deCloudflare/PEOPLE.md



- The FFN RSS/Atom feeds seem to be hidden behind Cloudflare CAPTCHA. This makes it ... rather impossible ... for my RSS feed reader to read the feeds. Can you exclude the /atom/ URLs? ([bob_vul](https://twitter.com/Bob_Vul/status/1372326154154110978))
- Today the CloudFlare gods have smiled upon me, and decided that every website I have to complete a captcha. Wouldn't be as bad if hCaptcha had any quality control. Say what you want about Google, but reCaptch at least worked. Isn't having gatekeepers to the internet great? ([jamescun](https://twitter.com/jamescun/status/1371918897839017991))
- Oh, that's changed. You used to be able to paste in the URL from any codepen editor page, but now Cloudflare gets in the way. Curiously, my Safari just hit the same Cloudflare page, but let me through after the CAPTCHA - never had that before (and I tried Safari before Flow). ([_piers_](https://twitter.com/_Piers_/status/1371492006258688000))
- Hi guys, could you please contact me as i have been receiving alot of cloudflare captcha’s and it is preventing me from using streamlabs obs and playing pc games. It is really annoying given i am paying a hefty sum for an issue like this. Please contact me. ([danialku](https://twitter.com/danialku/status/1370790115908317187))
- hey guys, i have an issue where whenever i log into streamlabs obs i get a pop out from cloudflare. after completing the captcha and logging in, i got signed out almost immediately. i redownloaded and the issue is still present, however when i use vpn, i could log in. ([danialku](https://twitter.com/danialku/status/1370756451455565827))
- At some point I have actually attempted to put a fair amount of my own efforts into studying this sort of thing, and often I found that the choice of implementation CAPTCHA systems -- where often used in practice -- was largely avoidable but not completely. ([_rvklein_](https://twitter.com/_rvklein_/status/1370642884572106752))
- Eyesight is a problem with captcha. Even wearing glasses, I usually take a few goes. ([rmf719630](https://twitter.com/rmf719630/status/1369981269552037890))
- Failed captcha 4 times in a row. Now blocked from logging in. wtaf ([alanb](https://twitter.com/alanb/status/1369247947716767749))
- I love that ditched Google Captcha because: data and privacy things... And I hate that ditched Google Captcha because: their alternative it horrible, annoying and probably the worst they ever did to the internet! ([nloenne](https://twitter.com/nloenne/status/1366142509232099333))
- fuck you for suspicious internet, fuck you for the captcha. ([selvicekun](https://twitter.com/selvicekun/status/1365274076940394500))
- De hecho es como te proteges en cloudflare, prohibes visitas de ciertos países (normalmente rusia y china pero depende de donde llegue el ataque), y pones captcha para otros. También puedes hacer throttling. Tendría que ver más el detalle. ([ddshore](https://twitter.com/ddshore/status/1365000938205765639))
- De hecho es como te proteges en cloudflare, prohibes visitas de ciertos países (normalmente rusia y china pero depende de donde llegue el ataque), y pones captcha para otros. También puedes hacer throttling. Digo, la verdad estoy hablando sin saber porque no he visto el sitio. ([ddshore](https://twitter.com/ddshore/status/1365000438433554432))
- Hello, I can't add my newly registered domain and the error message is: "This web property is temporarily restricted from being added to Cloudflare at this time." Can you help me? ([fatihguner](https://twitter.com/fatihguner/status/1372886809341005834))
- The error message is stupid. Cloudflare is on high alert, a majority of the users can't touch the site. ([silvea12](https://twitter.com/Silvea12/status/1372625689417945088))
- Else an SSL Handshake Failure or Error 525 will haunt you 😅 ([sach_8in](https://twitter.com/Sach_8in/status/1372562414646951939))
- Hey I am getting a 520 cloudflare error on your website. Are you undergoing maintenance or something? ([robinhyll](https://twitter.com/robinhyll/status/1372548633371967491))
- 403 error from Cloudflare when trying to buy shopping on your app (android)... Can you get your tech guys to take a look? ([gardnose](https://twitter.com/gardnose/status/1372452712890126337))
- Getting a cloudflare error when trying to access your site. Can you confirm there are tech issues and if so, is someone working on it? ([carambasson](https://twitter.com/Carambasson/status/1372300397583405056))
- I saw the classic Cloudflare error page. I was like what's going on. 👀 Happy that PH is back. ❤️ ([thisissubhendu](https://twitter.com/ThisIsSubhendu/status/1372084189437161472))
- Doesn't work from RU: Error 1020 Cloudflare Ray ID: 630fe3f3dac58498 • 2021-03-16 18:02:04 UTC Access denied ([dderss](https://twitter.com/DDERSS/status/1371885117858320394))
- Something up with your carpark booking site? Login takes a couple minutes to process. Forgot password spits out a CloudFlare error. And when I managed to login and get to the details page for parking I see an error under the form. It's impossible to book. ([acoopernz](https://twitter.com/ACooperNZ/status/1371628930650664962))
- I'm a user: Getting a 502 bad gateway error from your host trying to get my list sent to - rayid 62fffd13a29d9d89 so you can troubleshoot ([docsmooth](https://twitter.com/docsmooth/status/1371185775304380421))
- hey guys, I can’t visit your website. I keep getting an error 1020 access denied notification with “This website is using a security service to protect itself from online attacks” and something about cloudflare. :’( ([falleri](https://twitter.com/falleri/status/1371041706724970502))
- I think Cloudflare is great but its MITM approach is not very privacy-friendly, there are more privacy-friendly ways (for us) to provide security and reliability to our customers and users. We're probably a special case since we're very privacy-focused and a bit overzealous. ([ardewes](https://twitter.com/ardewes/status/1372149329092345858))
- I started using Cloudflare in 2015 because they offered free TLS certificates (back then a simple cert cost 100's of € per year), but obviated that need. Also, privacy is our main concern at so using a MITM service like became inacceptable. ([ardewes](https://twitter.com/ardewes/status/1372130942047895555))
- Using decentralized compute (ex Workers) to generate nonce can reduce compute times as cost. Nonce can be cached by SW. It is still unguessable for an attacker. A MITM attack could defeat this so hash based still useful. Or SW could rewrite CSP header at each load ? ([denistruffaut](https://twitter.com/DenisTRUFFAUT/status/1371704256311521281))
- could always play true MITM with encrypted brower to proxy. and encrypted traffic to fast. But able to manipulate bytes in the middle as they please. I can't tell for sure if it's CloudFlare, but just based on cookies prefixed with cf. that's my guess. ([wlaurance](https://twitter.com/wlaurance/status/1368705326623694850))
- Its amazing how E2E ssl adds the remote IP in the HTTP headers. Thats not how E2E works, this is called hop-by-hop. Interesting they are also CA and DNS over HTTPS provider. What a nice position to build a MiTM for any website... and I mean.. ANY website. ([idafanatic](https://twitter.com/idafanatic/status/1353102502279979016))
- Cool, yeah I’d like to avoid using their SSL certificates, just for the sake of removing one central point of failure and potential mitm attack 😁 ([eordano](https://twitter.com/eordano/status/1350982516535140355))
- Why using cloudflare on this website ? 😭 It blocks tor users and acts as a giant MitM 😟 ([eban_non](https://twitter.com/eban_non/status/1342970517486231555))
- HTTPS scan: should you enable it? What does CKTN has to say?! - Never enable HTTPS scans unless you need to (e.g. for ad-blocking) - Intercepting into HTTPS is basically a MITM like sing Cloudflare which gives them full control and in-sights into everything ([ckstechnews](https://twitter.com/CKsTechNews/status/1336487238012727296))
- Depending on what you are doing it might be worth checking out as they offer SSL but will be a MITM, which is fine for many applications. Free also. ([rharpur](https://twitter.com/rharpur/status/1325552682241765378))
- It's extreme, but the threat vector isn't "MITM breaking TLS" - it's a misconfigured device that handles your TLS. For example, when Cloudflare or AWS ALB manage your certs, they can see everything unencrypted and in theory could leak data (like what happened to Cloudflare). ([e1g](https://twitter.com/e1g/status/1323310230181171201))
- Da war ein zomg breiter lauter hamster macbook air i nzzki. That means cloudflare your mitm cdn when trying ([macmelonmac](https://twitter.com/MacMelonMac/status/1315463711293943808))

- uhm... That's not cloudflare's fault. You should read up on what a Cloudflare 522 error is. ([butwhyt68749305](https://twitter.com/butwhyt68749305/status/1372957365759213568))
-												PEOPLE.md

											
										
										
											2021-03-19 00:56:11 +00:00
-												PEOPLE.md

											
										
										
											2021-03-19 16:21:37 +00:00
+								- The FFN RSS/Atom feeds seem to be hidden behind Cloudflare CAPTCHA. This makes it ... rather impossible ... for my RSS feed reader to read the feeds. Can you exclude the /atom/ URLs? ([bob_vul](https://twitter.com/Bob_Vul/status/1372326154154110978))
-												PEOPLE.md

											
										
										
											2021-03-19 07:39:11 +00:00
+								- Today the CloudFlare gods have smiled upon me, and decided that every website I have to complete a captcha. Wouldn't be as bad if hCaptcha had any quality control. Say what you want about Google, but reCaptch at least worked. Isn't having gatekeepers to the internet great? ([jamescun](https://twitter.com/jamescun/status/1371918897839017991))
 								- Oh, that's changed. You used to be able to paste in the URL from any codepen editor page, but now Cloudflare gets in the way. Curiously, my Safari just hit the same Cloudflare page, but let me through after the CAPTCHA - never had that before (and I tried Safari before Flow). ([_piers_](https://twitter.com/_Piers_/status/1371492006258688000))
-												PEOPLE.md

											
										
										
											2021-03-19 05:20:48 +00:00
+								- Hi guys, could you please contact me as i have been receiving alot of cloudflare captcha’s and it is preventing me from using streamlabs obs and playing pc games. It is really annoying given i am paying a hefty sum for an issue like this. Please contact me. ([danialku](https://twitter.com/danialku/status/1370790115908317187))
 								- hey guys, i have an issue where whenever i log into streamlabs obs i get a pop out from cloudflare. after completing the captcha and logging in, i got signed out almost immediately. i redownloaded and the issue is still present, however when i use vpn, i could log in. ([danialku](https://twitter.com/danialku/status/1370756451455565827))
 								- At some point I have actually attempted to put a fair amount of my own efforts into studying this sort of thing, and often I found that the choice of implementation CAPTCHA systems -- where often used in practice -- was largely avoidable but not completely. ([_rvklein_](https://twitter.com/_rvklein_/status/1370642884572106752))
 								- Eyesight is a problem with captcha. Even wearing glasses, I usually take a few goes. ([rmf719630](https://twitter.com/rmf719630/status/1369981269552037890))
 								- Failed captcha 4 times in a row. Now blocked from logging in. wtaf ([alanb](https://twitter.com/alanb/status/1369247947716767749))
 								- I love that ditched Google Captcha because: data and privacy things... And I hate that ditched Google Captcha because: their alternative it horrible, annoying and probably the worst they ever did to the internet! ([nloenne](https://twitter.com/nloenne/status/1366142509232099333))
 								- fuck you for suspicious internet, fuck you for the captcha. ([selvicekun](https://twitter.com/selvicekun/status/1365274076940394500))
 								- De hecho es como te proteges en cloudflare, prohibes visitas de ciertos países (normalmente rusia y china pero depende de donde llegue el ataque), y pones captcha para otros. También puedes hacer throttling. Tendría que ver más el detalle. ([ddshore](https://twitter.com/ddshore/status/1365000938205765639))
 								- De hecho es como te proteges en cloudflare, prohibes visitas de ciertos países (normalmente rusia y china pero depende de donde llegue el ataque), y pones captcha para otros. También puedes hacer throttling. Digo, la verdad estoy hablando sin saber porque no he visto el sitio. ([ddshore](https://twitter.com/ddshore/status/1365000438433554432))
-												PEOPLE.md

											
										
										
											2021-03-19 16:21:37 +00:00
+								- Hello, I can't add my newly registered domain and the error message is: "This web property is temporarily restricted from being added to Cloudflare at this time." Can you help me? ([fatihguner](https://twitter.com/fatihguner/status/1372886809341005834))
 								- The error message is stupid. Cloudflare is on high alert, a majority of the users can't touch the site. ([silvea12](https://twitter.com/Silvea12/status/1372625689417945088))
 								- Else an SSL Handshake Failure or Error 525 will haunt you 😅 ([sach_8in](https://twitter.com/Sach_8in/status/1372562414646951939))
 								- Hey I am getting a 520 cloudflare error on your website. Are you undergoing maintenance or something? ([robinhyll](https://twitter.com/robinhyll/status/1372548633371967491))
-												PEOPLE.md

											
										
										
											2021-03-19 05:20:48 +00:00
+								- 403 error from Cloudflare when trying to buy shopping on your app (android)... Can you get your tech guys to take a look? ([gardnose](https://twitter.com/gardnose/status/1372452712890126337))
 								- Getting a cloudflare error when trying to access your site. Can you confirm there are tech issues and if so, is someone working on it? ([carambasson](https://twitter.com/Carambasson/status/1372300397583405056))
 								- I saw the classic Cloudflare error page. I was like what's going on. 👀 Happy that PH is back. ❤️ ([thisissubhendu](https://twitter.com/ThisIsSubhendu/status/1372084189437161472))
 								- Doesn't work from RU: Error 1020 Cloudflare Ray ID: 630fe3f3dac58498 • 2021-03-16 18:02:04 UTC Access denied ([dderss](https://twitter.com/DDERSS/status/1371885117858320394))
 								- Something up with your carpark booking site? Login takes a couple minutes to process. Forgot password spits out a CloudFlare error. And when I managed to login and get to the details page for parking I see an error under the form. It's impossible to book. ([acoopernz](https://twitter.com/ACooperNZ/status/1371628930650664962))
 								- I'm a user: Getting a 502 bad gateway error from your host trying to get my list sent to - rayid 62fffd13a29d9d89 so you can troubleshoot ([docsmooth](https://twitter.com/docsmooth/status/1371185775304380421))
 								- hey guys, I can’t visit your website. I keep getting an error 1020 access denied notification with “This website is using a security service to protect itself from online attacks” and something about cloudflare. :’( ([falleri](https://twitter.com/falleri/status/1371041706724970502))
-												PEOPLE.md

											
										
										
											2021-03-19 16:21:37 +00:00
+								- I think Cloudflare is great but its MITM approach is not very privacy-friendly, there are more privacy-friendly ways (for us) to provide security and reliability to our customers and users. We're probably a special case since we're very privacy-focused and a bit overzealous. ([ardewes](https://twitter.com/ardewes/status/1372149329092345858))
 								- I started using Cloudflare in 2015 because they offered free TLS certificates (back then a simple cert cost 100's of € per year), but obviated that need. Also, privacy is our main concern at so using a MITM service like became inacceptable. ([ardewes](https://twitter.com/ardewes/status/1372130942047895555))
-												PEOPLE.md

											
										
										
											2021-03-19 05:20:48 +00:00
+								- Using decentralized compute (ex Workers) to generate nonce can reduce compute times as cost. Nonce can be cached by SW. It is still unguessable for an attacker. A MITM attack could defeat this so hash based still useful. Or SW could rewrite CSP header at each load ? ([denistruffaut](https://twitter.com/DenisTRUFFAUT/status/1371704256311521281))
 								- could always play true MITM with encrypted brower to proxy. and encrypted traffic to fast. But able to manipulate bytes in the middle as they please. I can't tell for sure if it's CloudFlare, but just based on cookies prefixed with cf. that's my guess. ([wlaurance](https://twitter.com/wlaurance/status/1368705326623694850))
 								- Its amazing how E2E ssl adds the remote IP in the HTTP headers. Thats not how E2E works, this is called hop-by-hop. Interesting they are also CA and DNS over HTTPS provider. What a nice position to build a MiTM for any website... and I mean.. ANY website. ([idafanatic](https://twitter.com/idafanatic/status/1353102502279979016))
 								- Cool, yeah I’d like to avoid using their SSL certificates, just for the sake of removing one central point of failure and potential mitm attack 😁 ([eordano](https://twitter.com/eordano/status/1350982516535140355))
-												PEOPLE.md

											
										
										
											2021-03-19 00:56:11 +00:00
+								- Why using cloudflare on this website ? 😭 It blocks tor users and acts as a giant MitM 😟 ([eban_non](https://twitter.com/eban_non/status/1342970517486231555))
 								- HTTPS scan: should you enable it? What does CKTN has to say?! - Never enable HTTPS scans unless you need to (e.g. for ad-blocking) - Intercepting into HTTPS is basically a MITM like sing Cloudflare which gives them full control and in-sights into everything ([ckstechnews](https://twitter.com/CKsTechNews/status/1336487238012727296))
 								- Depending on what you are doing it might be worth checking out as they offer SSL but will be a MITM, which is fine for many applications. Free also. ([rharpur](https://twitter.com/rharpur/status/1325552682241765378))
 								- It's extreme, but the threat vector isn't "MITM breaking TLS" - it's a misconfigured device that handles your TLS. For example, when Cloudflare or AWS ALB manage your certs, they can see everything unencrypted and in theory could leak data (like what happened to Cloudflare). ([e1g](https://twitter.com/e1g/status/1323310230181171201))
-												PEOPLE.md

											
										
										
											2021-03-19 17:43:52 +00:00
+								- Da war ein zomg breiter lauter hamster macbook air i nzzki. That means cloudflare your mitm cdn when trying ([macmelonmac](https://twitter.com/MacMelonMac/status/1315463711293943808))
 								- uhm... That's not cloudflare's fault. You should read up on what a Cloudflare 522 error is. ([butwhyt68749305](https://twitter.com/butwhyt68749305/status/1372957365759213568))