Author Topic: PLEASE disable Cloudflare on the forum  (Read 13608 times)

Offline bobmaloney

"The crows seemed to be calling his name, thought Caw."
- Jack Handey (SNL)

Offline karnal

@xeroc @bitsapphire just spent FIFTEEN minutes between captcha loops and "Cannot contact reCAPTCHA. Check your connection and try again", captchas loading VERY slowly (happens frequently) to be able to access the forum.

I'm almost ready to give up at this point. This forum is the central point of contact with this community, and as someone concerned with being private, I'm being CENSORED from accessing the forum normally by this company CLOUDFLARE.

Offline karnal

Unfortunately still no changes on this front. Lately I don't really visit the forum any longer due to this captcha bs.

Offline fav

Cloudflare is pissing me off and I use a regular ISP. That thing occasionally bans IPs from my ISP for whatever reason (we do not have static IPs, so it's easy to catch one).

Offline karnal

@bitsapphire saddened to see that weeks later this has not been addressed.

Meanwhile, the tension between Cloudflare and the Tor community has been increasing: https://blog.torproject.org/blog/trouble-cloudflare

Strongly recommend (quick read) https://people.torproject.org/~lunar/20160331-CloudFlare_Fact_Sheet.pdf - as linked in the above blogpost.

Offline karnal

The choice of CA is not so much related to using a reverse-proxy-style (mitm) service such as Cloudflare.

Of course, it's still important to choose a decent CA due to other reasons (quality of OCSP responders, for instance).


As for previous DDoS, do you remember what sort of DDoS it was? Except for the really overwhelming ones, they can be simple to thwart.

A 1 Gbps (or more) connection helps, enabling TCP syncookies under load will kill all SYN flood attacks, and a decently configured firewall that drops unnecessary probes and responses to closed ports is also necessary.

You can also rate-limit at the firewall how many new connections over a period of time a single IP can make.
Putting up a high-quality load balancer (even if it's just one backend server (the forum) behind it) such as HAProxy in front of the webserver can also significantly help in a DDoS scenario -- and just in general -- by doing protocol-level checks, adding security rules, and most importantly in this case, gaining the ability to queue incoming connections (rather than just dropping them) so that the backend webserver(s) never have to deal with more than they can eat.

If you want to go REALLY hardcore, then use Varnish in front of the webserver and cache the dynamic content on the forum (some VCL mastery needed to make sure the cache is invalidated in a timely/correct manner) such that the webserver doesn't even see most of the requests, since they are served static from Varnish.

My point is, there is a LOT one can do to mitigate a DDoS attack, and force the attacker to really throw several Gbit/s at you rather than relying on simpler-to-execute DDoS techniques (and at that point, if you can detect a pattern in the DDoS, getting in touch with the provider and blocking these traffic patterns will help in a pretty good portion of cases!). The hardware investment, unless you want to start doing DNS round-robin load balancing and having backend webservers in multiple datacenters with a replicated database also in multiple locations, is negligible.

So, a good relationship with the upstream provider helps. Many times in the past, for me, it was a matter of calling the datacenter, giving them a list of IP ranges, or a range of UDP ports, or whatever pattern could be detected in the DDoS, and ask them to temporarily block traffic upstream. Most of the time that immediately brought the customers' site back online.



edit: Aware of letsencrypt, but haven't played with it yet. Good initiative. A cursory RTFM seems to indicate the official client requires root to run, which I would say is an unacceptable thing on a production server (for the purpose of generating/updating SSL certs). There seems to be a -nosudo variant around on GitHub; anyway, I would recommend not running it as root on the production machine.
« Last Edit: March 12, 2016, 03:14:34 pm by karnal »
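The per-source new-connection limit described in the post above, simulated over a constructed SYN log. This is an added illustration, not code from the post or from any firewall product; the policy values (5 new connections per source within any 10-second sliding window) and the three sample hosts are assumptions made for the example. The same rule is what a packet filter enforces in one line, this just makes the accept/drop behaviour visible for a normal client, a flooder and a client that bursts exactly to the limit.

```python
"""Per-source new-connection rate limiting, simulated over a constructed SYN log.

Added example for the firewall rate-limiting step; not code from the forum
post. The limit (MAX_NEW per WINDOW seconds) is an assumed policy value.
"""
from collections import deque

MAX_NEW = 5      # assumed: new connections allowed per source per window
WINDOW = 10.0    # assumed: sliding window length in seconds


def filter_new_connections(events, max_new=MAX_NEW, window=WINDOW):
    """Apply the per-source limit to (timestamp, src_ip) SYN events.

    Events must be sorted by timestamp. Returns a list of
    (timestamp, src_ip, decision) with decision 'accept' or 'drop'.
    Only accepted connections consume budget, so a flooding host keeps
    getting at most max_new accepts per window, while a quiet host is
    never affected by someone else's flood (state is per source).
    """
    recent = {}          # src_ip -> deque of accepted timestamps in window
    decisions = []
    for ts, src in events:
        window_hits = recent.setdefault(src, deque())
        # expire accepted connections that fell out of the sliding window
        while window_hits and ts - window_hits[0] >= window:
            window_hits.popleft()
        if len(window_hits) < max_new:
            window_hits.append(ts)
            decisions.append((ts, src, "accept"))
        else:
            decisions.append((ts, src, "drop"))
    return decisions


def summarize(decisions):
    """Count accepts and drops per source: {src_ip: (accepted, dropped)}."""
    counts = {}
    for _, src, decision in decisions:
        acc, drop = counts.get(src, (0, 0))
        if decision == "accept":
            acc += 1
        else:
            drop += 1
        counts[src] = (acc, drop)
    return counts


# Constructed sample traffic (documentation-range addresses, invented timings):
#  - 203.0.113.10 browses normally: one new connection every 3 s
#  - 198.51.100.7 floods: 20 SYNs within two seconds
#  - 192.0.2.44 bursts exactly to the limit, then returns after the window
SAMPLE_SYNS = sorted(
    [(3.0 * i, "203.0.113.10") for i in range(6)]
    + [(5.0 + 0.1 * i, "198.51.100.7") for i in range(20)]
    + [(8.0 + 0.1 * i, "192.0.2.44") for i in range(5)]
    + [(20.0, "192.0.2.44")]
)

if __name__ == "__main__":
    summary = summarize(filter_new_connections(SAMPLE_SYNS))
    for src, (acc, drop) in sorted(summary.items()):
        print(f"{src:15} accepted={acc:2} dropped={drop:2}")
```

Running it shows the normal client and the bursting client fully accepted and the flooder cut to 5 accepts with 15 drops. On a Linux box the same policy is a single rule (for iptables, matching `-m conntrack --ctstate NEW` with `-m hashlimit --hashlimit-mode srcip --hashlimit-above ...` and dropping the excess), and the SYN-cookie step mentioned in the post is the sysctl `net.ipv4.tcp_syncookies = 1`.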

Offline bitsapphire

We're going to change the certificate provider. Totally agree with you @karnal . Just so you know why we didn't change it so far:
- Other SSL providers made the mobile app randomly drop the connection (still don't know why)
- We had 2 ddos attacks in the past, since we have Cloudflare that hasn't happened anymore.

We're currently testing "Let's Encrypt" because they are the only ones we know that won't sell user data. We still need a ddos solution, if anybody has any idea, we're open to hearing it.
Register and get your personal Moonstone Wallet Beta here: https://moonstone.io/login-register.html

Offline xeroc

I can't do anything about it. This domain is under bitsapphire's control.

Offline karnal

Eerily timely.. http://betanews.com/2016/02/27/tor-dark-web-surveillance/

And yes @cass, Piwik is the good stuff. We should use it here. Nothing but good things to say about it, other than still not supporting PostgreSQL.

And on a more general note, very happy to see the positive impact the thread appears to have had. Thanks @xeroc for trying to contact the right people. Thanks to everyone for participating.

Offline cass

█║▌║║█  - - -  The quieter you become, the more you are able to hear  - - -  █║▌║║█

Offline btstip

Hey Tuck Fheman, here are the results of your tips...
  • karnal: has been credited 1 GREATIDEA
  • karnal: has been credited 5 PERCENT
Curious about ShareBits? Visit us at http://sharebits.io and start tipping BTS on https://bitsharestalk.org/ today!
Created by hybridd

Offline Tuck Fheman

#sharebits "karnal" 1 GREATIDEA
#sharebits "karnal" 5 PERCENT
Lucksacks.com - The Largest Cryptocurrency Freeroll Poker Site in the World!

Offline xeroc

Paging @taulant @bitsapphire

Offline dannotestein

http://blocktrades.us Fast/Safe/High-Liquidity Crypto Coin Converter

Offline cass

█║▌║║█  - - -  The quieter you become, the more you are able to hear  - - -  █║▌║║█

Offline karnal

Dear forum admins,

I've brought this up before, many months ago. Cloudflare's quest to eradicate privacy and anonymity online has taken on a whole new level since.

Most users here don't realize there is a company in the middle (Cloudflare) who is scooping all you write, including private messages, since when you connect over TLS to bitsharestalk.org, it's actually to Cloudflare that you're connecting. They own the private key to the certificate and can therefore read everything you do here (including snatching your password and any and all PMs you send).

At the very least I hope that from Cloudflare to the bitshares forum webserver, the connection is TLS-secured, or all your passwords and PMs are transiting parts of the internet in cleartext.

Anyway, this is really mostly an issue for people who use Tor and VPNs, because in their infinite wisdom, Cloudflare has declared that every Tor/VPN user is a criminal or a proto criminal and therefore has to be subjected to endless harassment to be able to read content online.

As someone who browses the internet exclusively through Tor, let me tell you, it is disconcerting how many websites out there use this company's service, possibly without realizing that they are endangering all of their users' privacy (give all your site data to a US-owned company, great idea these days!!! straight to the NSA..). The situation is becoming a bit like Google Analytics being ever-present, so Google has a pretty good view of what a large chunk of the internet does.

This forum is no exception;

  // Google Analytics bootstrap as served by the forum: loads analytics.js
  // and reports a pageview to property UA-46762057-4
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-46762057-4', 'auto');
  ga('send', 'pageview');

But I digress (and it's easy to opt out of this pervasive tracking with extensions such as ghostery and/or RequestPolicy).


Anyhow,
May I give you a very abridged version of the events over the last year or so, from a day-to-day Tor user (and there are more than a few around here):



Rather than straight loading the forum as would happen on an uncensored connection, Tor and VPN users are subjected to extra checks.

In the beginning, it was possible to solve their captchas with javascript off. It was an annoyance, to be sure, but because I'm involved with this community, I endured the pain. Most other sites, though? Can't count how many articles I haven't read because I couldn't be bothered typing yet another captcha.

Things moved on. At some point, the captchas became plain and simply impossible for humans to solve with javascript turned off. And Cloudflare knew that, of course. It was by design, I suspect. So now we had to turn javascript on in order to have a chance of solving the captcha, and of course, the captcha is served from Google, so now we are being forced to talk to Google's servers too.

It stayed there for a while, but I guess the endless abuse from pedophiles and terrorists continued, so they upped their game; now it's gone up to a stage where (I'm serious) there is a matrix of squares, and solving the captcha consists of selecting "all images with pool tables", "all images with pool chairs", "all images with sweets", "all images with bodies of water" (this one is particularly funny: for some fucked up reason, when you click a square with a body of water, it'll neatly disappear and reappear, at which point you have to select it again if it's another body of water; sometimes this goes on for 3-6 times in a row).

But once isn't enough, apparently the terrorists have been developing very efficient software to automatically solve the captchas, because you'll be blasted with 2, 3, 4, 5 rounds of these retarded questions, until His Cloudflarianess deems you are worthy of visiting the website (5 minutes later).

And because you might've turned into a pedophile bot since the last captcha, it'll also regularly re-prompt you to solve them as you browse the same website, in the same session.

Oh, and Javascript HAS TO be turned ON. This time they didn't even bother pretending to accommodate: no javascript = images can't be clicked = captcha can't be solved = no website for you!



I used to visit this forum several times a day during work breaks and what not. Now I'm lucky if I come once every 3 days. Sorting flowers and pool tables, I have better use for my time.


So please, one more time, disable this horrible thing from the forum, the user experience is beyond reproachable and also in terms of privacy and freedom, it's a pretty bad move to use them.

Thank you.
« Last Edit: February 28, 2016, 11:53:09 am by karnal »
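A check for the claim in the post above that a TLS connection to the forum actually terminates at Cloudflare's edge rather than at the forum's own server. This is an added example, not code from the post or from Cloudflare; it looks only at what a client can observe (response headers and the leaf certificate in the shape returned by Python's ssl.SSLSocket.getpeercert()). The signals it uses are the CF-RAY header, a Server header starting with "cloudflare", a __cf* cookie, and a certificate carrying a cloudflaressl.com shared name, which is the naming Cloudflare's shared certificates used at the time; all four sample inputs are constructed, and the check cannot tell you anything about the separate Cloudflare-to-origin hop.

```python
"""Is the TLS endpoint Cloudflare's edge or the site's own server?

Added example for the post above; not Cloudflare's or the forum's code.
Inputs are constructed: a raw HTTP response head and a certificate dict in
the format ssl.SSLSocket.getpeercert() returns. Each signal is a heuristic;
the certificate one is the decisive one, since whoever holds that key
reads the plaintext.
"""

# Constructed response head modelled on a Cloudflare-fronted site
# (header names are real, values are invented).
SAMPLE_CF_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 28 Feb 2016 11:53:09 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Server: cloudflare-nginx\r\n"
    "CF-RAY: 27a1b2c3d4e5f678-AMS\r\n"
    "Set-Cookie: __cfduid=d1f0c3b2a5e4f6a7b8c9d0e1f2a3b4c5d1456660389; "
    "path=/; HttpOnly\r\n"
    "\r\n"
)

# Constructed certificate in getpeercert() shape: a shared edge certificate
# whose subject name is a cloudflaressl.com host, with the real site only
# present as a SAN entry.
SAMPLE_CF_CERT = {
    "subject": ((("organizationalUnitName", "Domain Control Validated"),),
                (("commonName", "sni12345.cloudflaressl.com"),)),
    "issuer": ((("organizationName", "COMODO CA Limited"),),
               (("commonName", "COMODO ECC Domain Validation Secure Server CA 2"),)),
    "subjectAltName": (("DNS", "sni12345.cloudflaressl.com"),
                       ("DNS", "*.forum.example"),
                       ("DNS", "forum.example")),
}

# Constructed control case: a site serving its own certificate directly.
SAMPLE_DIRECT_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.8.1\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
SAMPLE_DIRECT_CERT = {
    "subject": ((("commonName", "forum.example"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X1"),)),
    "subjectAltName": (("DNS", "forum.example"),),
}


def parse_headers(head):
    """Parse a raw HTTP/1.x response head into {lowercase-name: [values]}."""
    headers = {}
    for line in head.split("\r\n")[1:]:
        if not line:              # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cert_names(cert):
    """All DNS names a getpeercert()-style dict claims (CN plus SAN), lowercased."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    return names


def cloudflare_indicators(headers, cert):
    """Return the independent signals that the TLS session ends at Cloudflare."""
    found = []
    if "cf-ray" in headers:
        found.append("cf-ray header")
    for value in headers.get("server", []):
        if value.lower().startswith("cloudflare"):
            found.append("server header: " + value)
    if any(v.startswith("__cf") for v in headers.get("set-cookie", [])):
        found.append("__cf* cookie")
    if any(n.endswith(".cloudflaressl.com") for n in cert_names(cert)):
        found.append("certificate carries a cloudflaressl.com shared name")
    return found


def is_cloudflare_terminated(head, cert):
    """True if any signal says Cloudflare, not the site, holds the TLS key."""
    return bool(cloudflare_indicators(parse_headers(head), cert))


if __name__ == "__main__":
    for label, head, cert in (("fronted", SAMPLE_CF_HEAD, SAMPLE_CF_CERT),
                              ("direct", SAMPLE_DIRECT_HEAD, SAMPLE_DIRECT_CERT)):
        print(label, cloudflare_indicators(parse_headers(head), cert))
```

In real use, feed it the head of an actual HTTPS response and the dict from getpeercert() on the same connection. A positive result means the password and PMs the post talks about are decrypted at the edge; whether the edge-to-origin hop is then re-encrypted is not visible from the client side at all.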