Most active commenters
  • zaphar(3)

←back to thread

Anubis Works

(xeiaso.net)
313 points evacchi | 11 comments | 12 Apr 25 22:32 UTC | HN request time: 3.246s | source | bottom
Show context
tripdout ◴[12 Apr 25 22:52 UTC] No.43668552[source]
The bot detection takes 5 whole seconds to solve on my phone, wow.
replies(4): >>43668607 #>>43668678 #>>43668723 #>>43668824 #
Hakkin ◴[12 Apr 25 23:01 UTC] No.43668607[source]
Much better than infinite Cloudflare captcha loops.
replies(1): >>43668977 #
gruez ◴[13 Apr 25 00:15 UTC] No.43668977[source]
I've never had that, even with something like tor browser. You must be doing something extra suspicious like an user agent spoofer.
replies(3): >>43669011 #>>43669040 #>>43669198 #
praisewhitey ◴[13 Apr 25 01:07 UTC] No.43669198[source]
Firefox with Enhanced Tracking Protection turned on is enough to trigger it.
replies(2): >>43669228 #>>43670028 #
1. aaronmdjones ◴[13 Apr 25 04:12 UTC] No.43670028[source]
You need to whitelist challenges.cloudflare.com for third-party cookies.

If you don't do this, the third-party cookie blocking that strict Enhanced Tracking Protection enables will completely destroy your ability to access websites hosted behind CloudFlare, because it is impossible for CloudFlare to know that you have solved the CAPTCHA.

This is what causes the infinite CAPTCHA loops. It doesn't matter how many of them you solve, Firefox won't let CloudFlare make a note that you have solved it, and then when it reloads the page you obviously must have just tried to load the page again without solving it.

https://i.imgur.com/gMaq0Rx.png

replies(1): >>43671279 #
2. genewitch ◴[13 Apr 25 09:08 UTC] No.43671279[source]
You're telling me cloudflare has to store something on my computer to let them know I passed a captcha?

This sounds like "we only save hashed minutiae of your biometrics"

replies(3): >>43672849 #>>43672901 #>>43675330 #
3. zaphar ◴[13 Apr 25 13:57 UTC] No.43672849[source]
Then don't visit the site. Cloudflare is in the loop because the owner of the site wanted to buy not build a solution to the problems that Cloudflare solves. This is well within their rights and a perfectly understandable reason for Cloudflare to be there. Just as you are perfectly within your rights to object and avoid the site.

What is not within your rights is to require the site owner to build their own solution to your specs to solve those problems or to require the site owner to just live with those problems because you want to view the content.

replies(1): >>43676185 #
4. gruez ◴[13 Apr 25 14:05 UTC] No.43672901[source]
>You're telling me cloudflare has to store something on my computer to let them know I passed a captcha?

You realize this is the same as session cookies, which are used on nearly every site, even those where you're not logging in?

>This sounds like "we only save hashed minutiae of your biometrics"

A randomly generated identifier is nowhere close to "hashed minutiae of your biometrics".

replies(1): >>43675361 #
5. aaronmdjones ◴[13 Apr 25 19:46 UTC] No.43675330[source]
> You're telling me cloudflare has to store something on my computer to let them know I passed a captcha?

Yes?

HTTP is stateless. It always has been and it always will be. If you want to pass state between page visits (like "I am logged in to account ..." or "My shopping cart contains ..." or "I solved a CAPTCHA at ..."), you need to be given, and return back to the server on subsequent requests, cookies that encapsulate that information, or encapsulate a reference to an identifier that the server can associate with that information.

This is nothing new. Like gruez said in a sibling comment; this is what session cookies do. Almost every website you ever visit will be giving you some form of session cookie.

6. genewitch ◴[13 Apr 25 19:52 UTC] No.43675361{3}[source]
the idea that cloudflare doesn't know who i am without a cookie is insulting.
7. black_puppydog ◴[13 Apr 25 22:03 UTC] No.43676185{3}[source]
That would be a much stronger line of argument if cloudflare wasn't used by everyone and their consultant, including on a bunch of sites I very much don't have an option of not using.
replies(1): >>43677520 #
8. zaphar ◴[14 Apr 25 02:24 UTC] No.43677520{4}[source]
Cloudflare doing a really good job meeting customer needs doesn't impact my argument at all.
replies(1): >>43678137 #
9. fc417fc802 ◴[14 Apr 25 04:47 UTC] No.43678137{5}[source]
When a solution is widely adopted or adopted by essential services it becomes reasonable to place constraints on it. This has happened repeatedly throughout history, often in the form of government regulations.

It usually becomes reasonable to object to the status quo long before the legislature is compelled to move to fix things.

replies(1): >>43680736 #
10. zaphar ◴[14 Apr 25 12:51 UTC] No.43680736{6}[source]
Why? This isn't a contrarian complaint but the problems that Cloudflare solves for an essential service require verifying certain things about the client which places a burden on the client. The problems exist in many cases because the service is essential which makes it a higher profile target. Expecting the client to bear some of that burden for interacting with the service in order to protect that service is not in my mind problematic.

I do think that it's reasonable for the service to provide alternative methods of interacting with it when possible. Phone lines, Mail, Email could all be potential escape hatches. But if a site is on the internet it is going to need protecting eventually.

replies(1): >>43685931 #
11. fc417fc802 ◴[14 Apr 25 20:25 UTC] No.43685931{7}[source]
That's a fair point, but it doesn't follow that the current status quo is necessarily reasonable. You had earlier suggested that the fact that it broadly meets the needs of service operators somehow invalidates objections to it which clearly isn't the case.

I don't know that "3rd party session cookies" or "JS" are reasonable objections, but I definitely have privacy concerns. And I have encountered situations where I wasn't presented with a captcha but was instead unconditionally blocked. That's frustrating but legally acceptable if it's a small time operator. But when it's a contracted tech giant I think it's deserving of scrutiny. Their practices have an outsized footprint.

> service to provide alternative methods of interacting with it when possible

One of the most obvious alternative methods is logging in with an existing account, but on many websites I've found the login portal barricaded behind a screening measure which entirely defeats that.

> if a site is on the internet it is going to need protecting eventually

Ah yes, it needs "protection" from "bots" to ensure that your page visit is "secure". Preventing DoS is understandable, but many operators simply don't want their content scraped for reasons entirely unrelated to service uptime. Yet they try to mislead the visitor regarding the reason for the inconvenience.

Or worse, the government operations that don't care but are blindly implementing a compliance checklist. They sometimes stick captchas in the most nonsensical places.