HIBP has been rendered unusable to people in 3rd world countries because of endless CF captcha loops.
https://imgur.com/a/K5z1X2R
Yep, Cloudflare is a great service... for the US parts of the internet.
The road to hell is paved with good intentions.
Incidentally I first read the title as "I have been pwned by cloudflare workers and caching".
I live on the opposite side of the globe and have no problems using Cloudflare. Also, my SaaS is deployed on Cloudflare and we have users in hundreds of countries who use it with no problem
> my SaaS is deployed on Cloudflare and we have users in hundreds of countries who use it with no problem
How would you know you have a problem if you outright ban non-conformant users? Is your customer support function not behind Cloudflare, and accessible to users without an account?
In what way do we "outright ban non-conformant users"?
You are making a lot of assumptions with that statement
Our security level setting is low enough that almost nobody would actually get blocked from the site. Anybody could access the contact page and email us or use the live chat
We use Turnstile in a couple of places and we have gotten a couple isolated reports about users being unable to perform actions behind Turnstile but it was always that they had some sketchy extension installed. And the extra security and bot protection we are getting makes those very low false positive rates worth it (we have tens of thousands of users so a couple reports in the last couple years is fine...)
> In what way do we "outright ban non-conformant users"?
You have literally replied to a thread in which we discuss how Cloudflare bans non-conformant users (who live in 3rd world countries, use Linux and possibly other non-conformant computer practices according to Cloudflare's product managers). So you outright ban them by using Cloudflare.
-----
You also literally contradict yourself with the following two statements:
> I live on the opposite side of the globe and have no problems using Cloudflare. Also, my SaaS is deployed on Cloudflare and we have users in hundreds of countries who use it with no problem
and
> We use Turnstile in a couple of places and we have gotten a couple isolated reports about users being unable to perform actions behind Turnstile but it was always that they had some sketchy extension installed. And the extra security and bot protection we are getting makes those very low false positive rates worth it (we have tens of thousands of users so a couple reports in the last couple years is fine...)
Make up your mind, which is it? Do you have no problems using Cloudflare and your users in hundreds of countries use it with no problem or not?
-----
These being said, what percentage of lurkers actually contact random online services to let them know that something is wrong? Almost nobody does that.
Personally, I've only contacted Troy Hunt on haveibeenpwned and his blogs, letting him know on several separate occasions that his websites are inaccessible to some users, as far as I could tell, from 3rd world countries. He has deleted all of my comments; he probably deletes all comments critical of his service, since there's only praise allowed in his blog posts. To be able to contact him, I had to borrow a MacBook and use a US VPN, because all of his services are behind endless Cloudflare captchas.
How many website visitors of yours, not users, would be able or willing to go to that length to contact you about your dysfunctional Cloudflare WAF?
This has nothing to do with Cloudflare WAF. Like I said our security level is very low and the Turnstile handling is done in a Worker
And I'm sorry if you think that 2 users in 2 years having an issue when we have tens of thousands of paying users tips the scale of whether or not it is an overall net benefit for our company. If it wasn't for Cloudflare we simply wouldn't be able to provide the free versions of the software in the same fashion that we do now
It sounds like you're upset at somebody who improperly configured Cloudflare on their sites and now you are blaming the company and everybody that uses it without having a solid understanding of the tech
It's more like a lot of people hate CF and that too much of the internet relies on it. It's not like they hate anyone specific.
> 2 users in 2 years having an issue
See, this is what makes Cloudflare's practices work. You are under the impression that 2 users in 2 years have had issues when, actually, 2 users in 2 years have bothered to jump through lots of hoops to finally contact you about your issues.
Your SaaS business seems profitable, so keep it up! But don't go around claiming only 2 users have had issues, you most definitely don't have a 100% support contact rate for Cloudflare related issues.
There are not a lot of hoops. They would simply click the contact page and then use the email or live chat like I explained earlier.
The WAF does not block anybody from accessing the site which I have been trying to explain to you.
You are not listening because you are taking one experience with one site and then projecting that onto me.
You mean Australia/NZ? :)
No
This is not just 3rd world countries. Cloudflare has broken the Internet and made it slower with all the stupid captchas. We were better off without them.
Is it really cloudflare doing this or endless bot attacks making these kind of tools necessary?
Do other services have the same problem? Like https://amibreached.com/?
I think there is much more to it than just your location. Based on the cursor and UI, are you using Linux on Firefox? I'm not saying it shouldn't be supported, but I just think that there's definitely more factors at play here than "3rd world countries"
And depending on your definition of third-world country, I'm in one as well, and I don't have this sort of issue
The author of this article set those settings himself.
I must be missing something. You have 2MB of data for "is my 6 character SHA1 prefix in any breach". Why can't you distribute that to every edge node?
I can see a fairly simple improvement to updating the entire HIBP dataset; version it and slowly roll traffic onto the new version by prefix, e.g. take the 6-hexit prefix mod 100 and if the result is < rollout_percentage then the Cloudflare Workers fetch from the new version, otherwise the old. rollout_percentage can be a simple function of the Unix timestamp, for example.
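The versioned, prefix-bucketed rollout sketched in the comment above, written out as a Cloudflare Worker-style handler. This is an added example, not code from HIBP or from the commenter: the origin URL layout, the version names, the linear one-hour schedule and the `/range/<prefix>` request path are all assumptions made for illustration.

```javascript
// Added example: versioned, prefix-bucketed rollout of a new HIBP-style
// dataset from a Cloudflare Worker. Not HIBP's code; origin URL shape,
// version names and the rollout schedule are assumed for illustration.

const HEX_PREFIX = /^[0-9a-f]{6}$/i;

// Map a 6-hexit SHA-1 prefix to one of 100 buckets. The prefix is a hash
// fragment, so the buckets are spread uniformly over the key space.
function prefixBucket(prefix) {
  if (!HEX_PREFIX.test(prefix)) throw new Error("prefix must be 6 hex digits");
  return parseInt(prefix, 16) % 100;
}

// Rollout percentage as a function of the Unix timestamp: 0% before
// schedule.startSec, climbing linearly to 100% over schedule.durationSec,
// then 100%. Deterministic, so every edge location computes the same
// answer with no shared state or coordination.
function rolloutPercentage(nowSec, schedule) {
  const elapsed = nowSec - schedule.startSec;
  if (elapsed <= 0) return 0;
  if (elapsed >= schedule.durationSec) return 100;
  return Math.floor((elapsed * 100) / schedule.durationSec);
}

// Pick which dataset version serves this prefix right now. A prefix whose
// bucket is below the current percentage is on the new version; because
// the percentage only grows, a prefix never flips back to the old data.
function selectVersion(prefix, nowSec, schedule) {
  return prefixBucket(prefix) < rolloutPercentage(nowSec, schedule)
    ? schedule.newVersion
    : schedule.oldVersion;
}

// Build the upstream URL for a prefix (assumed layout: <base>/<version>/<PREFIX>).
// The version is part of the path, so the edge cache key changes per
// version and no purge is needed: old entries stop being requested and age out.
function originUrlFor(prefix, version, originBase) {
  return `${originBase}/${version}/${prefix.toUpperCase()}`;
}

// Worker-style handler: takes the incoming request URL (assumed shape
// .../range/<prefix>), the current time and the schedule, and returns what
// the Worker would fetch. Returned as plain data so it runs without network.
function routeRangeRequest(requestUrl, nowSec, schedule, originBase) {
  const m = new URL(requestUrl).pathname.match(/\/range\/([0-9a-f]{6})$/i);
  if (!m) return { status: 400 };
  const prefix = m[1];
  const version = selectVersion(prefix, nowSec, schedule);
  return { status: 200, version, upstream: originUrlFor(prefix, version, originBase) };
}

// Constructed schedule for a demo run: a one-hour linear ramp from v41 to v42.
const DEMO_SCHEDULE = {
  startSec: 1700000000,
  durationSec: 3600,
  oldVersion: "v41",
  newVersion: "v42",
};

// Share of 100 evenly spaced buckets already on the new version at a given
// time; useful for checking the ramp behaves as intended before going live.
function shareOnNewVersion(nowSec, schedule) {
  let onNew = 0;
  for (let bucket = 0; bucket < 100; bucket++) {
    // Prefix whose numeric value equals the bucket, e.g. bucket 99 -> "000063".
    const prefix = bucket.toString(16).padStart(6, "0");
    if (selectVersion(prefix, nowSec, schedule) === schedule.newVersion) onNew++;
  }
  return onNew;
}
```

Because the version is part of the upstream path, the edge cache key changes with the version, so nothing has to be purged; stale entries for the old version simply stop being requested and expire. The same keying works if the per-prefix files live in R2 rather than on an origin server. The choice depends only on the timestamp and the prefix, so a clock that is a few seconds off at one location only shifts its percentage slightly rather than producing disagreement about which data a prefix should get.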
Yeah, a full cache purge seems like a non-ideal solution vs what you wrote.
A shame they can't push updated data to the caches directly without flushing them. They could otherwise potentially bypass the origin almost entirely by just pushing data once per breach to each edge node.
They could by storing the results as files in R2 and letting Cloudflare Workers just return these.
Alternatively these dumps could be made public and you could get privacy for free instead of having to query a service.
It's frustrating how secretively this is all treated and how, to get anything useful, you have to go on Telegram instead of there being an open way of checking.
They are; https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader
(2024)
> The response from each search was coming back so quickly that the user wasn’t sure if it was legitimately checking subsequent addresses they entered or if there was a glitch.
That's sad - and far too common. We're so conditioned to web sites and even apps being unusably slow and plagued by latency thanks to Electron and multi-megabyte JS bundle slop that the exception, software that is actually responsive and slim, is being judged as abnormal instead of an ideal to follow...
If anything we're conditioned by millions of years of evolution to expect things to take time. Things happening instantly in a digital void is relatively new.
The majority of users seem to prefer slow animations for anything that changes, and flight/hotel search pages have used artificial delays for decades.
Users might prefer slow animations, but they absolutely loathe low responsiveness. We have been conditioned by nature to expect immediate feedback from our actions in the physical world. Sure, turning a page might be quite slow, but the moment you hold the paper between your fingers it immediately moves and you get that feeling of control over the object.
> The majority of users seem to prefer slow animations for anything that changes
Tech conditioned people to this expectation. Tech could have also gone and said "no, screw you, we will not introduce artificial slowness Just Because" and in 5-10 years people would have adapted. Swim or die.
It's just the same with IT in general. In the Nordic and Baltic countries, even beggars have credit-card terminals because no one carries cash any more. Most if not all public service is done exclusively online - and yet we do not hear the horror stories of elderly people dying because they can't apply for social security that people are drawing up here in Germany.
People have the capacity to change and adapt, and one does not have to coddle adults.
I would say it's neither... it's not preference, but also not really conditioning...
The point of those fake animations or fake spinners is showing that "it worked" in the absence of "success" feedback.
I work with offline-first apps and we did some user testing. We have to be careful about things like navigating between pages, because if it's too fast the user will not register the change, and will assume it was an error.
Now THIS is the fault of tech industry, and where I agree that it's conditioning: a lot of tech products simply fail silently, or have very long timeouts, so users are conditioned to translate "lack of response" with "failure".
There are alternatives to animations, however: different designs between pages, changes close to the mouse pointer, or in the case of list refresh showing the "last refreshed 1 second ago"... or even showing a popup with "Successfully loaded". Often this is hated by designers (although the "success popup" is also hated by users), which is why people look for alternatives.
> Most if not all public service is done exclusively online
I'm from Poland (so close) and I find this true here too, but in 99% of the cases there is a human fallback. You can file your tax return online, but nothing stops you from driving to the tax office and filing a paper form there, with a pen.
> yet we do not hear the horror stories of elderly people dying
Well, that's because 100% of the time, elderly people will use public and private healthcare by a phone call with a human. Even if apps and such are available.
> Nordic and Baltic countries, even beggars have credit-card terminals
Oh, haven't seen that here (Riga). Actually I was out in the capital a few days ago and people play music on the streets... I can't tip them because I have no coins and they have no terminal or QR code that would lead to a page that enables tipping.
Most places have card terminals, and buying stuff from individuals also supports sending money to a bank account instantly using only the seller's phone number, but some parts are still coins only. My wallet doesn't support coins, unfortunately.