> I'm not running my own ISP and I'm not in a country known for originating DDoS attacks (Sweden), yet just using Firefox on Linux seems to be enough to be forced to click on traffic lights many times an hour.

I'm in the same situation. Linux, Firefox, Sweden, with a residential IP that has been mine for weeks/months. Who's massively DDoS'ing with residential Telia IPs?!

You know, after reading your comment I decided to install and try chromium for few minutes and you're absolutely right. It did not ask captcha once. I opened the same websites where cloudflare always asks me for captcha on firefox so I thought this was common, after finding this out, I am feeling annoyed.

Same situation except for Linux: in Sweden, macOS, and Firefox.

The difference is: I can't get past Cloudflare's captcha for the past 2-3 years (on Firefox), have to use Chrome for the few sites I do need/want to see behind this stupid wall.

By now I've sent hundreds of feedback through their captcha feedback link, I keep doing it in the hopes at some point someone will see those...

Agreed. Same with Firefox on FreeBSD. Constant captchas. It identifies as Linux by the way (it seems to be compiled that way by the maintainers) which is probably better (a 2% desktop marketshare OS vs a 0.01% one is probably better here)

I run a little wiki and, holy shit, the bots have gotten advanced. Like, it used to be no big deal, then like a year and a half ago, it exploded. It's basically quadrupled the costs for me to run the site. It's not even worth it to ban IPs anymore, because they are routing their traffic through different IPs -- in different countries -- just to scan my site, repeatedly, every damn day. It's an obscure golf course wiki, but no... better check every other day to see if anything has changed!

At the same time, the bots are dumb as hell. I have honey pots that basically are as simple as "if you visit this obscure, hidden URL you're banned" or "if the same obscure page for a course is visited for four different courses in a row, then ban all the IPs that were part of that." But they keep coming... like, an infinite number of IPs. I genuinely don't want to use Cloudflare, but I understand why people do. It's absolutely crazy out there.

> It is not CloudFlare that is ruining the Internet, but the spammers and attackers.

Spammers have been around since forever and it used to be the webmaster/sysadmin's responsibility to deal with spam in a way that would not hinder user experience. With Cloudflare all that responsibility is aggressively passed on to the user, cumulatively wasting _years_.

As for attackers, I wonder if Cloudflare publishes data showing how many of the billions of websites it "protects" have experienced a significant attack. They don't offer free protection to save the internet, but rather for control -- and no single company should have this much control.

> It is not CloudFlare that is ruining the Internet, but the spammers and attackers.

"Your face ran into my fist!"

> It is in the interest of CFs customers to be as accessible as possible, after all.

But since in reality there is friction, there is no magic mechanism to make those interest force CF to implement a better system as, for example, the customers might not have enough knowledge / tech expertise to understand they're losing 1% due to crude CF filters and ask for a fix

> It is in the interest of CFs customers to be as accessible as possible, after all.

Well this is where your argument goes a little wrong IMO. When you're on something more niche (eg Firefox on Linux) they just don't care as much about making it work for you because there's so few of us blocked in the process.

And this problem should really be solved with a proper solution, not this fiddly black magic ruleset stuff. The email thing you mention is a good example. DKIM and SPF are good things that makes things more secure in an understandable way. Specifying your legit mail handlers is not a workaround, it's good security. In some ways Altman has a good idea with his WorldCoin eyeballs. But I don't support it for obvious reasons. I don't want my internet identity tied to a single tech bro and some crypto. If we do this kind of thing it has to be a proper government or NGO effort with proper oversight and appeals process.

I've tried to make my Linux Firefox identify as edge on windows and that makes it a lot better on some sites (especially Microsoft breaks a lot of M365 functions on purpose if you're not using the "invented here" browser). And many sites don't give me captchas then. But in some cases Cloudflare goes even more nasty and blocks me outright which is really annoying. If I use Linux a lot more sites break but Cloudflare sticks with captchas.

Anyway I think the age of the captcha is soon over anyway. AI will make it unviable.

> All these annoying restrictions were forced to be implemented by attacks of all kinds.

Ps it's not always attacks but also to block things that are good for consumers but bad for the sites' business model. Like preventing screen scraping which can legit help price comparison sites.

>It is not CloudFlare that is ruining the Internet, but the spammers and attackers

That's unaccountability thinking. If I have pests in my rosegarden and as a reaction I napalm the backyard of everyone in my neighbourhood, that is not the bugs' fault.

Moreover, the most hilarious thing here is that Turnstile is easily bypassed by "patchright" (patched playwright runtime) + xvfb + good residential IP pool. So it's hurting real users and not protecting against bots.

(Note I share your sentiment, however)

Is there any data that’s supports this suggestion users with older devices are actually being discriminated? (% of users actually using older devices incapable of upgrading to browser versions supported by cloud flare)

I just find it hard to believe users are actually getting denied access because their device are old. Surely you can still run new versions of Chrome and Firefox on most things [1].

——————

[1] Don’t get me wrong I use Safari and I find it inflammatory when a site tells me to use a modern browser because they doesn’t support safari (the language more so). But I wouldn’t call it discrimination seeing as I have an opinion to run firefox/chrome from time to time.

What are the symptoms of being shadowbanned? I see an awful lot of "click here to prove you are human" boxes, click then, the page reloads, and I'm left with the captcha again. It's been very very frustrating.

I wish there were more information and guides being spread of free and open source systems worldwide, there is tremendous potential in upgrading "end of life" systems to use a Linux-based operating system. That way we could avoid unfathomable amounts of e-waste being dumped for no other reason than them not being commercially viable anymore and poor people could keep using their computers

Without a market CloudFlare wouldn't be able to ruin the internet. You can thank all of the incessant AI bots for that. I can't even browse GitHub anymore without logging in.

Oh this is still very true! I am from Banglaore, India. There are sites that outright block me. And in a day, I at least encounter 20-25 times where I need to click on "human checkbox" due to my region or IP. In mobile it's worse. All sites that have "strict" mode on, will either block or show the "human checkbox".

Even sites that I manage with Cloudflare, I see the same. Even if I use relaxed mode on, If I visit the site via mobile, it can trigger the Cloudflare human validation.

> Turns out a lot has changed in the last decade and I think it’s likely that the article should be updated on what it’s like right now.

Yes, every one-pager running on Vercel/Netlify sits behind Cloudflare now because no one wants to risk an insane cloud bill in case of an attack. People have become hopelessly dependent on managed cloud services.

However, to be fair, there's less captcha solving nowadays, since they introduced their one-click challenge (but that's not always the case).

s/is ruining/has ruined/ ?

More recently: https://news.ycombinator.com/item?id=42953508

Today I looked up a word definition on tfd.com (usually a lightning-fast website), it took 3 cloudflare screens each 10 seconds to load. Why?. Because I'm in South East Asia? I aborted mission and pasted the word in a search engine and had a definition in <5 seconds. Sad to see some of my favourite sites becoming unusable.

The shorter the average interaction with the site, the worse the burden cloudflare becomes. E.g. looking up a definition is usually a 5-10 second job, Cloudflare can make it take almost an order of magnitude longer.

In defence of motorcylces and traffic lights, those captchas are annoying too, but they do help humanity in a tiny, tiny way. By contrast, watching a cloudflare loading spinner is stupefyingly useless.

(apologies for ranting. I find it disproportionately irritating even though it's only a few minutes per day, possibly due to the sheer repetition involved).

Yup, the CloudFlare CAPTCHAs are a nuisance, but they're so much better than the Google reCAPTCHAs they replaced. Those things must be designed to make you give up.

I didn't realize the article was from 2016. I still have to click motorcycles and traffic lights sometimes. So nothing has changed at all! I didn't know they were using those motorcycles and traffic lights for almost 10 years already

Processing a micropayment takes more resources than serving a simple Web page, even if the payment fails. You would have to put in similar filters, or you would get DoSed using the micropayment service.

Genuinely curious, is there a way of tuning how this protection is triggered? If there is, perhaps filter out those ISPs/countries from which most attack originate? Not a cloudflare user myself -- for me it's mostly been a nuisance.

So, guilty by default, right? We developed human rights and laws through centuries of debates, pain, suffer, revolutions, fights etc just to get mega-corps doing whatever they feel right, externalizing the trade-offs on innocent peoples.