blibble 4 days ago

sounds like centralising most of the internet behind a single easy target (Cloudflare) is a bad idea

thayne 4 days ago

I don't entirely disagree, but at the same time, La Liga shouldn't have this much power to shut down large swaths of the internet because of a handful of piracy sites, that probably only have a minimal impact on their income anyway.

Also, CDNs have inherent economies of scale and network effects, so it is natural that there would be just a few at the top.

phoronixrly 4 days ago

Only it's not La Liga censoring, it's a court order as far as I can understand from the TF article. Should the judicial system of a country have the power to shut down large swaths of the Internet after presumably due process and in accordance with the law? IMO yes.

Now, the question really turns out to be "Is a law stating that large swaths of the Internet must be censored to stop a handful of piracy sites just?"

No. It isn't.

dakiol 4 days ago

Yeah. I think this is the elephant in the room. I keep stumbling upon "We need to verify you are a human" by Cloudflare in many sites around the web. Crazy.

kevincox 4 days ago

I agree that having so many sites behind one CDN (and related services) is a problem, but I don't think it is the elephant in this room. Even if there were 100 very popular CDNs having 1% of sites blocked because one user was streaming sports doesn't feel acceptable. Shared hosting has always been very popular and you have sites like Shopify, Squarespace, WordPress.com that are hosting thousands of sites.

Maybe with IPv6 it will become normal to assign each customer their own IP? But I don't see it. This also reduces privacy because we are moving towards Encrypted Client Hello in TLS but we have made no progress to hide IPs.

jtbayly 4 days ago

Sadly including on my site that kept getting overwhelmed by bots this year. I didn’t know what else to do.

418tpot 4 days ago

Have you tried anubis?

https://github.com/TecharoHQ/anubis

thayne 4 days ago

Anubis is effective against certain kinds of bots and abuse, but wouldn't be that effective against large scale DDoS attacks. And it does have a negative impact on usability, as users have to wait for the browser to do the proof of work, which may or may not be worse than Cloudflare's captchas.

DoctorOW 4 days ago

Anubis is a partial mitigant of DDOS attacks, since it's less resource intensive to serve the Anubis page than the origin[1].

Cloudflare's captchas are only convenient for a subset of users, I'll bet there'd be decent money in one of the competing CDNs (Fastly maybe?) including an Anubis-like captcha.

[1] : https://news.ycombinator.com/item?id=43864108

thayne 3 days ago

Yes, it's a partial mitigator, but it isn't as complete of a solution as a CDN, for a number of reasons. For one thing, with Anubis your server is still responding to requests, so a full scale DDoS could potentially take you down without having to actually complete the PoW, they just have to make enough requests.

Using a CDN for DDoS typically has multiple levels of protection:

- caching reduces load on your server

- In the event of a (D)DoS attack, the cdn can absorb the attack traffic with their much higher capacity than your server(s)

- The CDN can block certain kinds of attacks, especially low level (D)DoS attacks without the traffic ever touching your servers

- Since the CDN fronts many sites, it can have more information about which IP addresses and user agents are more suspicious. This one is a little controversial, because there is a conflict between getting an accurate profile of how suspicious a request is, and preserving the privacy of users.

- It may have built in support for some kind of bot detection, such as captcha or a proof of work. IDK about the free tier of cloudflare, but for paid offerings at least, this is usually optional.

In short, Anubis could be part of a DDoS mitigation plan, but if you are worried about a targeted attack, it probably isn't sufficient. And critical services are potentially a valuable target for attacks.

jtbayly 4 days ago

I tried to figure it out for about 5 minutes, and decided that it probably wasn’t possible on my shared hosting.

throaway920181 4 days ago

Also, if (when) their Captcha decides that you're a bad actor, there's literally no way around it. You can spend tons of time checking the box/trying again, but there's no way to "solve" it.

aspenmayer 4 days ago

I’m not sure if it fits your use case, but I think that CF has a browser extension that is supposed to help with that?

xk_id 4 days ago

The elephant in the room is actually one American company having unencrypted access to global internet traffic.

bearjaws 4 days ago

I have yet to find a platform that is as comprehensive as Cloudflare.

Bot protection, waiting rooms, cheap static assets, WAF.

Odds are if you are running a popular platform, you need all of these things.

stego-tech 4 days ago

My sarcasm well is tapped, but this is why I was sus of CDNs like Cloudflare and Akamai at the outset. Yes, they’re highly convenient and enable more sites and services to weather large attacks or traffic spikes, but we willingly sunk a huge swath of the net behind a handful of for-profit entities and yet somehow expected nothing but sunshine and roses forever.

Stop. Trusting. Companies. To. Do. The. Right. Thing.

Cloudflare could’ve prevented this if they’d taken a stand on anything but profit motives, but they’ve repeatedly chosen not to. Piracy sites pay the bills just like Porn or Government sites, after all, and companies won’t turn down money unless forced to through regulation.

DoctorOW 4 days ago

You seem to be implying that Cloudflare has been abusing this position of power, but then listing things it allows? Porn, of consenting adults, is actually a great example of business Cloudflare's right to take on. You may not care for it, but legal/ethical pornography is a matter only of taste. We'd be far worse off if Cloudflare was blocking content based off of personal preference.

ipaddr 4 days ago

Didn't they kick off far right websites like stormfront? They still block from personal preference it's just preferences you agree with.

DoctorOW 4 days ago

(in)famously they refused to do that until ordered to by law enforcement.

dc396 4 days ago

Err, no. At least not according to Cloudflare:

https://blog.cloudflare.com/why-we-terminated-daily-stormer/

TL;DR: "The tipping point for us making this decision [to discontinue service] was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology."

stego-tech 2 days ago

And that’s what he was getting at: if TDS hadn’t put words in Cloudflare’s mouth and kept paying their bills on time, there’s little doubt Cloudflare would have ever removed them as a customer.

Cloudflare’s consistent response to accusations it defends illicit or harmful content has been some variation of “they’re paying customers and it’s not our place to judge their content”. Which, sure, noble hill to die on and all that jazz, but also something of a cowardly defense for speech whose sole purpose is creating harm.

DoctorOW 3 days ago

That was sort of the PR spin they put on it. If Cloudflare was drawing an ideological line in the sand, they might have discussed where that line is lest others cross it. Instead, the post talks about when they do and don't comply with law enforcement and pleads with government not to try and force them to take other websites down. Posts on Stormfront were under immense legal scrutiny and the praising of Cloudflare brings that eye on them. Reading between the lines it's very obvious that legal made the decision. GP was discussing the larger pattern, and the larger pattern is one of inaction until there's little choice left legally speaking.

stego-tech 2 days ago

…that’s not what I was saying at all? Like, remotely close?

I was saying that:

* For-profit companies like Cloudflare have a vested interest in preserving as many paying customers as possible

* Their own process for getting content taken down makes it deliberately difficult to remove content, as that would harm their business model

* We have willfully chosen to sink large swaths of the internet behind companies like Cloudflare

* As a result, the only tools left to governments and the judiciary are often draconian in nature, harming innocent parties in pursuit of criminals

* We are naive to believe that any for-profit entity will act in the best interests of society, especially when those interests conflict with their profit-motives.

pier25 4 days ago

Unfortunately there aren't that many competing services.

AFAIK BunnyCDN is the only service that comes close but their cloud offerings are kinda new and they charge egress.

77pt77 4 days ago

All systems seem to converge to these monopolies.

Google, X, Facebook, Cloudflare.

All minor players are absorbed or eliminated.

yoyohello13 4 days ago

I think we are partially to blame for this too though. For the last 10-20 years the whole goal of a founder was to grow a business, get acquired then exit. If founders instead focused on building a sustainable business maybe we would have a more diverse tech landscape.

j_maffe 4 days ago

To be fair, even the ones that don't want to get acquired know the bitter road ahead from the opposition aggression.

SoftTalker 4 days ago

Nobody would fund a founder who wanted to build a sustainable business. It would have to be bootstrapped, and there are a lot of such businesses, but you never hear about them because they stay small.

okanat 4 days ago

It is the result of lack of regulation. They are all allowed to buy their competition.

brookst 4 days ago

Classic economies of scale. It’s a lot more efficient for one company to make one million servings of lemonade than it is for one million people to make one serving each. Even if the homemade version is “better”.

shermantanktop 4 days ago

This is what happens when everyone is incented to trade low-probability risk for short-term profits. Because who would bet that a giant CDN would be blocked like this?

afiori 4 days ago

I agree that oligopolies are more stable than polyopolies, but a huge part of why the internet collapsed in a handful of companies is how stock markets and venture capital love monopolies.

__loam 4 days ago

X is a minor player. Replace it with AWS

77pt77 4 days ago

I meant for what it does.

Is there anything even remotely comparable to twitter (outside of the PRC)?

__loam 4 days ago

Bluesky, Threads, mastodon, even reddit I guess even though it's more atomized into subreddits.

77pt77 4 days ago

Twitter has like 3 times the users of threads and bluesky has a tenth of threads.

It's a geometric progression (power law) and it almost always devolves into that.

__loam 4 days ago

You asked if there was something remotely comparable and there is.

77pt77 3 days ago

Three times less does not fit that.

30 times less neither.