Also... It's nginx.com, owned by F5. Am I the only one who thinks it's a little weird, borderline embarrassing, that they're not fronting traffic themselves? "We make the best load bouncers and web server. That's why we ... Outsourced our ingress to another company that doesn't use our load balancers and which only uses our web server as part of their stack. Let the experts deal with heavy traffic, y'know?"
Are you using Safari by any chance? I used to get a lot of these on Safari, but the issue is almost gone on Firefox. I think it's connected to how Safari handles cookies.
Cloudflare uses a heuristic trust model where it pulls multiple trust signals from the client. It can use several things (including stable IP address, cookies, and I think even a bit of JavaScript grabbing a nonce from local storage).
If you run with a lot of "identity fuzzers" (browsing through Tor, JavaScript off, cookies banned), Cloudflare can't build its trust heuristics and needs to challenge-response more often. I suspect there's overlap between HN readers and use of those sorts of tools, so I think there is a disproportionate number of people around here who run into this issue (whereas most "regular" folk almost never see a Cloudflare challenge / response).
I always encounter a "random" stop-and-solve-me-a-visual-puzzle when visiting an Australian forum related to SOHO networking equipment. According to the description on the challenge page, "completing the CAPTCHA proves you are a human and gives you temporary access to the web property". Thank you, Cf, I guess?
(To be fair, consecutive requests don't get this treatment, just the one in which I jump there from e.g. a search result.)
More importantly: no server is obligated to vend data until it falls over and dies, depriving all users of access to that data if it isn't mirrored.
I think Cloudflare has honestly done an admirable job of coming up with a novel solution to the problem of load balancing and traffic-shedding in a world with a small-but-persistent percentage of hostile actors.
What's the alternative? Abusive traffic is the norm rather than an exception. This gets into the same argument when people say they don't need a CDN; it's a relic from when bad actors were rare.
If all I'm doing is requesting an HTML page, why do they have to send me a CAPTCHA? I understand that my request is coming from an IP belonging to a VPN and maybe someone used the same IP nefariously, but I doubt they requested the same page I have.
You can knock over a server with malicious requests of static content. In fact, what you are describing (requesting different pages) is the first step to trying to defeat a firewall rule that would protect against that attack.
This is the era after the invention of Low Orbit Ion Cannon. Attacks that would previously have been technically sophisticated can now be done with a few GitHub downloads and either many volunteers or many compromised machines.
Interesting. The only other thing that immediately comes to mind is that the web site owner may have blocked the entire country (https://support.cloudflare.com/hc/en-us/articles/200170136-U...). This would be easiest to verify by seeing if other people with similar phone configuration standing next to you get the same experience.