Cloudflare launches free Recaptcha alternative and free ratelimiting rules
(Yeah, this is another one of those Cloudflare threads.)
First off, they're bundling ratelimiting to all plans, including the free plan, without incurring usage based pricing. On the free plan, you're only limited to blocking windows of 10 seconds, though I guess it could still be useful to protect search endpoints and the like.
https://blog.cloudflare.com/unmetered-ratelimiting/
They've also launched Turnstile, a Recaptcha alternative that doesn't have image/audio based challenges at all, and is based on browser fingerprinting and remote attestation. Pretty good user experience, and I don't mind the fingerprinting as all such protection products need to tell attackers from regular users.
https://blog.cloudflare.com/turnstile-private-captcha-alternative/
The remote attestation and lack of a fallback challenge does concern me though. If their fingerprinting fails you're stuck in an infinite loop of "verifying" animations without being ever able to pass the captcha.
Further, on Apple devices, they can ask Apple to vouch for the "realness" of your device through a mechanism called Private Access Tokens (similar to TPMs on Windows). While this gives people a good user experience, once PATs are implemented by Microsoft and Google, I could see them eventually locking out anyone not using a tech stack provided by big tech, like Linux users, or those on rooted devices.
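An added example, not code from this thread or from Cloudflare, showing the server-side half of a Turnstile deployment: the token the widget hands the browser is only meaningful once the backend posts it to the siteverify endpoint and then checks the verdict's hostname, action and issue time, not just the `success` flag. It assumes the siteverify URL and the JSON fields (`success`, `challenge_ts`, `hostname`, `action`, `error-codes`) as Cloudflare documents them; the sample verdicts are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Union
from urllib import parse, request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


def fetch_siteverify(secret: str, token: str, remote_ip: Optional[str] = None) -> dict:
    """POST the widget token to siteverify and return Cloudflare's JSON verdict.
    This is the only network call; the checks below run on the returned dict."""
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip  # optional, lets Cloudflare bind the token to the client
    req = request.Request(SITEVERIFY_URL, data=parse.urlencode(form).encode(), method="POST")
    with request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def _parse_ts(value: Union[str, datetime]) -> datetime:
    # siteverify reports challenge_ts as ISO 8601 with a trailing Z (UTC)
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def token_is_acceptable(verdict: dict, expected_hostname: str, expected_action: str,
                        now: Union[str, datetime, None] = None,
                        max_age: timedelta = timedelta(minutes=5)) -> bool:
    """Checks a backend should apply on top of 'success': the token must have been
    issued for this site and this widget action, and must be fresh, so a verdict
    obtained for another hostname or replayed later is not accepted."""
    if not verdict.get("success"):
        return False  # error-codes will say why, e.g. timeout-or-duplicate
    if verdict.get("hostname") != expected_hostname:
        return False
    if expected_action and verdict.get("action") != expected_action:
        return False
    try:
        issued = _parse_ts(verdict["challenge_ts"])
    except (KeyError, ValueError):
        return False
    current = _parse_ts(now) if now else datetime.now(timezone.utc)
    return timedelta(0) <= current - issued <= max_age


# Constructed sample verdicts in the shape siteverify returns (not captured from Cloudflare).
GOOD_VERDICT = {"success": True, "challenge_ts": "2022-09-28T12:00:00.000Z",
                "hostname": "example.com", "error-codes": [], "action": "login", "cdata": ""}
BAD_VERDICT = {"success": False, "error-codes": ["timeout-or-duplicate"]}
```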
Comments
As a normal user based in a normal country with a normal internet connection, I have a terrible experience most times I go near a cloudflare site. Often 2 rounds of captchas, on some sites after it's given me the 4th round I just close it as I've lost interest in reading whatever article I was trying to read.
@stevewatson301 points out the eventual dangers of relying on proprietary tech, but I cannot understand why providers willingly put themselves at the mercy of a third party that frequently prevents genuine visitors from accessing their site.
Captchas maybe make sense when a particular site is under high load and your heuristics detect it's maybe a DDoS, but the rest of the time, they're just a nuisance for everyone. This thing will be similar. I don't want my "device" to vouch for anything, I want the site to follow standard, open protocols.
It is the fact that without Cloudflare, you have to use one of the DDoS protection services available elsewhere, and most of them don't offer layer 7 & cost a premium. Sure, you can survive without layer 7 protection with enough resources, but to keep the site alive, you have to pay more. You might think that sites without the Cloudflare page are not being attacked, but Cloudflare does mitigate most of the attack traffic behind the scenes. Even LES & LET utilize Cloudflare. At the end of the day, if you use Cloudflare, you can keep cost to a minimum. No sane service website owners with even the slightest amount of traffic will keep sites up unprotected on the internet. You can say that low-end intertwines with Cloudflare unless the provider provides DDoS protection.
It depends on the settings from the site owner, whether the site is currently under attack, and whether your ISP, or the way you connect to the site, is flagged as risky.
Maybe worth changing your ISP or such, try a VPN etc.
For example, WebHostingTalk is the only site I know which has pretty aggressive CF settings, where I have seen a few captchas within minutes. All other CF websites are fine for me at least.
Free NAT KVM | Free NAT LXC
Is it still the case? They used to serve hcaptcha challenges but they’ve since replaced it with their managed challenge “platform” that automatically lets you in based on fingerprinting, and sometimes a single click on a checkbox.
Cloudflare has often blocked legitimate functionality and visitors on my website. I just turn the security level to “essentially off” these days and put up protections at the backend.
They already had a free rate limiting thing before? I played with it a couple weeks back.
I mostly see it when trying to read articles linked to from hacker news. I guess that might be enough visitors all to the same URL that it might look like a DDoS, but probably at least every few days there's one article that I want to read that I give up on because of the captchas.
Didn't know that was an option. In that case, I might look at it, but I'd pretty much dismissed it due to negative experiences as a user...
The issue is that you don't know you're on a CF site unless something goes wrong.
I've been using CF for years. It has a lot of pros.
However, just yesterday, after some redesign, I bothered @Ympker to check if the damn GDPR popup works OK. Apparently, he had problems using a VPN server from Malaysia. Resulted in a CF check, then a 404 page!?!
Had to do some "tweaking" and double checking. But that doesn't make CF much different from most other security-related solutions - it does add some "inconvenience" and false positives, and getting it right between security and user-friendliness is always a balancing act.
The way I see it, just like Google, CF is a big brother that, for now, just smiles warmly at us, but that could change any day. Yet, I can't do anything to change that - I can only see what the situation is like at the moment and do the best I can (i.e. people won't stop using Google and CF if I stopped using them, and vice-versa for my using them).
So, even for those not on a budget, it makes very little sense to not use Cloudflare nowadays.
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
This. This is something some people have a hard time understanding.
I usually tell them that "the inventor of the electric bulb probably worked in candle light". That means that even if you try to make the world better, you still have to accept it the way it is now.