Topic: Moving to Cloudflare (Read 13572 times)

This topic is inactive for almost a year now, sorry to necrobump it 

Just in case theymos missed the following message:

Trusting 2 third parties is always worse for privacy than trusting just one.

Cloudflare regularly posts reports on DDOS attacks, the latest for Q1 of this year https://blog.cloudflare.com/ddos-threat-report-2023-q1/  but if it comes to protecting your personal data, then no matter what hosting you use, you risk trusting it to a third party anyway.

As problematic as a solution like Cloudflare is, it's still probably the only serious option, even today. Anything else is a constant cat-and-mouse game. I've done a bit of fail2ban work to make my own anti-DDOS or psuedo-WAF and such, but any site under the threat of an arbitrary DDOS attack really only has Cloudflare (or other, worse options like Akamai, cloud, etc).

Not really. I don't know of any better solution which wouldn't require a lot of manual work to keep it working.

Cloudflare actually isn't even very good at identifying bad traffic or delivering on several of its claimed features, but it offers two extremely valuable tools:
 1. It completely blocks even massive IP/UDP/TCP flooding without any thought on the end-user's part. My custom DDoS protection was also able to block these attacks, but it required a significant amount of sysadmin work.
 2. My custom protection failed against layer-7 attacks from 100k+ IPs. To handle these attacks, there needs to be some sort of proof-of-work/CAPTCHA challenge before the application starts making database queries and such. These challenges must exist on servers which will automatically scale to handle any number of requests, as needed. The challenge servers must have the HTTPS key in order to function. It would definitely be possible to do this without something like Cloudflare, and I've posted a general description of how it could be done, but both the coding and sysadmin work are more than I want to deal with.

Cost is a consideration, but not the primary one: I'd consider paying 10-30x more than Cloudflare's $250/mo, if this came with significant improvements. But as far as I know, you don't actually get much more by paying an "enterprise" DDoS protection company $5000/mo than you do by paying Cloudflare $250/mo, and in fact you often seem to get less.

I meant cheaper and easier to set up than the alternatives which existed in 2017. I don't think it's unlikely that the space has evolved since then and better alternatives exist today. (either entirely new ones or the ones theymos tried back when he wrote the original post, have evolved and fixed the issues he had during setup etc.)

I don't think price is the biggest issue for Bitcointalk, judging by the generous donations that have been made way back and HODL'ed so far.

These three features are hard to co-exist in one tool usually.

Has anything changed on the topic of DDoS protection? Maybe new, better options? Cheaper, easier to set up?
I remember a while back when Cloudflare was having issues, what felt like half of the internet was inaccessible for a period of time.

Regardless of conspiracy theories about who is behind this company, for the sake of the stability, reliability and decentralization of the internet, I believe that Cloudflare usage should be reduced if possible. It's just such a big single point of failure.

See theymos' post:
Just PM theymos, he can fix this.

There are 2 lines in your code that trigger it:
For both lines, I've isolated the problem to a smaller code (in bold) by removing code that doesn't trigger it. I used Teletype-tags on 1 character to be able to post this.

I tried to post my Code and received a "Sorry you have been blocked" error message from Cloudflare saying that I was blocked, possibly for posting a SQL command, certain word, or malformed command.

I guess code can no longer be posted here?

Dear admin, cloud protection from CloudFlare is a bad idea. And yes, the CloudFlare is cooperating. CloudFlare falls with jsbypass very easily.
You need an individual cluster, it will disperse the attack and thus ddos will not be felt. Write to me in PM, we have a big team is engaged in this just.

And consider the important point: your real ip should not fall into the wrong hands. Many ill-wishers will be recognized through mail (password recovery) or through a sniffer.

And in general, there is an expert on attacks, his name is Agata, he has been dealing with attacks for a long time, everybody knows him.
https://forum.zloy.bz/showthread.php?t=130510

Its already fixed. Sir theymos said it just killed the connection when Cloudfare's strict TLS enforcement was enabled, that caused the downtime earlier.
Check here https://bitcointalksearch.org/topic/tls-error-3279125

the cloudflare stopped for a long time. I'm a little worried   . the good thing is that it has already activated again 

Same here, I checked out this thread having thoughts that it was a server down again. But there's no too much update, I thought newbies will flood the Meta section with earlier problem of the Forum but it seems like they are behave this time. Seeing "Error 526" in my browser gave me a little nervous and a bit happiness. A little bit happiness because I saw my own number in the error which is "526".
By the way Teacher, I'm going out to make a snow man for a while. I'll be back in the chemistry class. 

Came here to see if such was the case and if so would you admit it. Class! Now go back outside and play in the snow. 

lol, right on

thanks for owning it, I was getting pretty jittery there

The recent downtime was my screw-up, not Cloudflare's fault.

yeah Theymos

that wasn't working out so well this afternoon

They attack you until you give in and move to Cloudflare, not much choice. Are you at least using that temporary ssl feature?
https://www.cloudflare.com/ssl/keyless-ssl/

Are you using https://origin-pull.cloudflare.com/
It helps enforce Cloudflare

Yes, you are absolutely right.  I don't know what I was thinking, the only way you could exclude from CloudFlare is with a subdomain.  Anything else would terminate SSL on their side, even if there's another SSL connection between CF and BCT.

I thought that potentially BCT's IP was known/listed somewhere since it was known by all of our DNS resolvers before CF came into the picture, but a quick Google search didn't turn up anything, so perhaps not.

I had no idea they were doing what I assume is some sort of browser fingerprinting with javascript.  That makes it even worse.  I remember reading last summer, in connection with some white supremacist website that was being shut down by hosters, CF, even the domain registrars, that CF made a claim that they provide service to some high percentage of all global web traffic.

I can't find the number now, and while I certainly am not supporting that website or that sort of hate, I also don't believe that an entity should have such a high percentage of control over internet traffic.  With very little exception, anytime there is high concentrations of power in the hands of a few, the power is abused.

Which of course 99.9% of the people reading this are well aware, considering we are on the Bitcoin Forum.


I agree with each of theymos's statements here.  The need for large sites to use one of just a few services that provide high-capacity DDoS mitigation is just another point of control.  I don't know if the "intelligence" agencies own Cloudflare or not (would not be surprised), but I'm betting they have a nice convenient backdoor regardless.

HTTPS as a centralized protocol will hopefully be obsoleted by better, decentralized ways of propagating HTML.  I look to IPFS as an interesting approach that may be part of that solution.  Also, considering that multicast in IPv6 might actually properly function instead of crap implementations from ISP to ISP, that could be a great way to save on needless duplicative packets for broadcast data (such as Bitcoin blocks, for example).

The cost that Protonmail incurs for independent DDoS mitigation is ridiculous.  It's almost a form of extortion.  Watch it turn out that these companies are behind the DDoS attacks themselves, nothing suprises me anymore as to the lengths that greedy people will go to.

---

I don't support ICOs for everything under the sun, nor are distributed ledgers code that solve all problems of humanity.  Both of these things are tools that have proper uses and, unfortunately, many attempts at applying them well beyond their competencies.  If I had a spare 10 or 50 BTC I would certainly donate it to this forum because it has taught me so much over the years and remains one of the few gems that remains free from moderation for political reasons.  Despite many complaints I've read, I believe the new merit system will make big impacts on the number of crap posts and improve the fidelity of the forum.

Personally, I would never want this forum to be closed or behind a paywall of some sort.  I believe that community communication benefits all those that pursue truth.  When it comes to information, such as the discussion that takes place on this forum, everyone should be able to openly share their views.  This is a big part of the reason that the world is increasingly being seen as the huge corrupt racket that it is, and has been for many decades, even centuries.  We just couldn't share our findings with each other easily before.  Because we can now, we've been able to build off of each others knowledge, as a collective, that can be expanded upon.  This is the power of the Internet, the ability to communicate your message to the world instantly.  Next phase, to pull that corruption down and rebuild it with better, more fair and transparent constructs.  Bitcoin being the very first of those, and arguably the most impactful as it goes straight to the core of the corruption, the banksters.

Best regards,
Ben

Thanks for the suggestions, Ben.

Unfortunately, to the best of my knowledge, all of your suggestions would require action by theymos; there’s nothing there which I could do myself, as a workaround to obtain downloads right now.  If there’s a legitimate public means to find a direct IP address, I’d appreciate being corrected here.  But I rather suspect that theymos wishes to keep his real IP addresses unknown to DDoSers; and if I could find it, so could they.


Same here.  Specifically as to Cloudflare, in addition to how they sometimes cavity-search you with Javascript while still failing to keep the site reliably available, see e.g.:

https://trac.torproject.org/24351


Cloudflare intercepts all traffic (and modifies at least HTTP response headers), as a matter of course!

My biggest complaint is that Cloudflare is a MITM attack against TLS on a substantial portion of the whole Internet.  From the user end of things, I generally boycott Cloudflared sites insofar as practical.  But I support the Bitcoin Forum, out of my respect for how theymos was honest with people when he was effectually forced behind Cloudflare by Internet arsonists:


To get a gauge on what independent, no-MITM DDoS protection can require for a(n extremely) high-profile target, I found Protonmail’s experience interesting:

https://protonmail.com/blog/ddos-protection-guide/


Though I would be concerned about the affordability of an ongoing subscription, an official .onion proxy would solve many problems.  I may even offer to help with such a project, depending on what would be required of me.  See my reply to ChipMixer upthread.

---

And congratulations, Phash2k reinvented Steem.  This sort of nonsense reminds me of one of the earliest posts to which I awarded merit.  It spoke of how DHTs...


No, the problem will not be fixed by sprinkling some magical blockchain pixie dust on it.

That would mad, the whole point of this forum is to have the public have a balanced or neutral stance in the cryptocurrency community.

Creating a token or ICO for BTCtalk is effectively the same as losing net neutrality in the CC industry.

For the downloads problem, if the downloads do not require you to be logged in, accessing the BCT server by its direct IP address and/or a DNS record that resolves to the IP should make it accessible, provided BCT hasn't blacklisted all non-CF IPs.

For the website issue, how about 2FA, that could help the situation?  As you know, anytime a CDN has your certificate, they can intercept your traffic if they choose.

You could also make a login URL that is not routed through CF.  I don't know how much hacking of SMF it would take to implement that.  Actually, cloudflare might have a way to direct certain URLs to directly point to the backend (BCT) servers.  I haven't messed with them in a while, since before they started doing their shared SSL service, so I'm not positive about this.

On the other hand, this might not address the problem that putting in a CDN was designed to prevent.  If the DDOS attacks were directed to the login URL it would then be vulnerable again.

I have an inherent distrust of infrastructure services that I don't control, which is why I try to avoid CDNs.  However, I have no website with as much traffic as BCT, so have never had to deal with that situation.

Best regards,
Ben

Quoting from another thread:


Through Tor—and this is not the first time I’ve had this problem:


I have had the same problem with PGP keys and the trust database.  Even right-clicking to save images from within a browsing session oft (inconsistently) results in a Cloudflare 403 HTML file, apparently due to some weird quirks in how Tor Browser interacts with Cloudflare’s control-freakiness.

I request a workaround or solution for this general problem.  (Note: “VPN” is a non-answer.)

How dumb can someone be?

I will not use this forum anymore because of that.

Bye

Why no bitcointalk forum coin with ICO
You earn coins by posting, and devs & sysadmins are paid with it?

Everything is creating tokens and ICOs... Even without value...
This place here is valuable!

Decentralise the Forums!

what about a solution like Protonmail using it?
https://protonmail.com/blog/ddos-protection-guide/

Radware’s technology does not require our SSL keys to operate effectively, meaning both layers of encryption that ProtonMail offers (SSL and OpenPGP) can be kept intact. Thus, there is no compromise in the privacy of our secure email service.

[Edit again:  Raize, that was the post of the thread.  I’d intended to reply before, to simply say:  Well said.]

This blocked a post.  I will try again, and edit if it’s still blocked.

Edit:  This is persistently blocking a particular post.  It is a very long post, which I spent much time writing in a text editor.  It contains a modest snippet of C code in BBcode code tags.  Other than that, I cannot imagine what trigger this is hitting.

This does happen, but it's a whole lot more rare in practice. In reality, most attacks come from thousands of compromised IPs [botnets] run by people or organizations looking to blackmail operators into paying a fee or doing something like giving up user data. It has long been rumored that these entities with blackmailing power are often state-run themselves, in order to bully providers into sharing their data with "a trusted anti-DDoS company" that the governments can force to give up plain-text info about their customers more easily. Why bother even trying to get an operative in a position to run the site when you can sniff all the data and who is writing what via an anti-DDoS provider?

Cloudflare regularly provides the US gov't data on its customers. I'm not sure I'd go so far as theymos and say they are basically CIA-run, but I do think they are forced to work with three-letter agencies all the time. If there are any people with principles that work for Cloudflare, it doesn't matter, they have to comply in order to keep their job, and I doubt they are allowed to talk about it even after they have left. Cloudflare itself might have state contracts, or do contracts for other DoD-like agencies and groups, all of which have the specific purpose of cataloging citizens for the government in clear violation of the fourth amendment and chilling the free speech guarantees of the first amendment.


For the same reason that OpenDNS sold to Cisco for a whopping $635 million. DoD contracts are phat loot and the CIA/NSA need the data routed in about who is doing what.

Well, it’s not only Cloudflare.  It’s that and/or something else:


Admins may e-mail me for details, if that would be useful.  (I doubt it; that’s all I saw.)  PM seems not so useful right now.

@theymos, this isn’t what you signed up for!  Not the downtime, and not the following—as seen through Tor.  Not changed by rotating circuits.  I can’t dump cookies, because I need to stay logged in; and once Cloudflare decided to demand from me an Internet cavity search, they locked me out of bitcointalk.org with a demand that I let them run their executable code on my machine.  I waited it out, and they eventually let me pass.


Cloudflare also repeatedly tried to Google-CAPTCHA me on their error pages.  No, thanks; I can do without seeing the holy secret errors.

This interrupted my repeated attempts to post the following.  (Anybody awaiting a reply from me elsewhere, please understand if it may be slow in coming.)

---

I’ve oftentimes wondered how Cloudflare can afford to offer “free” DDoS protection.  Their product requires serious network bandwidth, hardware, sysadmin, and engineering.  Those cost money—lots of money.

Usually, “free” products which cost big money to offer can be explained with the aphorism, “You are not the customer; you are the product.”  That raises the question, who pays?

In practice, who pays? is isomorphic to the ancient idiom:  Cui bono?

“You are the product.”  Bitcointalk.org is now a product.  For whom?  And does the customer truly wish for Bitcointalk.org to succeed?

At that, does Cloudflare itself like customers who “especially dislike Cloudflare”?  One of the great benefits of dependence on “huge centralized anti-DDoS companies” is that you can’t bite the hand which feeds you—at least, not more than that hand will deign to tolerate.  Too bad.  Even if this is only some generalized Cloudflare failure, I doubt that theymos stands at the front of their support queue.

Connectivity has sucked all day. NSA must have finally implemented their traffic analyzer      


Cloudflare is seriously flawed if your homemade DDoS protection works better than theirs.

Seemingly nothing at the moment.

I can hardly connect to bitcointalk.org and read the topics without many errors / downtime.
Another DDOS attack?
What's the difference between having cloudflare and not?

Edit : more than 3 minutes to pass this post (and i think the same time to pass this edit). Agree totally with hilarious.

Yeah, I'm not sure it even works very well because every other website that uses it seems to have a lot of downtime and cloudflare errors. There's seemingly no difference between when we had theymos' own version and it's been especially bad today. Barely been able to use the site at all, so not sure how effective the service really is if the forum is still going to be unusable.

it isn't working

How is Cloudflare thus relevant?  The purpose of the image proxy is to “improve privacy and eliminate mixed content warnings”.  (I also speculate that it might filter some evil, though that’s only an idle guess.)  It has nothing to do with DDoS protection, other than needing it.

---

On a related note, I am now working to spearhead the development of a browser add-on to block Cloudflare.  Bitcointalk.org is discussed in Issue 4.

can you (theymos) suppress the automated filtered ip.bitcointalk.org picture recreation ... if we are on cloudflare, now ?

many pictures are not recreate now (on popular thread : the Wall Observer).

Hot off the presses, a Cloudflare-blocking browser add-on!  a.m.o. currently says it was last updated “an hour ago (Dec 11, 2017)”:

https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

I have not yet examined the code.  Use at your own risk, pending review.

Referred by:

https://trac.torproject.org/projects/tor/ticket/24351#comment:25

Cheers to whomever did this.  “Cypherpunks write code.”

I was careful not to suggest that .onions be DDoS-proof.  Of course, they’re not.  But they do radically change the attack surface, largely for the better (at least against DDoS).

In practice, I would suppose that probably, the best means to deny access to a .onion would be to DDoS its introduction points.  Those have publicly known IP addresses; and I doubt many Tor node operators are prepared to handle even something so commonplace as an amplified flood of UDP packets in response to forged DNS requests.  The .onion will become available again as it changes introduction points; but meanwhile, users will have an awful time getting through.  I am not saying anything which is not already well-known and widely discussed amongst Tor devs.

On another note, I would not deem Ulbricht competent to admin the website for a hot-dog cart.  Let alone to run a site under a threat model far beyond my abilities, and likely beyond the capability of the Tor network.  He couldn’t even keep PHP (!) errors from spilling his servers’ guts.  I guess he must have been high on drugs.  I would not take any lessons from his experience, other than mining it for examples of what not to do.  Whereas .onions run by competent sysadmins have survived extreme DDoS attempts.

There have been plenty of .onion sites that have been DDoS'ed over the years. I know that Silk Road had a decent number of DDoS issues, and Ulbright apparently spent a decent amount of money fighting it. I am not sure if he implemented any of what you suggested though.

THIS.  Thank you.  A Bitcointalk .onion was on my mind all week, together with other anti-DDoS mitigation ideas about which I hope to write up suggestions.  It is also something I may perhaps, maybe, perhaps be willing to not only talk about (hint, hint).

.onion sites already have less exposure to DDoS than sites on the open Internet.  Connections to .onion have no access to a full network stack—only to streams through Tor’s circuit protocol, a custom stream transport layer.  No TCP handshake tricks, no amplified UDP floods to clog the pipes, etc.  I suppose theymos’ “homebrew” anti-DDoS had already stopped those.  But also, the capacity limitations and cell queuing mechanisms of the Tor network and its nodes provide some upper bounds on any type of DDoS which uses high bandwidth.  That leaves (1) specialized attacks against the Tor onion proxy, (2) DDoS against introduction points, and (3) any relatively moderate-/low-bandwidth application-layer attacks.  (“Relatively” compared to DDoS which uses tens or hundreds of gigabits per second.)

For (1), lock down that onion proxy tight and isolate it from the web backend—which you should do anyway.  At least it can’t take down the site itself, or affect reachability from clearnet.  Better still, use onionbalance with multiple onion proxies; that gives load-balancing and failover, and also permits isolating v2 .onion private keys from the machines handling visitor traffic.  (2) is really a Tor network issue, though maxing out your intro points with onionbalance will help.  For (3), well, as always—don’t run poorly designed software.  nginx is already robust against HTTP-level DDoS; I have no idea about the vulnerability profile of SMF, other than that it’s database-intensive forum software written in PHP.  I guess, start by disabling the search function through .onion...

I don’t see why a monthly paid subscription should be required.  If that was intended as an idea for .onion, it would effectually restrict .onion use to people who directly make money off the forum—signature campaigners, etc.  Instead, to prevent abuse, I’d suggest that full posting privileges through .onion be restricted to full Members or paid Copper Members.  (I am guessing that Junior Member accounts may be too cheap on the account sale market, especially for hacked accounts.)  .onion posters without those ranks should be restricted through a “newbie jail”-like system.  Those who could not afford paid membership, could spend a few months ranking up in the .onion jail—or through clearnet exits, just like now.  For spammers and scammers, throwaway accounts would be prohibitively expensive.

Perhaps also add a “.onion” tag below the username and rank for posts made through .onion.  I am reluctant to suggest that, given the level of prejudice some people have against Tor users; but I don’t think the moderators here have such a bias, which is the important part to me, personally.  I myself would be proud to wear a “.onion” tag.  I would explicitly add it, if it were offered as an option.

For a non-location-hidden .onion, as I presume this would be, single-onion mode should be snappy for users.  Projects such as Debian and Tor Project successfully run high-bandwidth services such as public apt repositories through .onions, using onionbalance.  Debian users can do all their OS updates without ever touching clearnet!  Use of .onion also helps the Tor network, by shifting load off the bottleneck of exit nodes.  Any relay can serve as as a rendezvous point, including the far more numerous “middle nodes”.

Note that any .onion version of the forum must be verified to work with Javascript disabled.  Excepting signup and login functions, basic functionality seems to work fine that way.


Cloudflare’s effect on spam should be somewhere between negligible and nil.  It’s an anti-DDoS reverse proxy network and caching CDN; it also filters out attacks against braindead applications which can’t handle Bobby Tables.  I don’t see how it could help much against spam; how could the HTTP requests involved in spam posts be distinguished from legitimate network traffic?  Especially the spam posts made by nominal humans?  Though I suppose that forum spam is a wetware-layer DDoS.  It does “deny service” when the forum is unreadable.


I wonder whether theymos’ “evil IP” system uses the publicly known IPs of Tor exits, as published in the consensus.  It would make sense to charge a set price to all Tor users, rather than varying the fee by measurements taken on a particular exit IP.  But n.b., not all exits actually exit through the same IP as they use for their ORPort.  I recall some research finding that as many as 10% of exits did otherwise.  This is useful for avoiding blocks, but risky for node operators since the IP is not listed in the “exonerator”.

that's only if the exit node ip has points of evil associated with it though, i could imagine some new nodes might not have any points linked to them.

Is there an official .onion proxy of BitcoinTalk that bypass Cloudflare? We do sometimes get support request PMs.

How about BitcoinTalk Pro accounts with monthly payments, private proxy without Cloudflare and captchas, bot access?

I think there might be numerous individuals like me who don't generally mind if their posts or messages are perused. On the off chance that I have to make some secret courses of action with some individual, at that point I would do this far from the discussion. My essential concern is the security of my posting. You may not concur with my assessments and thoughts, but rather at any rate they are mine, and I don't need anyone putting on a show to be me to post other data, or to execute any extortion. Anything that diminishes spam and pernicious assaults is great as I would like to think.

Why would they bother trying the back door, when sites (and browsers) grant them front-door access?

Cloudflare is a global active adversary which MITMs every connection by design, as theymos wisely noted.

No matter using cloudflare or something else, NSA already had access to forum's servers, Since they are in USA.

Single data point:  This applies to me.  I don’t wish to discuss details publicly.  I did overpay.


Well, then why bother with the large (and futile) effort of trying to associate a payment-from address?  Delegating trust to a public key (Bitcoin or otherwise) is an ordinary key management issue; and it’s orthogonal to the anti-abuse payment mechanism.


https://github.com/bitcoin/bitcoin/issues/10542 (only discusses Segwit P2WPKH-in-P2SH; generalizing a signature scheme for P2SH would be a non sequitur.)

I recently made this mistake, much to my embarrassment.

---

Anyway, this whole discussion is on the wrong thread.  The login CAPTCHA issue is distinct from the Cloudflare issue.  theymos added the login CAPTCHA sometime before 2017-10-19, and moved behind Cloudflare 2017-11-29.  The login CAPTCHA is not from Cloudflare.

Sure they can. They can sign from the private key(s) used to sign the transaction. The public key associated with the private key(s) used to sign a transaction is public information once the transaction is broadcast.

The average fee users pay is below most exchanges minimum withdrawal allowed. Any users who couldn't sign messages from an address could be given an option to associate another address with their account.




Signing from any of those addresses should be OK.





They can export the private key from their mobile or web wallet, then import it into a wallet capable of signing messages. The blockchain.info web wallet allows exporting private keys.

The Tor user may pay the fee from a bitcoin exchange account. As far as I'm aware, exchanges do not offer their customers the option of signing messages.

Also, if the Tor user's non-exchange wallet has many inputs to many addresses, and pays the fee from that wallet, which address(es) would the Tor user then have to use to sign the message? And if the Tor user pays the fee from non-P2PKH addresses (e.g., segwit P2SH addresses or multisig P2SH addresses), the Tor user can't sign the message using those addresses.

And again, not every wallet has the ability to sign messages, with mobile and web wallets being the most obvious examples.

Anyone registering through tor has to pay a small bitcoin fee, so all those users have bitcoin addresses associated with their accounts.

Not every wallet has the ability to sign messages. Also, one registers for a forum account using an email address, not a Bitcoin address.

Well how about asking tor users to sign a message from the bitcoin address they registered with instead?

Each time they log in they could be given a unique code and asked to sign a message containing it. That wouldn't cost them anything, and signing a message would be faster than going through endless cloudflare captchas.

Thank you.  As a Tor user, I admire this forum’s high-level culture of respect for privacy.

Paying a small fee to register and paying a fee every time you want to log in are two very different things (not to mention the latter being ridiculous and not sure why we should punish all legitimate tor users).

Forum is slow on loading, that is not something new I assume since the move.

But, I've never encountered an error apart from guess what, reporting a post/thread.
Tried several times this today (different reports of course) but I always get a timeout (error 524) that picture with:

Browser Working
Cloudfare Working
Bitcointalk host error

It has never happened on anything else, post/search/pm.

Theymos said he's unenthusiastically using Cloudflare to protect against DDoS attacks. I assume some of those attacks come through Tor and VPN users. Those users couldn't DDoS if they had to pay a tiny fee to login, and further fees if they make excessive HTTP requests. They are already prepared to pay a registration fee for privacy, charging small log in fees isn't much different.

Furthermore, charging a fee for excessive HTTP requests could protect against botnet DDoS attacks from regular IP addresses. Normal users wouldn't even notice because they don't make huge numbers of HTTP requests.

I guess most of the accounts involved in DDoSing are newbies. During times of excessively heavy load on the forum newbie accounts could be asked to either pay a small log in fee, or return later when there's less users accessing the system.

A fee to log in!?  Are you serious?

N.b. that (a) the move behind Cloudflare at the end of November is absolutely irrelevant to login issues, discussed separately since October; (b) everybody’s connections go through Cloudflare, for every connection to the site; and (c) Tor users (among others) are already charged a fee to create an account.

Why not charge Tor and VPN users a small bitcoin fee to log in? Most of those users would probably rather pay a  fee than use cloudflare. They already have to pay a fee to register.

Sigh.  A “blockchain” is not some magic pixie dust you can sprinkle onto any problem and make it disappear.  If you don’t believe me, try setting up your own Steem full node.  Yup.  Not happening.  —  Oh, Steem is exactly your idea, including the coin part.  To run a full node, minimum listed requirements are a dedicated server with at least 32GiB RAM and large, fast disks.  For this and other reasons, Steem is quite centralized; instead of “being their own servers”, almost all users just log into the centrally managed Steemit website.  I’m not sure what the point is, other than “blockchain”.

How about a forum based on blockchain?? We would just log into a software and we will be the servers. And hell, we can even have shares and trade on them like a coin.

that sucks

I am sorry that it has come to this Theymos

thank you for your efforts

I've been getting several 504 (gateway time-out) errors from Cloudflare today, seems to come and go.

I just got Cloudflare CAPTCHAed.  I infer it may only have been the “currently offline” error page?  Was the site down?  What is going on here?


I didn’t do the CAPTCHA; I just waited awhile for the site to come back up, and then it loaded without CAPTCHA.  I don’t know whether the wait also resulted in me using a different Tor circuit, due to Tor’s circuit dirtiness timeout.

(I then got more Cloudflare errors when trying to post this, but no CAPTCHA.  Error 504, then 502.  I guess the first time, Cloudflare decided the error message was too precious to be served without CAPTCHA.)

Thank you, theymos, for honestly disclosing and discussing the facts about Cloudflare.  It is for exactly the reasons you stated that I filed Tor Browser bug #24351: Block Global Active Adversary Cloudflare.

I usually dislike Cloudflared sites.  Well, here is one run by someone who actually understands.  What a conundrum!  I suppose I simply won’t send any data to this forum which I would not publish openly.

Good luck stopping the DDoS attacks; and I hope you can find a better solution someday soon.

Here's what would need to be done to replace Cloudflare: https://bitcointalksearch.org/topic/how-my-custom-ddos-protection-worked-and-how-it-couldve-been-improved-2497008

Well there's always room for competition but I'll have to check it out as well like you, but if that meets all our needs then great. Maybe theymos could donate some funds to the development of that instead.

Instead of wasting such tremendous amount of energy to create our own DDOS protection system, There is an existing project for that https://gladius.io/. I have not done some research yet, but I hope it's a good reference for Theymos to consider using decentralized anti-DDOS service.

Same, as I'm sure many others would also. Most ICOs are just hollow get rich quick schemes run by greedy scammers but I'd happily support one for a valuable service created by reputable people and it could actually be one that makes a lot of money as a business which we could give back to investors as dividends. Maybe bitcointalk could create it's own coin and give that out for promoting the ICO and bonuses for helping out the forum as well.

If this is the case, I think that now would be a good time to implement this plugin or something similar to keep accounts secure, should another Cloudbleed happen. It's well overdue regardless.

This is something that I would happily support with my BTC. Please consider this, theymos.

Sounds like you just sold the site to the NSA.

I agree with Mittchell I would rather have downtime than being a sell out

It's probably some guy who got the hump because he was banned.

Have the same error frequently but since it gets resolved rapidly when reloading, well, it is relatively tolerated..
BTW, couldn't be the NSA conducting the ddos attacks? and what's the point of ddosing the forums?
Downtime isn't a good thing for sure but the idea of hilarious is good if feasible

Is this active at the moment. I'm getting server 500 errors. It's not really a problem because a reload seems to clear it.

If a secret service agent is willing to break the law to get bitcoins, why wouldn't an NSA agent?  And why is it they can only read... couldn't traffic be altered?

The recent data leak is also not comforting: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/






Not sure if this is related or not?

The current Cloudflare solution appears to be blocking bots.

I run two bots that crawl the site periodically, the one for bctalkaccountpricer.info and another one for ACE. Both of these have been blocked from accessing the forum.

There are two aspects to privacy. Reading other people's communications, and watching their actions. I'm now old enough to be boring, so I'm not too worried about this. I believe that it is better to use "the system" legally, rather than try to fight it, so I suspect that the government and its controlling superiors are well aware of my actions. The other aspect is identity theft, and this is where we need to take precautions, and be aware of potential problems.

Everyone should be concerned about privacy, especially storing things in plain text. Compromises have to be done though to assure the stability of the server. It's sad that this protection is also under a monopoly and really only one company can protect against it or has the resources too. Nothing has changed in terms of personal messages though as any sensitive messages should have already been encrypted.

I suspect there may be many members like me who don't really care if their posts or messages are read. If I need to make some confidential arrangements with somebody, then I would do this away from the forum. My primary concern is the protection of my posting. You may not agree with my opinions and ideas, but at least they are mine, and I don't want anybody pretending to be me to post other information, or to perpetrate any fraud. Anything that helps to reduce spam and malicious attacks is good in my opinion.

Interesting.... nothing bad could happen here....    Are the DDoS's using the search feature?  What else could be disabled to mitigate?  I can only imagine the types of attacks the site gets but the decision seems quick and a bit extreme, haven't there been worse attacks?  I honestly don't have anything to hide from the NSA but I do value my privacy. And the general thought of the NSA collecting usernames/passwords on bitcointalk users is going to give me nightmares. 

To be honest, I rather have a forum with a lot of downtime, because of a DDoS, than handing over everything I do on Bitcointalk to Cloudflare/NSA. If we really have to go down this path, make it at least possible to bypass CloudFlare when logging in, updating your password and anything else that might be seen as sensitive data.

https://gladius.io/ Could be the solution. But the project not yet finished though.

I suppose it is a necessary evil.

Have you thought about maybe creating your own ddos protection service as from your concerns it seems like there'd be a gap in the market for a trusted product? I have no idea how much it would cost to create or run something like this but I'm sure it would be a worthy project people could get behind and would make for a decent ICO. Could even use the money we get from any potential new donator ranks we implement to invest in it. Something to consider at least.

Have you considering setting up a www2.bitcointalk.org subdomain for PMs? (that would operate outside of cloudflare)

If cloudflare can read our plaintext password, does that mean someone from google could impersonate us by entering our password, and read our PMs?

What I meant is that Cloudflare can see your unencrypted password when you log in. It's still encrypted from the real server to Cloudflare and from Cloudflare to you. So it's not blatantly insecure except in that Cloudflare is very probably an NSA honeypot, and it's not like the NSA is going to steal your password in order to scam people on bitcointalk.org or anything. If you use PGP for important communications and use a unique password, then IMO this addresses the plausible attacks well enough.

The U2F thing is a good idea in principle, but I've long been uneasy about fiddling with the authentication. I don't want to make a mistake which breaks security.

The thought of willingly passing passwords in clear text is quit disturbing for a security concerned member (me).  I can counter the PM issue as I do elsewhere by using GPG'd PMs, which are encrypted and decrypted ONLY locally on this end as needed.  At some sites I only respond to PM's where both sides have good OPSec using GPG on messages.  Is there any chance that bitcointalk could counter assault this huge password weakness by allowing U2F keys for members?  Even cloudfare can't do shit about getting around an encrypted key from a member's U2F and the site server?  I am not asking you to require U2F just allow it for those that are security concerned.  With the price of BTC and users that have been in the game for awhile the risks of doing stuff in "plain text" during logins is not Plan A by any means.

With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using using Cloudflare to protect against DDoS attacks. This change is in progress, and will take ~24 hours for everyone to see.

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, but my homebrew DDoS mitigation has been one of my biggest time sinks for the last 6 months or so, and the necessary servers are still pretty expensive. If I had more manpower, then I would prioritize maintaining our own DDoS protection, but with me as the only sysadmin and current-software developer, it's become unsustainable.

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. I considered several alternatives to Cloudflare, but the smaller ones (eg. Stackpath and OVH) didn't strike me as reputable/competent enough, and the enterprise-targeted ones like Incapsula and Akamai are around $3500/month. Even though $3500/month seems absolutely ridiculous to me, I was seriously considering Incapsula due to its pretty good reputation, but then they were having all sorts of technical issues while I was trying to set it up. So I gave up for now and went with Cloudflare.

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at. They can't access the database arbitrarily, though: they can only see data that passes over the Internet.

Tor users and benevolent-bot operators: please wait a couple of days for the current DDoS to subside, and then post your complaints here. I am able and willing to tune Cloudflare to be minimally annoying. Not every Cloudflare site has to do that "Using Tor? Here's an impossible captcha" thing.