Cloudflare is actually pretty upfront about which browsers they support. You can find the whole list right in their developer docs. This isn't some secret they're trying to hide from website owners or users - it's right here https://developers.cloudflare.com/waf/reference/cloudflare-c... - My guess is that there is no response because not one of the browsers you listed is supported.
Think about it this way: when a framework (many modern websites) or CAPTCHA/Challenge doesn't support an older or less common browser, it's not because someone's sitting there trying to keep people out.
It's more likely they are trying to balance the maintenance costs and the hassle involved in allowing or working with whatever other many platforms there are (browsers in this case). At what point is a browser relevant? 1 user? 2 users? 100? Can you blame a company that accommodates for probably >99% of the traffic they usually see? I don't think so, but that's just me.
At the end, site owners can always look at their specific situation and decide how they want to handle it - stick with the default security settings or open things up through firewall rules. It's really up to them to figure out what works best for their users.
They do not support major browsers. They support "major browsers in default configuration without any extensions" (which is of course ridiculous proposition), forcing people to either abandon any privacy/security preserving measures they use, or to abandon the websites covered by CF.
I use uptodate Firefox, and was blocked from using company gitlab for months on end simply because I disabled some useless new web API in about:config way before CF started silently requiring it without any feature testing or meningful error message for the user. Just a redirect loop. Gitlab support forum was completely useless for this, just blaming the user.
So we dropped gitlab at the company and went with basic git over https hosting + cgit, rather than pay some company that will happily block us via some user hostile intermediary without any resolution. I figured out what was "wrong" (lack of feature testing for web API features CF uses, and lack of meaningful error message feedback to the user) after the move.
Although I sometimes have problems with Cloudflare, it does not seem to affect GitHub nor Gitlab for me, although they have other problems, which I have been able to work around.
Some things that I had found helpful when working with Gitlab is to add ".patch" on the end of commit URLs, and changing "blob" to "raw" in file URLs. (This works on GitHub as well.) It is also possible to use API, and sometimes the data can be found within the HTML the server sends to you without needing any additional requests (this seems to work on GitHub more reliably than on Gitlab though).
You could also clone the repository into your own computer in order to see the files (and then use the git command line to send any changes you make to the server), but that does not include issue tracker etc, and you might not want all of the files anyways, if the repository has a lot of files.
"Challenges are not supported by Microsoft Internet Explorer."
Nowhere is it mentioned that internet access will be denied to visitors not using "major" browsers, as defined by Cloudflare presumably. That wouldn't sound too legal, honestly.
Below that: "Visitors must enable JavaScript and cookies on their browser to be able to pass any type of challenge."
> * If your visitors are using an up-to-date version of a major browser *
> * they will receive the challenge correctly. *
I'm unsure what part of this isn't clear, major browsers, as long as they are up to date, are supported and should always pass challenges.
Palemoon isn't a major browser, neither are the other browsers mentioned on the thread.
> * Nowhere is it mentioned that internet access will be denied to visitors not using "major" browsers *
Challenge pages is what your browser is struggling to pass, you aren't seeing a block page or a straight up denying of the connection, instead, the challenge isn't passing because whatever update CF has done, has clearly broken the compatibility with Palemoon, I seriously doubt this was on purpose.
Regarding those annoying challenge pages, these aren't meant to be used 24/7 as they are genuinely annoying, if you are seeing challenge pages more often than you are on chrome, its likely that the site owner is actively is flagging your session to be challenged, they can undo this by adjusting their firewall rules.
If a site owner decides to enable challenge pages for every visitor, you should shift the blame on the site owners lack of interest in properly tunning their firewall.
So.. no new browsers should ever be created? Or only created by people with enough money to get CloudFlare onboard from the start? Nothing new will ever become major if they're denied access to half the web.
You can create a new browser, there are plenty of modern new browsers that aren't considered major and work just fine because they run on top of recent releases of chromium.
There are actually hundreds of smaller chromium forks that add small features, such as built-in adblock and have no issues with neither Cloudflare nor other captchas.
Fair enough, but... if Cloudflare's challenge bugs out who is going to fix it? Aren't they responsible for their own critical tools?
Because in the end, the result is connection denial. I don't want to connect to Cloudflare, I want to connect to the website.
I read that part. They still do not indicate what may happen, or what is their responsibility -if any- for visitors with non-major browsers.
Not claiming this is "on purpose" or a conspiracy, but if these legitimate protests keep getting ignored then yes, it becomes discrimination. If they can't be bothered, they should clearly state that their tool is only compatible with X browsers. Who is to blame for "an incorrectly received challenge"? The website? The user who chooses a secure, but "wrong" browser not on their whitelist?
Cloudflare is there for security, not "major browser approval pass". They have the resources to increase response times, provide better support and deal with these incompatibility issues. But do they want to? Until now, they did.
I think the issue is that Cloudflare tends to be a toggle-and-forget, it's very easy to use and it works for most people.
The problem with this setup, is that it sacrifices on both security (because it needs to keep false positives at a minimum, even if that means allowing some known bots) and user experience (because situations like the one you have will occur from time to time). When you enable a challenge page on CF, it will work as-is and you have no ruling over it, the most you can do is skip the page for the browsers having false positives.
If CF gave site owners a clearer view of what they are blocking and let them choose which rules to enforce (within the challenge page), it would be much easier to simply say that the customer running CF doesn't want you visiting their page/doesn't care about few false positives.
So you're saying that which browsers are supported on the Internet should be determined by a single, for-profit company? That's a very interesting and shorthsighted take.
I love how so many of these apologists talk about stuff like "maintenance costs", as though it's impossible to write code that's clean and works consistently across platforms / browsers. "Oh, no! Who'll think of the profits?!?"
If you had any technical knowledge, you'd know that "maintenance costs" are only a thing when you code shittily or intentionally target specific cases. A well written, cross-browser, cross-platform CAPTCHA shouldn't have so many browser specific edge cases that it needs constant "maintenance".
In other words, imagine you're arguing that a web page with a picture doesn't load on a browser because nobody bothered to test with that browser. Now imagine you're making the case for that browser being so obscure that nobody would expend the time and money. Instead, why aren't you pondering why any web site with a picture wouldn't be general enough to just work? What does that say about your agenda, and about the fact that you want to make excuses for this huge, striving-to-be-a-monopoly, for-profit company?
I think it's pretty clear you have never worked on fraud protections or bot detections, otherwise you'd understand the struggles of supporting many environments with a single solution, you already have an opinion on this and by the way your messages are typed, it doesn't seem like any rational will change your ideas.
This is the internet and everybody is a field expert the moment they want to win an argument, best of luck with that.
BunnyCDN DDoS protection is made to protect their servers and the customers, it's not meant to serve your service as a shield against attacks.
This is a common misconception with many providers, they have DDoS protection to ensure that an attack against them won't cause your website/service being unavailable, however, if an attack targets your service, it most likely won't be filtered by their system.
It usually does cover volumetric attacks since those usually bring everything down with it.
As to layer 7 or other types of attacks, it’s a tough call. You need specialized services. Cloudflare does great for its price. It’s not like the big cloud providers reliably solve this problem either.
Banking sites and anybody who suffers from any sort of attack, whether it's scraping, DDoS, bots, bruteforcing...
Does everybody get those attacks? Probably not, however, Cloudflare centralizes the attacks into a single IP reputation database so, if at some point, a certain node was abused on x site that uses Cloudflare, anybody who is routed through that node will have a poor experience browsing CF sites.
This approach of centralizing IP reputations has its own flaws and benefits, Tor Nodes aren't inherently given a bad reputation, it just happens that if 90 people are using the tool for all the good things, 2 assholes can abuse the IPs and have them blacklisted on almost any website, whether it's Cloudflare, Imperva, Akamai, PX, you name it. Cloudflare is the most known name but there are tons of other E2E/B2B providers that don't show up as often.
We report each DDoS attack our company receives to a special department our police has, your country likely has something similar and I guess it doesn't hurt reaching out to them.
From my experience they will get back to you quickly (usually in <1-2 hour) and they can try helping out if you are still under attack / need some consultation.
Will we ever get compensated for the wasted engineering time to stop these attacks? probably not, but if the police ever finds them and they have extra logs of companies that reported issues, its likely an aggravation of the case.
You're right, I guess I'm still thinking on a few experiences I had way in the past when the Internet was still early and contacting them was a waste of time: they couldn't understand you nor had the time to do so. It's true they now have many more resources and experts in their departments and, as you say, may at least give some good advice on what to do during the panic stage to try and at least mitigate it. Providing them with logs and proof would have been a good idea too.
Oh my, the attack caused so much wasted time and stress that it's still haunting me and the team, specially when thinking that it may not stop there and the attacker/s is just waiting for the next chance to hit us. The days after the attack the first thing I did after waking up was check the servers to see everything was safe. And our roadmap was severely affected too, prioritizing many security features we had in the backlog.
Things are significantly better now, I can't comment on how good the aid is if you are under attack since we always had a team ready to handle DDoS, however, their follow-up has always been fast.
Regarding security features, if you are on a cloud such as GCP, AWS or Azure things are complicated since you can't easily route the traffic elsewhere(you can have BGP connections to DDoS mitigation inside GRE/L2TP tunnels only when attacks occur and it would be cheap to rent on a monthly/yearly basis). Voxility is an example that comes to mind and they are very affordable in general terms.
HTTP or HTTPs attacks are easier to handle with Cloudflare, however, there are other interesting solutions such as Stackpath.
We were under a DDoS attack about a month ago too, but were lucky that it didn't manage to affect our business. With that in mind, we took it as a (precious) learning experience - how often do you get the chance to learn about DDoS defence 1st hand?
I realize we were lucky that the attacker didn't find any of the soft spots (or at least none that hurt us). We do prioritize security though, always.
I hope all goes well for you and that in time this is just another learning experience. Maybe next time you'll smile when an attack is thwarted because of what you've all learned.
We get attacked several times a month, we rely on Cloudflare & Corero to mitigate attacks.
Cloudflare handles HTTP/s attacks and Corero handles network level attacks.
Both require tweaking and are far from being 1-click setup tools (despite some marketing attempts that try to make it seem that way), however, if you can manage them, they are very powerful and considerably cheaper than other alternatives.
Thank you, I didn't know about Corero, will check them out. CF we use, and as you said, they are a tool. Plenty of ways they could be better, but they are still the best (in moderate price range) we know.
This is what hCaptcha is currently doing, they are switching the image category every 24-72 hours.
How useful is it? Not very. Modern ML models such as mobilenet, resnet or yolo require only a few hundred images for it to be accurate to solve those captchas.
You don't need few million samples, with 500-700 images per category you are more than ready to solve current captchas.
It's identity, which is why Google shows "Your computer or network may be sending automated queries" message on recaptcha if you trigger too many heuristic and IP reputation signals to be classified as a bot. That's why, for Google, you get to carry around your reputation in the form of your Google Account, and for Cloudflare, they have private access tokens[0] (which might be the only reason you don't get blocked by every CF site on iCloud Private Relay), and otherwise Cloudflare's big ambition is "human attestation" via WebAuthn credentials[1,2].
Google accounts give you a good score and tend to deliver easy captchas while dealing with Recaptcha; however, for this reason, google accounts are being sold and bought constantly.
People have tried similar fight tactics in the past. SMS and phone verification have failed because the return on investment is far greater than the price barrier it adds to get any of those "virtual identities".
iPhones might work but then, for how long? If you guarantee that an IPhone won't get captchas, it's a good investment to buy many old(or new) ones and sell token access to skip any captcha.
Many farms already have thousands of phones scrolling through youtube videos to get views, likes, and other stats for videos/channels.
The same "logic" applies to yubikeys and similar auth hardware; attackers can exploit it similarly.
Companies will tell you that they have abuse policies and actively fight abuse/bot farms, but again, they are not solving a problem but solving the problem with tape.
ReCAPTCHA was very useful for a while, it did genuinely stop bots reasonably well, but none of the "newer" versions seem as efficient as the older versions used to be. Progress stopped after V2.
...which really sucks when you try to use any of those sites via tor (no cookies, "bad" IP) or at a place with a shared external IP (public access points).
Open google.. captcha... every page has a 5 second cloudflare page before opening the page itself.
Bots have the time, they can wait and do other stuff in the meantime, but we, humans get bothered by that.
I've also wondered about the more speculative future of CAPTCHas - e.g. how to prove you are human when ML get better and better. Would be fun to add to the near future sci-fi I'm sometimes writing. I'd imagine CAPTCHAs could go towards social proofs ("Carl is asking you to verify he is human, are you sure?", doing things in the physical world ("Go out and make <this gesture> to the Google satellite") or being asked more and more difficult world reasoning questions, those that GPT (so far) struggle with.
The reason people do this, by the way, is because it's common if you're hosting via CF to whitelist their IPs and block the rest. This allows their SYN flood to bypass that.
I run a fairly popular service and have received DDoS attacks from Cloudflare's IP range (~20gbps). I can confirm they respond to SYN+ACK with an ACK to complete the TCP handshake. Through some investigating it seems like a botnet using Cloudflare WARP (their VPN service).
Why are you assuming amplification attacks aren't a thing?
I think you're probably right about the spoofing but it comes off a little dismissive when the possibility of a site that queries other sites, could be tricked into doing something it shouldn't, is always going to be in the realm of a possibility.
Adding raw TCP is a big deal, it skips all the existing security stack that focuses on HTTP/S.
There is Spectrum and Transit to provide network level protection but... only a few can afford that.
Does this mean that TCP workers would be exposed to network level attacks or would it use transit/spectrum?
If it turns out to be protected; I'd say there would be little to no reason to use Spectrum unless the pricing turns out to be atrocious for long lived connections (which is kind of the point of having TCP workers in the first place).
I hope I did not come out as rude; I'm genuinely curious about what's the plan behind all of this.
Edit: I pointed out there would be no use for spectrum since one could "easily" build a reverse proxy with a tcp worker.
The exact details aren't all nailed down but I'd expect for incoming connections Workers would integrate directly with Spectrum. I don't know what that might mean for pricing, but I imagine we'd find a solution where cost doesn't block people from building cool things.
Just adding some light to the escalations; there were bomb and shoot threats over the last few days.
The userbase on the site upped the tone of their "jokes"/threats after the last blog post and thats what caused the final suspension.
I don't know what happened prior to today, but earlier today there was a bomb threat which was apparently removed by the site's moderators within minutes, but it hit Twitter anyway. The fact that this isn't mentioned anywhere by the people currently leading the "campaign" already proves there's an agenda.
People have always posted (usually fake) threats in kiwifarms threads. They have always been removed promptly. The same is true of basically every large website on the internet. When cloudflare made their post saying they wouldn't remove kiwifarms, the site already had that reputation.
There are "bomb and shoot threats over the last few days" on FB, Messenger, Telegram, Signal, CoD/CS lobbies etc everyday. Like Kiwifarms the content is removed when reported. What is the issue?
There absolutely were not, and this is a gross exaggeration. One user made a clearly satirical comment about posting IRA soldiers with bombs at every cafe in the Ulster area. This was screenshotted by Keffals and posted to Twitter as a serious threat. Everyone else posting in the thread understand it was an extremely dumb joke. The post was removed by the KF owner within minutes. If that is why the site went down, I’ll be amazed and disappointed.
I think the point is that this isn't even KF's first go at the bomb threat thing. They've organized bomb threats, swatting, stalking vulnerable people at hotel rooms they've fled to, and worse things besides... and CF was always OK with. Always.
Until now.
When KF forced CF into a choice between protecting KF and protecting the victims of KF, CF chose KF, repeatedly.
Until now.
I'm glad CF has made the right choice, finally. But it clearly is not going to come from within, it's going to have to come from continued public awareness.
> But Kiwi Farms has made the harassment orders of magnitude worse. It's escalated from attacking me for being autistic, to attacking and doxing my friends, and trying to suicide bait another, just to get a reaction from me. I lost one of my best friends to this. I feel responsible
The behavior from just the Daily Beast story alone exceeds the harm caused by things like spamming, for which CloudFlare does ban email users. CloudFlare even runs a dedicated service that "crawls the Internet to stop phishing, Business Email Compromise (BEC), and email supply chain attacks at the earliest stages of the attack" [1].
One could only wonder how magical the Internet would be if CloudFlare could stop doxxing and account hijacking attacks at their earliest stages! Or... you know, at least not facilitate those attacks coming from within their own network. Because once this all crosses into harassment, stalking, doxxing and mass online bullying, it stops being about "speech" and starts being about facilitating and organizing criminal activity.
Ok, the investigative journalist's thread shows literally no proof or even evidence that kiwi farms was involved in the swatting, and the man with the note apparently posted it on /pol/(?) so not even kiwi farms was on that one. Neither of the other two links said anything about swatting.
I'm serious here, and genuinely trying to understand this underlying consensus that the one to blame for it is that website, but I just don't see it.
Where they uploaded the first pic is hardly the issue, that KiwiFarms was organizing the online harassment campaign, including doxxing and swatting, is the issue.
And I couldn't help but notice you seemed to miss Near's tweet. Do you think they were unclear as to the source of their misery?
No, her personal statement isn't enough, how could she know who did it? I'm sure in the heat of the moment someone going thru something like that would make assumptions and galvanize their position somewhat, it's completely understandable, but it's hardly evidence. Also the article doesn't say anything about the timeframe between her dox being posted and the incident.
The admin explicitly saying for people to stop "encouraging SWAT pranks" when speaking apparently(?) about two other elements is a bit closer but still quite weak, its an open forum from what I gathered so far surely there would be archives or some screenshot or something for said "pranks" towards the streamer being discussed right? especially if there is mention of him actually having to deal with the FBI in previous times.
I didn't overlook the tweets, I just couldn't find a single mention of swatting there.
Yes, the evidence for a causal link in swatting is weaker, but evidence exists: discussion of swatting on the site, proximal links in time between people being doxxed and being swatted, etc.
And then we have screenshots of them figuring out her hotel room immediately after the swatting and engaging in harassment.
There's plenty of evidence for the site being used to coordinate unlawful harassment, and moderate evidence for them being used in highly dangerous harassment (e.g. swatting).
I think you're engaging in motivated reasoning. It's like if someone is known through extensive evidence to have assaulted others 100x, and there's moderate quality evidence they murdered someone-- arguing that they shouldn't be in jail because you personally don't find the murder evidence convincing enough. OK, um, we disagree about the murder thing, but what about all the other crimes?
>discussion of swatting on the site, proximal links in time between people being doxxed and being swatted, etc.
what is this proximal link? and if that link is something like 3 days or a week or something, on an open forum, i'm not sure it's that relevant, literally anyone can watch the website without participating for what I understand.
>And then we have screenshots of them figuring out her hotel room immediately after the swatting and engaging in harassment.
I saw the bedsheet investigation, but what harrassment did they engage in? the situation where the orders happenned was in a second hotel, and after a big of digging it wasn't even kiwifarms that got the dox on that one, it was Vile on doxbin[0], and he also admitted to being the one making the orders.
> There's plenty of evidence for the site being used to coordinate unlawful harassment, and moderate evidence for them being used in highly dangerous harassment (e.g. swatting).
what is the evidence for this unlawful harassment, and what is the moderate evidence for the swatting? if all you have is what was posted above for the swatting then we'll agree to disagree, which is fine, what is however the plenty of evidence for the former? And no, that twitter thread really doesn't cut it afaic.
> I think you're engaging in motivated reasoning. It's like if someone is known through extensive evidence to have assaulted others 100x, and there's moderate quality evidence they murdered someone-- arguing that they shouldn't be in jail because you personally don't find the murder evidence convincing enough. OK, um, we disagree about the murder thing, but what about all the other crimes?
Well, here's the thing, I know little about kiwifarms in particular and everyone is saying that there is extensive evidence of other crimes, articles are being written saying that they were the one responsible for swatting people and a thousand other things, and the citation/source rabbit hole just leads to a dead end, or ends up circular, so yes i'm going to have my doubts and at least want to see some of this extensive documented harassment trove, archiving things on the internet is but a couple clicks away.
I'll leave the thread for today for it is getting too late, have a good one.
- Moderators on KF felt the need to address the topic of swatting.
- People dox'd on KF were definitely swatted-- the missing evidence is to what degree the actual swatting was coordinated on KF. It's relatively indisputable that KF was in the causal chain.
- Harassment occurred, coordinated on KF to someone immediately after relocating from a swatting.
What about to people like me, who have only ever heard of kiwi farms in passing, who don't really know anything substantial about any of this stuff and want to know more? Is it obvious to us? I'd like to see what everyone's talking about when they talk about this site, and if they're right, without actually going there. Can you help me out with that?
A hypothetical court. I was just using it as an example of how the argument wouldn't hold muster in situations where it would really need to.
> What lack of evidence?
You posted this:
> No one is answering you because it's obvious to even the most intermediate observer where this work is coming from.
Again, "well, it's just obvious, dude" is not evidence. It's similar to a "god of the gaps" argument. If there's evidence Kiwi Farms did it, then Kiwi Farms did it, and if there's not evidence that Kiwi Farms did it, then Kiwi Farms still did it. That makes no sense.
>They've organized bomb threats, swatting, stalking vulnerable people at hotel rooms they've fled to, and worse things besides
all of these things are against site rules, users who do them are banned (and mercilessly mocked).
the MTG swatting was so obviously a false flag, whoever did it said "YES I AM FROM KIWIFARMS AND THIS IS MY EXACT USERNAME", there was no actual discussion of a swatting attempt in the thread prior to that; nobody would just straight up admit who they were while committing a crime like that, especially after null repeatedly said he hands over people's info to law enforcement if they post illegal shit.
remember, the site is currently being DDoSed, which is a crime. people want it gone. so is it that impossible that the DDoSers would also do other illegal crap (like swatting) and blame it on KF to get their way?
Oh shit maybe we're all wrong then! Can I ask, then, what is the purpose of the site, if it's not to co-ordinate the harrassment of individuals by sharing their personal information?
Ok have fun doing whatever it is you do that isn’t doxing on your forum when it’s back online (after the doxing and the threats took it offline) I guess.
I dont have an account there... My HN is also not some driveby throwaway. You are putting words in my mouth now because you are out of arguments. This is a discussion forum.
The purpose is to document the bizarre (and oftentimes outright creepy and/or illegal) behavior of the terminally online. You know, stuff like helping your friend sell his bathtub brewed hormones to minors without their parents finding out. Or running a Discord server called Catboy Ranch that has several minors on it, and you send them personalized collars that declare them your property. Just ordinary, innocent stuff that is no one else's business, clearly.
What are you talking about exactly? As far as I've been able to find, they don't even have a history of harassment, let alone something illegal, not as a forum/community. As we saw with this "threat" here.. it was reported and deleted as soon as the mods saw it and the user perma banned.. Just like every other attempt by a "member" to post something illegal or interact with someone off site.
these were obviously (stupidly poor taste) jokes, and they were removed as soon as the site admin was made aware. death threats are against the rules of the site. what exactly makes this so urgent that KF has to be blasted off the internet?
Turnstile/Challenges per se don't rely on the UA at all.