gwittel | 1 year ago

I’m really mixed on this. Anti-bot stuff is increasingly a pain point for security research. Working in this space, I have to work against these systems.

Threat actors use Cloudflare and other services to gate their payloads. That’s a problem for our customers who are trying to find/detect things like brand impersonation and credential phish. Cloudflare has been completely unhelpful. They just don’t care.

heipei|1 year ago

Seconding this. Evading detection has become a real cakewalk since threat actors are able to sign up for a free Cloudflare account and then put their phishing site on their 2-hour-old domain behind a level of protection backed by a $20B company. Funny that you almost never see phishing on Akamai ;)

Disclaimer: We operate in this space so we obviously have an interest in being able to detect these threats going forward.

spacebanana7|1 year ago

Other than being the cheapest & easiest to use, is Cloudflare doing a particular evil here?

As a webmaster I don’t want non-user traffic except search engines. It’s a waste of money and often entails security, privacy and commercial risk.

Without Cloudflare I’d achieve only slightly less effective results using an AWS WAF, another CDN, or hand-rolling solutions out of ipinfo etc.

throwaway48476|1 year ago

Cloudflare is the ultimate example of creating the problem and selling the solution.

rashkov|1 year ago

Why not Akamai?

madacol|1 year ago

I feel like we'll eventually arrive at some kind of micro-payment mechanism to solve this issue.