zlacker

[parent] [thread] 10 comments
1. yellow+(OP)[view] [source] 2023-08-02 16:29:12
> they run their own CDN, and by not knowing the location of the user, they can't determine the closest server to respond with.

I feel like the more reasonable answer here is to just let the user take the latency hit. Surely requests being somewhat slower is preferable to requests being outright bitbucketed, right?

replies(3): >>adql+Q1 >>godels+WM >>dotBen+fV
2. adql+Q1[view] [source] 2023-08-02 16:37:32
>>yellow+(OP)
Right but then working slow looks like archive.is issue but is ultimately caused by cloudflare.

CF is bascically saying "we can know your IP but not the site you are trying to resolve" (that will know your IP anyway once you navigate there).

replies(2): >>yellow+3z >>jrochk+ySa
◧◩
3. yellow+3z[view] [source] [discussion] 2023-08-02 18:53:37
>>adql+Q1
> Right but then working slow looks like archive.is issue but is ultimately caused by cloudflare.

Whereas not loading at all looks like archive.is issue but is ultimately caused by archive.is.

> CF is bascically saying "we can know your IP but not the site you are trying to resolve" (that will know your IP anyway once you navigate there).

Not necessarily. For example, the DNS query could go straight to CF while the eventual request to archive.is goes through a proxy or VPN.

replies(1): >>sXgC6d+0Q1
4. godels+WM[view] [source] 2023-08-02 19:44:20
>>yellow+(OP)
Forgive my naivety, but can you not just ping several servers and return the best? Could you not even guess first and then asynchronously perform this and then re-route or do so on the next user click? I am not an internet person so this may be a very dumb question.
replies(1): >>lxgr+2v1
5. dotBen+fV[view] [source] 2023-08-02 20:14:36
>>yellow+(OP)
You shouldn't assume the origin server is setup for direct traffic - either in terms of load management or security (access to origin might only be available to CDN IPs on their ACL)
replies(1): >>yellow+Nl1
◧◩
6. yellow+Nl1[view] [source] [discussion] 2023-08-02 22:03:51
>>dotBen+fV
> You shouldn't assume the origin server is setup for direct traffic

You don't need to make any such assumption; the above point stands even in the case of simply hitting the "wrong" (i.e. geographically suboptimal) CDN endpoint.

◧◩
7. lxgr+2v1[view] [source] [discussion] 2023-08-02 22:48:33
>>godels+WM
For a site with longer-lived sessions (e.g. video on demand, gaming etc.) which tolerate a bit of startup delay/inefficiency that can definitely be done.

But for a site that essentially tries to serve you static content as quickly as possible and mostly all at once, that would probably introduce more overhead than it's worth.

replies(1): >>godels+3z1
◧◩◪
8. godels+3z1[view] [source] [discussion] 2023-08-02 23:11:09
>>lxgr+2v1
In the latter case, that seems like it just wouldn't be such a big deal, right? Since the hit would only happen user side and be a small percentage of the user's time on the site?

I get that they don't want to "take the blame" but it seems like both parties are performing reasonable actions that butt heads but that one party resolves that by just not performing the service. To me that feels like a worse outcome than slow service, as it just looks like the site is down.

The next naive question I have is about the response of truncation. I understand Cloudflare is preserving privacy. Archive says that privacy is preserved because they truncate the PII. Is this truncation verifiable in the request from Cloudflare? If not, then this seems like an unreasonable expectation ("just trust me bro"). Again, personally I'd rather have the latency hit and I'm not sure I'm seeing a good argument against this.

replies(1): >>lxgr+0C3
◧◩◪
9. sXgC6d+0Q1[view] [source] [discussion] 2023-08-03 01:26:13
>>yellow+3z
Ok, really? Who is using a proxy for HTTP but not DNS in 2023?
◧◩◪◨
10. lxgr+0C3[view] [source] [discussion] 2023-08-03 15:12:50
>>godels+3z1
> In the latter case, that seems like it just wouldn't be such a big deal, right? Since the hit would only happen user side and be a small percentage of the user's time on the site?

True, but it's still the difference between being able to load all embedded resources from a server close to the user or potentially having to haul all of that across an ocean, considering TCP congestion window scaling (which is sensitive to round trip times) etc.

All that said, based on a purported comment by the maintainer of archive.is, the aim of their CDN is actually not improving responsivity, but delaying legal/law enforcement responses: >>36971650

> Archive says that privacy is preserved because they truncate the PII.

Personally, I don't have a lot of sympathy for either party here:

I think, especially given the comment linked above, Archive's latency/efficiency concerns are just pretext for quite different concerns of their own (having to deal with law enforcement).

And on the other hand, while Cloudflare's EDNS subnet truncation might help user privacy in a few edge cases (as many have said here, the visited site will get the user's IP as soon as they connect to their servers!), it also makes it that much harder for CDNs other than Cloudflare to efficiently serve content using DNS-based routing and forces them to also use Anycast, which is much harder to do.

◧◩
11. jrochk+ySa[view] [source] [discussion] 2023-08-05 18:24:53
>>adql+Q1
The current situation seems to be that for these users it's not working at all (either timeout or infinite captch loop), and it looks like an archive.is issue, no explanation is given. So avoiding service disruption looking like an archive.is issue does not seem to be the goal.
[go to top]