party has to be willing and able to act in your best interest.

As a company (or any group) grows, their ability increases, but beyond a certain point, history shows that their willingness to act in your best interest decreases.

For companies and countries this trend often correlates with political and/or economic power being concentrated among a few individuals.


They do replace ANY requests with their own bogus response.

