as someone who has to live behind a great firewall, I find myself using Expressvpn and other VPN products by necessity - as a result I end up staring at cloudflair pages much more often than I would expect. i can’t help but feel that cloudflair is making vpn users’ lives miserable for their own gain. is there any evidence either way?
Comments
Bender•8mo ago
I believe this is a losing battle. Miscreants hide behind VPNs to abuse sites. Many sites are behind CF. CF must then find a balance between anti-bot and not harming legit users. Such a balance does not really exist and that results in the phrase, "And this is why we can not have nice things..."
To answer your question I suppose they are as reasonable as they can get considering many sites can use CF free accounts and people can choose whether or not to enable the anti-bot capabilities. The alternative would be for more sites to build their own anti-bot measures but that can get expensive very fast. I do not see how they would gain by blocking VPN users unless one could pay to get around the anti-bot measures which would defeat the purpose of blocking bots in the first place as some botters would pay-to-play using stolen credit cards.
Another alternative would be for sites to find a way to create a group of "trusted users" and provide said users a way to bypass CF. i.e. each site having their own paid VPN gateway or the trusted users put up a paid bond to access a dynamically scaled HAProxy Anycast mesh. However by paying using a traceable source that defeats the purpose of a VPN and so I return to the phrase, "And this is why we can not have nice things". Short of finding all the miscreants and dropping them into an ancient style Roman Colosseum Pay-Per-View Gladiator Tournament with no rules this problem will likely always exist.
coderatlarge•8mo ago
thank you for the context. It feels like in the last year or two the focus on Geo detection and Geo blocking has grown substantially. For example, many websites seem like they won’t take any traffic at all from certain countries. and they will go to some lengths to try to detect the source country of the connection even when a VPN is in the path. I don’t really know how they do this, but it’s evident from various language features in browsers that get triggered.
Bender•8mo ago
I don’t really know how they do this, but it’s evident from various language features in browsers that get triggered
One clue comes from accept-language. If a person sets the primary language to en-US or en-GB they might also have additional languages that were automatically set based on their OS preferences. Another clue comes from cookies. Many sites use CF so there will be session cookies from CF that were set by other sites but are shared by their insight domain and others and this is even before we talk about javascript. To use sites that use CF usually requires enabling javascript and that gives mountains of data away. There are others here that know much more about this than I.
coderatlarge•8mo ago
thanks for the note. i don’t speak the local language so maybe it’s gotten enabled in some indirect way. and js there isn’t much anyone can do about it seems when interacting with a “modern” web page.
i have this day-dream that i’ll learn enough about linux networking to setup one of my boxes as a filter for all my traffic and properly encrypt and observe and properly filter out stray traffic that may be giving me away, but that’s probably a fool’s errand too on some level. also i suspect macos leaks info in various hard to secure ways.
Bender•8mo ago
To answer your question I suppose they are as reasonable as they can get considering many sites can use CF free accounts and people can choose whether or not to enable the anti-bot capabilities. The alternative would be for more sites to build their own anti-bot measures but that can get expensive very fast. I do not see how they would gain by blocking VPN users unless one could pay to get around the anti-bot measures which would defeat the purpose of blocking bots in the first place as some botters would pay-to-play using stolen credit cards.
Another alternative would be for sites to find a way to create a group of "trusted users" and provide said users a way to bypass CF. i.e. each site having their own paid VPN gateway or the trusted users put up a paid bond to access a dynamically scaled HAProxy Anycast mesh. However by paying using a traceable source that defeats the purpose of a VPN and so I return to the phrase, "And this is why we can not have nice things". Short of finding all the miscreants and dropping them into an ancient style Roman Colosseum Pay-Per-View Gladiator Tournament with no rules this problem will likely always exist.
coderatlarge•8mo ago
Bender•8mo ago
One clue comes from accept-language. If a person sets the primary language to en-US or en-GB they might also have additional languages that were automatically set based on their OS preferences. Another clue comes from cookies. Many sites use CF so there will be session cookies from CF that were set by other sites but are shared by their insight domain and others and this is even before we talk about javascript. To use sites that use CF usually requires enabling javascript and that gives mountains of data away. There are others here that know much more about this than I.
coderatlarge•8mo ago
i have this day-dream that i’ll learn enough about linux networking to setup one of my boxes as a filter for all my traffic and properly encrypt and observe and properly filter out stray traffic that may be giving me away, but that’s probably a fool’s errand too on some level. also i suspect macos leaks info in various hard to secure ways.