Comments on You don’t want to be on Cloudflare’s naughty list


I guess Cloudflare is just using "7 simple bot detection methods that won’t inconvenience users". You yourself said and practice the belief that it's okay to algorithmically block people if their browser isn't bleeding edge or something seems weird. It'll only ever affect a few people, right?

It doesn't feel so good when it happens to you, does it? Maybe consider removing your "your web browser is too old or misbehaved." blocks that actually do inconvenience people.

Exile In Paradise

Cloudflare's "we're checking the security of your connection" page is really scanning headers of your request similar to the "Bad Behavior" bot mess used by some blogs. The wording has always seemed deceptive to me since the connection is ... already made at the point you got handed back the toll booth page.

If you use privacy or security enhancing tools, Cloudflare defaults to assuming you're a bot and hassles you at the border worse than the KGB ever wished they could.

Installing their "Privacy Pass" plugin is really not privacy - it's just a different form of tracker following you around.

Here's what little Cloudflare claims the "browser integrity check" does - to me it's really them objecting and requiring a captcha payday if you don't let them pilfer your browser settings hard enough.

https://support.cloudflare.com/hc/en-us/articles/200170086-Understanding-the-Cloudflare-Browser-Integrity-Check

Welcome to the "Stop and Frisk" web courtesy of Cloudflare and others who want to be them.

> To be fair to Cloudflare [...] Website administrators can configure exceptions in their Cloudflare accounts.

I don't know if I would let them off this easy. They don't make it clear that this needs to be done and offer basically no guidance. For example so many RSS feeds are blocked on sites that use Cloudflare. These are public resources that are designed to be scraped by bots. Also they are generally reachable so there isn't even a DoS attack risk (unless of course you configure your exception when trying to turn off bot protection for the feed). Even the Cloudflare Blog's RSS feed has this problem; from many IPs I can't even fetch their feed. How can we "be fair to them" when their own blog has this problem? Clearly they need to make doing the right thing easier and more obvious (or the default).

EAB

Scan your computer for malware, using the ESET Online Malware Scanner. Restart your modem and see if your ISP gives you a new IP address.

> Check if you made it here https://www.abuseipdb.com/ if so, they tell you what naughty thing you did

I did check when this happened and didn’t find anything anywhere for my IP.

> For example so many RSS feeds are blocked on sites that use Cloudflare. These are public resources that are designed to be scraped by bots.

That’s the same issue as with podcasts. I’m more surprised it affected so many random apps on my phone. I guess everyone relies on Cloudflare for hosting anything nowadays.

> Scan your computer for malware […].

I log network and DNS requests. Nothing out of the ordinary.

> Restart your modem and see if your ISP gives you a new IP address.

My ISP reissues the same IP address until they eventually reboot the equipment on their end. I’d have to switch ISP to get a different IP.

Anonymous

For what it's worth, that's not what the Bandwidth Alliance is at all. It's just about lowering or eliminating data transfer costs between providers like AWS and Cloudflare. Nothing to do with sharing of IP reputation or anything.

Anonymous

This happened to me about three months ago. It lasted for a little over a week and then just went away. It was super annoying! Cloudflare has too much power!!

Anonymous

> See the discussion with the CEO of Cloudflare on Hacker News:

Unless I missed something, all that is said in that is that if the bot was hosted on the platform of the partner, they would notify that partner to try to shut it down. (Basically just an automated abuse complaint.)

"If the infrastructure provider hosting the bot is part of the Bandwidth Alliance, we’ll share the bot’s IP address so they can shutdown the bot completely"

Shouldn't apply to you at all since the Bandwidth Alliance doesn't include residential ISPs, and that was just about shutting down abusers. It looks like the CEO of CF responded too, saying they never went ahead with it anyway. Thanks for responding and your article!

moseph

If your ISP uses CG-NAT, your IP address is shared with several other end users. This can cause Cloudflare to be a little less than welcoming towards you as well.

Doink

I use Tor Browser. Broadly, the popular internet has become much harder to access in 2024, in part due to Cloudflare, which must itself be a symptom of challenges with bots. Reddit is hit or miss with its own bot blocker. 4chan is blocked by CF. YouTube is basically useless at this point. Most videos fail to play through to completion. We are really deep into a process of transformation that will only become more restrictive as internet 'safety' laws pass and come into effect. The end result will probably be no internet without government ID, just like China.

V

Cloudflare is sooner or later a monopolist in terms of accessing websites. This was foreseeable for years. It just has too much power.

Because it is the CDN or DDoS shield for many websites, it presumably knows what websites you visited.

Quote from the privacy policy:

> Our mission to help build a better Internet is rooted in the importance we place on establishing trust with our Customers, users, and the Internet community globally. To earn and maintain that trust, we commit to communicating transparently, providing security, and protecting the privacy of data on our systems.

> We keep your personal information personal and private. We will not sell or rent your personal information. We will only share or otherwise disclose your personal information as necessary to provide our Services or as otherwise described in this Policy, except in cases where we first provide you with notice and the opportunity to consent.

Of course trust with the internet community. The trust means, we have to hope that we can trust Cloudflare with our data and its algorithms.

Another thing is the sharing of our data. It is (currently) not limited to the partners named in the policy. So who knows who gets the data?

A last excerpt:

> Cloudflare processes End Users’ interactions with Customer’s Internet Properties and the Services. This information is processed when End Users access or use our Customers’ domains, websites, APIs, applications, devices, end points, and networks that use one or more of our Services, and when End Users access or use Services, such as Cloudflare Zero Trust. The information processed may include but is not limited to IP addresses, traffic routing data, system configuration information, and other information about traffic to and from Customers’ websites, devices, applications, and/or networks.

"Not limited to" when accessing a "customer website".

To conclude my trust with the name of a Cloudflare product:

> Cloudflare Zero Trust
