zlacker

[parent] [thread] 12 comments
1. supriy+(OP)[view] [source] 2023-08-02 14:44:50
Sure, we’re to believe that, given that you’re trying to lock out Linux users[1] (which still isn't resolved yet) and pushing for device attestation[2] to lock out rooted devices at the same time.

[1] >>36197401

[2] https://www.ietf.org/archive/id/draft-private-access-tokens-...

replies(4): >>afavou+K1 >>pessim+b2 >>brooks+BP >>ftaghn+pR
2. afavou+K1[view] [source] 2023-08-02 14:52:43
>>supriy+(OP)
Your link for [1] shows that CF responsed, confirmed the bug and that they fixed it. If that’s not actually the case have you tried engaging with them again? They seemed very responsive the first time.
replies(1): >>supriy+24
3. pessim+b2[view] [source] 2023-08-02 14:55:47
>>supriy+(OP)
I have huge problems with Cloudflare, but this comment is dishonest.

[1] "Hello, Benedikt from Cloudflare and the Turnstile Team here. Thanks you so much for the report. We looked into this report and identified that there was some false positive and cleared the signal. We have investigated this report and the issue should be fixed. Please reach out to me benedikt@cloudflare.com or at our Cloudflare Turnstile Discord, if you are still encountering problems."

[2]

> Servers commonly use passive and persistent identifiers associated with clients, such as IP addresses or device identifiers, for enforcing access and usage policies. For example, a server might limit the amount of content an IP address can access over a given time period (referred to as a "metered paywall"), or a server might rate-limit access from an IP address to prevent fraud and abuse. Servers also commonly use the client's IP address as a strong indicator of the client's geographic location to limit access to services or content to a specific geographic area (referred to as "geofencing").

> However, passive and persistent client identifiers can be used by any entity that has access to it without the client's express consent. A server can use a client's IP address or its device identifier to track client activity. A client's IP address, and therefore its location, is visible to all entities on the path between the client and the server. These entities can trivially track a client, its location, and servers that the client visits.

> A client that wishes to keep its IP address private can hide its IP address using a proxy service or a VPN. However, doing so severely limits the client's ability to access services and content, since servers might not be able to enforce their policies without a stable and unique client identifier.

> This document describes an architecture for Private Access Tokens (PATs), using RSA Blind Signatures as defined in [BLINDSIG], as an explicit replacement for these passive client identifiers. These tokens are privately issued to clients upon request and then redeemed by servers in such a way that the issuance and redemption events for a given token are unlinkable.

replies(1): >>supriy+ke
◧◩
4. supriy+24[view] [source] [discussion] 2023-08-02 15:03:30
>>afavou+K1
CF (like many other companies) are responsive only when the complaint is posted on HN. Regardless, the issue wasn't solved, it came back within a few hours.

I've tried raising this issue on their forum, where I've failed to get the attention of the engineering teams, and while posting the ray ID should be sufficient, all you'd really get is clueless, unpaid volunteers asking you questions in circles like "what website do you see this on" (everywhere), "are you using adblock" (no, and Adblock has never blocked their Turnstile scripts) and "what's your user agent?" (the default Chromium one).

If I had to hazard a guess, it's their bot management script seeing "Linux" in the user agent and detecting missing video codecs (which is par for the course for standard Chromium builds), and thinking it's a headless browser. Between the the fact that differences between the JS runtime of Chromium and Chromium headless are very small these days, and the ClientHello permutation has destroyed bot management vendors' ability to distinguish different browser builds, they decided blocking all Linux users using Chromium was fair enough.

replies(4): >>afavou+k4 >>theamk+4j >>obitua+7o >>NicoJu+px
◧◩◪
5. afavou+k4[view] [source] [discussion] 2023-08-02 15:05:13
>>supriy+24
Are you sure this is a widespread, universal bug? Are you sure all Linux Chromium users are affected?

I get that it's a frustrating situation but you're viewing CF in the worst possible light ("trying to lock out Linux users" assumes an intent not on display) and I think it's counterproductive to success.

replies(1): >>freedo+Ig
◧◩
6. supriy+ke[view] [source] [discussion] 2023-08-02 15:47:14
>>pessim+b2
Please see [1] regarding the concerns around attestations and PAT and [2] for what has happened outside HN, which a simple reading of that thread wouldn't otherwise suggest.

[1] >>36972051

[2] >>36971869

◧◩◪◨
7. freedo+Ig[view] [source] [discussion] 2023-08-02 15:57:33
>>afavou+k4
I am exclusively a Linux user and have multiple machines/distros/etc and can test. Can you post a link that loading will demonstrate the issue?
replies(1): >>arp242+zD
◧◩◪
8. theamk+4j[view] [source] [discussion] 2023-08-02 16:07:09
>>supriy+24
Pretty sure you are wrong - I run Linux on both my desktop and laptops; and moreover everyone in our engineering team runs Linux as main OS as well. We haven't seen any Cloudfare-specific problems.

(I have no doubt ypu are seeing the problem on your PC; but generalizing a single point to all Linux users just screams "technical incompetence" and makes me want to ignorw the post)

◧◩◪
9. obitua+7o[view] [source] [discussion] 2023-08-02 16:27:28
>>supriy+24
You don't have to "hazard a guess", one of their engineers gave you their email address in that other thread. They also invited you to their discord. Have you tried talking to someone directly at the source?
◧◩◪
10. NicoJu+px[view] [source] [discussion] 2023-08-02 17:08:30
>>supriy+24
Had a one-time quick experience with cloudflare through the chat.

For an issue that pointed to cloudflare, but ultimately was our hoster having an issue with completing the TLS handshake...

After infra update ofc.

Tldr: had the opposite experience, for a technical issue :)

◧◩◪◨⬒
11. arp242+zD[view] [source] [discussion] 2023-08-02 17:33:32
>>freedo+Ig
https://app.ahrefs.com/user/forgot-password is the link that was used in the "Tell HN" they posted last time.

Works for me on Linux in Firefox and Chromium.

12. brooks+BP[view] [source] 2023-08-02 18:23:22
>>supriy+(OP)
There’s a fair argument to make against device attention, but casting the exclusion of rooted devices as the goal of the policy rather than a side effect is a bit disingenuous.
13. ftaghn+pR[view] [source] 2023-08-02 18:30:08
>>supriy+(OP)
> given that you’re trying to lock out Linux users

I had that issue with cloudflare bot captcha when trying to access a web novel website. It would infinitely loop into the "please click the checkmark to confirm you're human" thingamagic.

Initially I thought it was because I was a linux user, but I tried to browse the same website on Google Chrome and the issue went away. They were not discriminating against linux, but against Firefox, which is just as bad, if not worse.

I tried everything on FF: deleting all cookies/storage/history, disabling addons etc. It would still do this on a pristine FF. Ultimately, I admit, not being able to access websites did manage to encourage me to uninstall FF, despite it not being FF's fault, I'm tired of dealing with this kind of cr*p.

[go to top]