The concerning thing about this is that the internet is increasingly dependent on Cloudflare, making it a single point of failure and exploitation. Somehow, people are not talking much about it, but a significant number of sites have opted in for Cloudflare proxying, allowing it to see the traffic in plain text, while the visitors are made to believe that the connection is secure. Similarly, users will now use their fast DNS server, which is also advertised as more secure.
What about akamai? They are a much larger CDN (no one talks about it on HN because they are not a startup). I agree with your assertion that it will become a single point of failure with many web properties but also I think that HN has a sort of filter bubble on startups (for obvious reasons) and I'm not sure cloudflare is as big as people make it out to be.
Also, Google has 8.8.8.8 which could be for the same thing and has similar problems (large scale data collection, single point of failure).
CloudFlare publishes their pricing. Akamai doesn't.
Dealing with salespeople is a massive PITA. They're not going to tell me anything that's not in the docs or support forums and I don't want to spend a week negotiating. I've seen many others make this point on HN over the years.
Maybe Akamai only focuses on large enterprise customers while CloudFlare also goes for the SMB market. IDK. The HN crowd seems to work at SMBs (startups included) or at companies big enough to operate their own CDN.
Fuck I hate this. I've avoided buying storage servers from ixsystems, despite the fact their products seem to be exactly what we need, because they won't tell me how much they fucking cost. They want to have a "conversation" about "solutions".
Fuck you. Sell me boxes and tell me how much they cost. But they won't.
I work for a vendor and I'm not allowed to tell my clients pricing because I'm not qualified to make deals. We don't even have a list price published internally, it's all at the salesman's discretion. That means some clients pay $150k, some pay $300k, some get it for free bundled with another purchase. Far too often I'm asked "budgetary pricing" but even that is a conversation with a solution architect and a virtual procurement cycle and an NDA and all that nonsense. Just so we can make sure someone is getting overcharged.
I'm going through this right now. I'm sure we are not willing to pay the price but some VP wants a commercial solution not an in-house solution. So I have to get quotes from enterprise vendors and cannot get even ballpark numbers out of them without at least 3 meetings where they basically try to get our finances (but maybe I'll get some tickets to NBA playoffs or something in a Faustian bargain). I never want to hear "we grow as you grow" or any form of that ever again.
Last project I could have spent that money to pay for 3-4 additional full time engineers for 3 years and built a better solution with open source because I still had to devote 2 plus myself to do integration. And then didn't have overpriced SMS for the next decade and licensing headaches and afford to keep at least 1 of the engineers indefinitely.
Ugh. So many terms that when I actually say out loud and try to be serious I throw up in the back of my mouth a little.
Is there room in this space for a new no-nonsense vendor? Someone who cuts out all the goddamn middlemen and just asks what hardware you want, how you want it configured, and quotes you a frickin price without all the bullshit?
First I've heard of them (but I'm not any kind of expert). Are they good? I usually just hear the usual suspects mentioned such as iXSystems and Supermicro. Linux guys will mention one called PogoLinux every once in a while also.
I have bought a few servers from them (4 or so over the years), and they have served me pretty well so far. I haven't had to do any RMAs or replacements though, so not sure how good the company is about that.
To be fair, it does represent a concept where I don't know any other word that can take its place.
We sell incredibly complicated systems that necessarily interact with many other complicated systems. We don't work natively with all of them, and sometimes we need to do custom work. Not to mention that we need hardware in many geographical areas, yet still need to work when the virtual space doesn't line up with the physical space.
It's not as easy as "am I buying the small, medium, or large solution". Before you invest tens of millions of dollars into this one product, you need someone from the vendor to analyze your infrastructure and tell you if our product will work, and then how many you need to buy and where you need to put them geographically, and then how many hours of custom programming it will take to get everything working with the other systems.
That's far outside any definition of "salesman" I've ever heard. These people are project architects and their speciality is solution design. It's not a three-tier SaaS solution.
Big HN fans here at iXsystems -- thanks for the feedback!
We'd actually love to be able to give you an "add to cart" price, but the reality is that most of our systems are configured to your specific requirements (with the exception of the FreeNAS Mini, which you can just add to cart on Amazon) instead of just "off the shelf".
It's actually not about trying to figure out how much is in your wallet, I assure you. In fact, we have one of the most transparent pricing processes in the biz. For example, we tell you your end price on our storage systems before a Reseller/VAR is even involved. We also fought the concept of having "list prices" for years, since we all know they're completely fictitious. However, it's something our F500, Gov't, and University customers almost always require so that they can measure and compare their discount.
Nonetheless, we do try to make the design process as quick and painless as possible for you, and regardless of whether or not you give us another shot, the feedback is always appreciated.
iXSystems does have min/max configuration prices on their website for the TrueNAS systems. If they took forever or wanted to get into NDAs for pricing that would be one thing, but if I wanted to specify the exact parts in my servers rather than tell the vendor what I need it to do and have them take care of the rest.. Dell will let me do that without talking to a salesperson, but how in Cthulhu's name am I supposed to pick from the twelve bazillion CPUs Intel is offering?
The way you do this is with an RFQ. Send them a notice of exactly what you want and ask for a quote. Be clear that it is a competitive bid situation and you are going to buy from the lowest bidder.
The problem is if you only need one or two servers that's too small for most vendors to bother responding. If you're buying 10 or more it can work well.
Why do startups that sell to other startups hire sales people to do this instead of just having clear pricing?
Obviously they must extract some value for the business but the experience of haggling with some sales bro to get a decent price leaves me so annoyed with services that I usually skip signing up when it’s the only option.
> Let’s talk about solutions!
No thanks. I just want to insert dollars and get the service.
It's because just having a pricing page doesn't give any feedback as to whether the price is correct or not.
A salesperson could at least ask 'what is a better price we can shoot for?' or 'what features do you really need?' whereas a visitor to a pricing page just disappears.
You can A/B test pricing, Amazon does it all the time. You can have a pricing page that says "If this seems off to you, let us know and we'll talk" like Papertrail does. There are plenty of options, but if you're worried about customers walking away, you're losing tons of them by making them call you first.
Your platform may have 1000's of features, not all of which all your clients want or can pay for. Packaging into simple groups may not be possible until you have the volumes to figure out what works.
Many clients need specific features that you don't have yet, pricing calculation becomes very complex, and varies from customer to customer as well. We will charge more to some customers simply because we know they need a lot of hand holding and special assistance.
I don't run any business so I don't have much info, only questions. Why could you not simply add a "custom solution, contact us here" next to the publicly priced offers? That way everyone is addressed, best of both worlds.
The simple answer to your question of why B2B startups devote resources to salespeople rather than having a clear (published) pricing strategy is that they don't know how much their prospective good/service is worth and therefore need an interactive "price discovery" process to occur. Once that process has occurred, however, they're left with a dilemma: they sold the same thing to one client for $150k, to another one for $300k, and one got it bundled for free. How on earth can they keep a straight face when they go ahead and publish a single price that will at the very least infuriate two out of three of their early adopters? They've trapped themselves until they can offer something radically new and therefore decoupled from prior pricing. And by then the salesperson-centric paradigm may be so ingrained into the firm's behaviour that it is no longer possible to change.
Multiple cookie cutter options + "call us if you want" works pretty well for Salesforce. Pay-for-what-you-use-until-you're-huge is sufficiently profitable for AWS/google cloud/Azure. The frustration expressed here is against the companies that force prospective users to call them, no matter what.
Having tiered pricing + "Call us if ..." works at a large scale. At small scale, particularly smaller startups in the B2B space, extracting value from each deal matters a lot more as you don't have anywhere near the level of deal flow on your inbound funnel.
Note that B2C is totally different and unless you're doing some very high priced / bespoke delivery then you have to go cookie cutter.
Akamai has been around since web 1.0 and reached critical mass before the freemium model was prevalent. At this point, they sell on reputation. They serve such a ludicrous amount of traffic and I can't recall ever seeing a major outage. I've been in and out of a lot of IT departments and every single one has used Akamai for public-facing systems. And I mean, every one.
As opposed to further up the stack where you rely on just a small handful of backbones that fail in spectacular ways far more than Cloudflare does. L3 and AT&T and all the networks that just route traffic through China for no reason at all.
As opposed to hosting everything on AWS, so half the Internet goes down when they have a not-so-uncommon outage.
I don’t think Cloudflare is that much of a bottleneck in comparison. Not to mention 3 points of failure is the definition of “not a single point of failure”.
To me that’s a diversification away from 8.8.8.8. I am absolutely not criticising google’s DNS, it’s a useful service. But I am happy to get more choice.
I agree - there are not very many internet-scale (for lack of a better term), completely free and fast DNS servers who have an IP address that's easy to remember.
Is that specific? sure, but I'll tell you when I go to set a new system up I'm going to type 8.8.8.8 because it's what comes to my mind.
Those resolvers are technically for Level3 customers only - they'll return one of those ad-filled "search" portals where an NXDOMAIN would be proper, see:
; <<>> DiG 9.9.7-P3 <<>> thisprobablydoesntexist.com @4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12860
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;thisprobablydoesntexist.com. IN A
;; ANSWER SECTION:
thisprobablydoesntexist.com. 10 IN A 104.239.213.7
thisprobablydoesntexist.com. 10 IN A 198.105.254.11
> Those resolvers are technically for Level3 customers only
There is this comment from a few years ago, https://news.ycombinator.com/item?id=7120248 , linking to a blog post which is now only accessible from the Internet Archive, where a VP at Level3 stated they were public.
I use 4.2.2.x and I do get NXDOMAIN from them, and I'm not a L3 customer. I wonder if they respond differently depending on who you are...
I thought NXDOMAIN responses indicated that the domain doesn't exist and there wasn't a way to actually direct the user anywhere. Your resolver could of course lie and return an IP instead of NXDOMAIN however. Perhaps I'm wrong.
They do it a little more cleanly than some other attempts I've seen, but there are still flaws in their approach. In particular, they will generate redirects for NXDOMAIN responses to certain records under domains that do exist:
Specifically, they'll generate a redirect for any record that starts with the letter "w". (No, I'm not kidding. Try it.) Other records generate a real NXDOMAIN.
Highly recommend Quad9. Their privacy policy is absolutely no identifying data logging, period. They're also the few providers offering DNS over TLS. Google, on the other hand, keeps identifying logs for 24-48 hours.
Just watch out for them if you're not in the US - any DNS-based CDN will send you to an American node rather than your closest, which could slow things down a little.
dig @9.9.9.9 icnerd-1e5f.kxcdn.com
icnerd-1e5f.kxcdn.com. 3600 IN CNAME s-us-ca00.kvcdn.com.
s-us-ca00.kvcdn.com. 55 IN CNAME p-ussj00.kxcdn.com.
p-ussj00.kxcdn.com. 55 IN A 209.58.129.70
dig @8.8.8.8 icnerd-1e5f.kxcdn.com
icnerd-1e5f.kxcdn.com. 21599 IN CNAME p-uklo00.kxcdn.com.
p-uklo00.kxcdn.com. 59 IN A 217.146.91.55
There is a public DNS server at 141.1.1.1 (which I used for connection testing before there was 8.8.8.8 etc.), but I actually do not know by whom it is operated. Whois says Vodafone.
My ISP (Spectrum / Time Warner) will not return a proper NXDOMAIN, and will instead send you to an ad-filled "search" page. They're also slower than Google DNS somehow, and generally not much more than an opportunity for my ISP to get more information and ad revenue from me.
At least I'm not paying Google to do the same, and I can trust that they'll send the proper results.
For servers you typically have no DHCP. Also ISPs often have annoying behaviours like redirecting you to their own websites for failed lookups. And my ISP doesn't allow local non-routable IPs (192.168.1.x) in DNS responses while Google does.
I wonder, given that we now have a number of reasonably decent DNS services, if we can make software better to obscure/divide up our DNS use.
Take your 1.1.1.1, 8.8.8.8, 9.9.9.9, maybe your ISP DNS, etc., check against them randomly to try and avoid giving any one of them all of your DNS request traffic, maybe look up the same address on two of them to confirm that you're getting the same destination from both?
If you are Chinese, you would. 1, 6 and 8 are lucky numbers to Chinese.
I suspect that the whole reason why 8.8.8.8 is a Google DNS server is that they were originally only 4.4.4.4 until someone Chinese pointed out that 4 is an unlucky number. :)
Well for me it is really useful to renew Let's Encrypt certificates. When doing DNS validation, you must enter a TXT entry as a response to a challenge. Having multiple public DNS servers is useful to ensure the entries have propagated before letting Let's Encrypt know they can query them. Propagation on OVH's Anycast DNS servers, for instance, is really non-deterministic. It may have propagated when queried from one location but not yet from another.
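The three resolver checks that come up in this part of the thread (the Level3-style "NOERROR with A records for a name that cannot exist" seen in the dig output above, the idea of spreading lookups over several public resolvers and cross-checking two of them, and waiting for a Let's Encrypt DNS-01 TXT record to be visible from every resolver before triggering validation) can all be driven from one small stdlib-only DNS client. The block below is an added example, not code from any commenter or from Cloudflare, Google, Quad9 or Let's Encrypt. It assumes the resolver addresses named in the thread, uses `example.com` as a stand-in for a zone you control, and includes a `build_response` helper that constructs replies offline so the classification logic can be exercised without network access; only `query` talks to a real resolver.

```python
import secrets
import socket
import struct

# Public resolvers discussed in the thread; your ISP resolver is whatever DHCP handed out.
RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
A, TXT = 1, 16
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Turn 'a.example.com' into DNS label wire format."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"


def build_query(name, qtype, txid=None):
    """Minimal recursive (RD=1) query: one question, no EDNS."""
    txid = secrets.randbits(16) if txid is None else txid
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, rcode, records):
    """Constructed reply to `query` for offline demos/tests (not real resolver output).
    records: list of (rtype, value); value is a dotted IPv4 string for A, a str for TXT."""
    body = query[12:]                                   # echo the question section
    for rtype, value in records:
        if rtype == A:
            rdata = bytes(int(o) for o in value.split("."))
        else:
            raw = value.encode("utf-8")
            rdata = bytes([len(raw)]) + raw             # TXT rdata: <len><chars>
        # owner name is a compression pointer to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 10, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(records), 0, 0) + body


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def parse_response(msg):
    """Return (rcode name, [(rtype, value), ...]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # skip qtype + qclass
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A and rdlen == 4:
            answers.append((A, ".".join(str(b) for b in rdata)))
        elif rtype == TXT:
            parts, p = [], 0
            while p < len(rdata):
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode("utf-8", "replace"))
                p += 1 + rdata[p]
            answers.append((TXT, "".join(parts)))
        else:
            answers.append((rtype, rdata.hex()))
    return RCODE.get(flags & 0x000F, str(flags & 0x000F)), answers


def query(resolver, name, qtype, timeout=2.0):
    """One UDP query to `resolver` (uses the network); returns (rcode, answers)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(data)


def probe_name(zone):
    """Random label that cannot exist under a zone you control. The leading 'w'
    also exercises the 'w'-prefixed redirect behaviour one commenter describes."""
    return f"w{secrets.token_hex(6)}.{zone}"


def classify_probe(rcode, answers):
    """NXDOMAIN hijack check: a name that cannot exist answered NOERROR with A records."""
    if rcode == "NOERROR" and any(t == A for t, _ in answers):
        return "hijacked"
    return "honest" if rcode == "NXDOMAIN" else "inconclusive"


def pick_resolver(resolvers=RESOLVERS):
    """Spread lookups over several resolvers so no single one sees all your traffic."""
    return secrets.choice(resolvers)


def agree(results):
    """Cross-check: did every resolver return the same set of A records?
    results: {resolver: (rcode, answers)}"""
    return len({frozenset(v for t, v in ans if t == A) for _, ans in results.values()}) == 1


def txt_propagated(results, expected):
    """DNS-01 readiness: every queried resolver already serves the expected TXT value."""
    return all(rc == "NOERROR" and (TXT, expected) in ans for rc, ans in results.values())
```

To run the hijack probe for real, query `probe_name("your-zone.example")` against each resolver with `query(r, name, A)` and feed the result to `classify_probe`; a Let's Encrypt renewal script would loop over `RESOLVERS` with `query(r, "_acme-challenge." + domain, TXT)` and only proceed once `txt_propagated` returns true. The offline `build_response` helper deliberately mirrors the shape of the Level3 answer quoted above (NOERROR, two A records for a non-existent name) so the classifier can be checked without hitting the network.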
However, 9.9.9.10 does not perform DNSSEC validation, as 8.8.8.8 (Google), 64.6.64.6 (Verisign), 9.9.9.9 (Quad9), and now 1.1.1.1 (CloudFlare) do, so results may not be as trustworthy.
My personal experience is that I had reliability problems that I didn’t have with Google. And DNS is a critical step in the connection for which you really want reliability.
I definitely have single point of failure concerns both with Cloudflare and Let's Encrypt, but as another user points out, right now 8.8.8.8 is the much more common single point of failure for DNS, and it's run by an ad/tracking company.
It's definitely possible Cloudflare may go the way of Google at some point in the future, but right now, I'd rather have the former than the latter involved in my Interneting. And in this case, it's a new/additional option, a second point.
This seems to be a general rule-of-thumb tendency with "distributed anything".
In general, in distributed systems a number of inconveniences arise as a natural cost of the distributed nature of the system.
This creates a tendency for a critical mass to circle around a single central entity that uses its central position to provide convenience and further creating a "distributed in theory if you really want it but not really" environment (example: Github).
Not really super related to Cloudflare, just a general observation.
Github's existence does nothing to change the distributed nature of git, just like GMail's existence does nothing to change the nature of email.
They offer/sell a service that is built using those technologies. People go to them for the convenience you mention. If there were other convenient ways to use those services people would use them as well.
... and there are! Github has competitors (Gitlab, bitbucket, ...) and GMail has competitors (Fastmail, hotmail, yahoo, and a bazillion others). Maybe it doesn't feel like they have enough competition, but if they actually turned git/email into "distributed only in theory" then there wouldn't actually be competition.
GitHub has gotten a ways there socially. Repositories which are not on GitHub are not socially first-class for many subsets of contributors, because the only habits you can rely on them having in easily-accessible brain memory are based on GitHub-specific workflow. So if you are used to Git and not GitHub, projects you want to contribute to may ask/demand that you do the GitHub-specific thing instead (and feel justified by norms in doing so), and contributors to any projects you publish may do the same in the other direction (more likely, just quietly give up if they can't use GitHub to interact with you). When that happens, you can't move your repository around and still be able to collaborate even if your server's publishing on perfectly good Git-accessible protocols, because the centralized convenience has turned into a necessity in order to keep up / because it was common enough.
That's far from the perfect opposite of “distributed and open”, since these habits can be more fluidly shifted and alternate versions of the convenience processes can exist in theory, but it's also far from what I usually hear people implying when they expect things to be socially distributed as well as technically.
(I'm told that GMail similarly changes the nature of email by making it socially unsafe to operate email addresses in certain ways, but I believe this effect is weaker and I don't have real experience with it.)
git doesn't offer what github offers (PRs, reviews, comments, ...).
Do people here actually think about the alternatives when they complain certain systems are too centralized?
If you stop using Github/Gitlab/Bitbucket today, you won't be able to collaborate because you no longer have a way to do the things Github lets you do. This isn't Github's fault.
Git is decentralized in that it has logic that allows multiple upstreams/downstreams. It's not magic. It's not "blockchain" or whatever.
Github is not decentralized, it's a SaaS product which offers git-compatible and svn-compatible repository storage, an excellent UI, comments, reviews, issue tracking and a bunch more. FOSS developers are asking you to create accounts to Github not so you can download their repository (you don't need to!), but so you can actually use the contributing tools on offer.
Sorry, I realize this isn't the tone you want to hear, but these comments about "centralized systems in decentralized worlds" are just so empty and meaningless. There's a few projects out there which actually try to solve the abstract issues you mentioned by, for example, adding comment/review metadata to git repositories. But you still have access control to take care of and at the end of the day, you need to trust some party; just like at the end of the day, with DNS, you have to put in a couple of IPs that you trust to provide you with good results.
Yes, you have to create a Github account to contribute to some projects. Has nothing to do with git, has everything to do with being able to use the services that Github provides. What is it that you're actually suggesting?
> If you stop using Github/Gitlab/Bitbucket today, you won't be able to collaborate to projects on these sites because you no longer have a way to do the things Github lets you do.
FTFY
Git works without a website just fine. Linus manages one of the largest Git repos purely via e-mail.
And you can do the same. Sure, Github/Gitlab/Bitbucket is more convenient, but you can just put up a Git repo with a static website that says "send patches to <mailinglist>" like it's 2003.
CloudFlare has done a great job convincing everyone that putting them in the middle and letting them proxy everything is a standard configuration that you need, and if you're not doing it your site will be too slow etc.
In most cases smaller websites are regional and can be better served without Cloudflare introducing proxy delays and slower speeds. The ease of adding SSL is offset by the privacy hole that forwarding everything to Cloudflare creates.
What makes that even worse is that Cloudflare is vehemently against anonymity on the Internet. I get it, it is part of their business model, but with the privacy concerns today ... well ... let's just say I am not a fan of theirs.
What makes you say that? They are well known for their IP reputation based captchas. The IPs with bad reputation are often services which exist to provide anonymity (vpns and Tor). They have done some interesting research into using zero knowledge proofs to allow good actors to bypass that without compromising privacy. There would be a lot of easier options if they were "vehemently against anonymity" than to make https://blog.cloudflare.com/cloudflare-supports-privacy-pass...
If you read the details of that decision, they're pretty interesting - they only did it because people were claiming CloudFlare were supporting their ideas.
Matthew Prince basically said "this is dangerous" and a month or two later that exact decision was being used against them in court to take down a copyright infringer.
Not saying one way or another about it being a good or bad decision, but they definitely knew they were setting a scary precedent when they did it.
Relying on a service does not always result in a SPOF. The times Cloudflare was unavailable (globally or with very noticeable impact) can be counted on one hand for me... While AWS outages already need me to resort to hands and feet.
This is awesome to hear, and for all of the criticism Cloudflare has gotten in the past, they have spoken loudly against censorship, not just for people they like, but those they dislike as well. I'd much rather point my DNS at them than Google, an ad company where tracking is the whole business model.
On the other hand they've also censored some of their users without being legally obliged to do so on a couple of occasions. They don't have a clean track record. I'd rather point my DNS settings at my own server than anyone else's.
I would much rather have a company with a long but nearly clean track record, than a short and spotless one.
The difference is that when a company with a spotless record decides it's time to change their ways, it can be a pretty radical change (look at Reddit). But with cloudflare I know we're a long way from that.
It's kind of absurd how everyone expects spotless companies. I'd like to live in that world as well but the reality of this one is that such companies do not exist. Cloudflare gets criticism on both too much censorship and not enough. I don't envy them...
My last point was that DNS is supposed to be decentralized. With a properly decentralized system, censorship becomes very difficult. We shouldn't rely on someone like Cloudflare or Google to provide us with DNS services.
It's a decentralized service, but at the end of the day, your PC's going to check one address. If it's not Cloudflare/Google/Quad9/etc., you're just going to be checking against your ISP. It's pretty beneficial, especially in certain countries, to have alternatives to the ISP's DNS.
So what's your thinking here? Cloudflare shouldn't offer to be one of the many pillars of that properly decentralized system?
I don't believe we are going to suddenly flock to cloudflare to provide all dns ever. Between ISPs hardcoding or force-defaulting their own (awful) dns servers, and the amount of geeks and IT techs who have memorized 8.8.8.8, we're safe for a long time. And if I'm wrong on that, that wouldn't speak highly of the "decentralized" nature of DNS, would it?
To sue someone for doing something illegal, you first need some evidence that they're doing it. Google heavily employs confidentiality for that reason. Case in point: Antitrust investigations across the globe were launched into the Android MADA... but that didn't happen until years later, when the confidential agreements were revealed in the Oracle v. Google case.
As long as nobody knew what was happening, it went unpoliced. One of the ongoing HR-related lawsuits explicitly claims Google prohibits employees from revealing illegal conduct that the company engages in.
How much tracking can you do on a v4 DNS? There can be thousands of people behind the same IPv4 at a given time, or it could change in a matter of minutes. A state could probably exploit that (as in there is a political opponent living at this address) but if the aim is just to track an individual's browsing habits I would think it is impractical.
My home IPv4 address from a major cable internet company hasn't changed in over a year and I don't have a static IP.
Even when they do change, knowing ping times plus IP address owner plus superficial usage patterns would easily be enough to narrow down to a single household. Many households will have a unique DNS footprint based on the exact makeup of internet connected devices in the household that are constantly phoning home.
People do often forget this about DHCP addresses: Most DHCP servers will renew your same IP for as long as practical, and this often spans years. At work, my NIC held its same lease for about two years, I was a little sad recently when I discovered it had finally changed.
How I monitor my house also lets me know when my public address changes, and it's extremely rare.
I have an IPv6 address that has never changed. My IPv4 address changes fairly often. The DHCP servers most definitely log the end-point MAC which can be tied directly by the ISP to my modem and router behind it. It's fairly easy to trace this stuff, if somewhat impractical.
Well, they do seem to plan to offer IPv6 DNS. And you'll probably want to be using that anyway, although they don't seem to recommend using that, as they mention it only briefly.
The privacy statements on this service are vague. Google makes specific and strong guarantees about what it does with DNS service logs. Google does not keep DNS logs with client IPs longer than 48 hours.
I also note that Cloudflare doesn't make a performance comparison with Google DNS.
But it is. They don't say what they do log. For example if I zero out the highest octet of your IP address and I log the ASN, I have effectively identified you without "logging your IP address".
Had the Daily Stormer folks kept their mouths shut, they probably would've been fine.
And then Cloudflare continues on to describe why they don't think companies should censor content, whereas Google has numerous blogs and entire technologies revolving around how to censor content even more than they do now.
There's a difference between saying "[highly controversial statement]. We know company X will not censor us." and "[highly controversial statement]. We know company X will not censor us because the people at company X are really on our side!"
They really should have booted them for that reasoning rather than by feeling. They even have it in their Terms of Service (and when I looked, did have it at the time of terminating the site).
> Section 18 - Because Cloudflare has no control over such sites and resources, you acknowledge and agree that Cloudflare is not responsible for the availability of such external sites or resources, and does not endorse and is not responsible or liable for any content, advertising, products, or other materials on or available from such sites or resources.
It's a clear ToS breach, a bit of thought would have avoided the whole thing. You got lawyers on hand? Talk to lawyers!
There's a difference between supporting someone's free speech in general and whether you want to continue with them in a business relationship because they are abusing you specifically.
I may support my friend's right to free speech in general, but if they are at my house and start bad-mouthing myself and my family, I'll ask them to leave. They can still say what they want (if not libel/slander), but they don't need to do it in my house. They can go say it elsewhere.
> If this is true [Daily Stormer made the claim that CloudFlare were secretly supporters], then I agree with the takedown [...] But in this interview, the CEO says something totally different
To me that's almost the exception that proves the rule.
If someone tells me they have a 100% SLA I write them off as a liar, but tell me you have a 99.995% SLA and have only ever had this one exception and here's why, that builds much more trust with me.
Your reasoning is like saying "the canary only disappeared once, and knowing that it can indeed disappear bolsters my confidence in it now that it has returned."
No, it's a matter of reality matching expectations. If you expect that the SLA has very likely been violated at some point, hearing that it has not means you should believe you have just been very likely lied to given your existing knowledge, unless you are considering that statement as a source of truth itself.
If you expect that the SLA has very likely been violated at some point, hearing that it has at some point means that the statement confirms to what you already believe to be true given your existing knowledge. That doesn't mean the statement is true, but since it's not obviously conflicting with what you already believe to be true, it at least allows you to believe it is not immediately false.
Instead of thinking about it increasing the likelihood of being entirely true, think about it as decreasing the likelihood it's entirely false. Depending on your point of view that may not be much, but it's something.
> No, it's a matter of reality matching expectations.
What an agent tells me is what they choose to tell me. You're describing some sort of luck-based updating via that third party's choice.
I don't live in a tinseltown universe full of model trains and animatronic NPCs. None of us do. All reasoning about real-world agents is subject to incomplete information and uncertainty.
That much is trivial. More, it's mutually understood to be the case.
Also mutually understood: basic world knowledge stemming from the same. These are principles simple enough to be patronizing in written description, yet persistently ignored or misused at implementation-level. Like:
1. Actors are variably susceptible to errors in reasoning under uncertainty
2. Actors are variably skilled at exploiting 1 to modulate 3rd party behavior
3. Actors are variably motivated to make use of 1-2
It follows from the above that allowing an actor to subtly shift your expectations as if you ever held a platonic model of their behavior is simply a cognitive error. There's no way around it.
Take the "99.995% SLA" example.
In the absence of that figure, would you have assumed a God-Mode level of performance? Clearly not. You can cross all the factors like whether you care about the figure, whether it's above or below average, whether disclosure is standard in this context, … to just enumerate all the cases and see clearly that there's no time when this information is surprising.
I mean, just look at a top google hit for SLA⁽¹⁾. You really think a CIO reader is in any way surprised to hear that some metric they negotiated into a contract indeed holds? Or that it doesn't?
Continuing: A figure like 99.995% is well within reasonable bounds for any number of business processes, so it's not necessarily false precision here. What it almost definitely is, however, is precision in pursuit of persuasion.
There are plenty of industries for which exacting figures at the high end of some performance criterion — manufacturing quality, service availability, measurement accuracy, etc — are essential to informed consumer behavior. Those industries almost universally have norms or regulations setting out certain expectations about what will be found on a specsheet, how units will be tested, how this information will be reported. If not, the spiel is just spiel.
Facts and figures as token gestures of fallibility, however, are confidence tricks.
I already know you're fallible. You cannot sway this comprehension by reframing around some very likely sort of figure: charm pricing⁽²⁾ and related uses of odd figures are marketing weaselry targeting plebs. To point these things in the direction of clientele is to tell them how much you think of their ability to resist bullshit-fatigue.
My feels about whether I'd wanna have a beer with <The Guy>, modulated by his current demeanor toward me or whatever audience he imagines me to be a member of, do not determine his fitness for any high-stakes job.
The same is true here.
Cloudflare is in the MITM business. Absolutely trusted at no point in time, independent of whatever cost/benefit has gone into the decision to use a MITM. This isn't even defeated by being too big a client to lose: if you were big enough to be a lifeline for cloudflare, you'd have no need for cloudflare.
They also went out of their way to automatically treat them as more questionable by default. Unless the website operator explicitly whitelists Tor, Tor users are given a worse experience.
This probably isn't really correct. Their blog says that 94% of the traffic they were getting over Tor was malicious, and since they probably automatically put IPs where a lot of malicious traffic comes from on the CAPTCHA list, my guess is all the Tor nodes got flagged automagically.
What they went out of their way to do, was explicitly make it less painful for legitimate users to use Tor, despite the amount of malicious content they get from Tor. I'd argue for most companies, if 94% of the traffic from somewhere is malicious, the answer is "block it and be done with it", but clearly, Cloudflare actually values Tor and what it stands for enough to come up with a workaround.
"They also went out of their way to automatically treat them as more questionable by default."
Nope, you're spreading unsourced/unconfirmed FUD. Provide a source, or this is just FUD. Tor IPs are treated like any other IP by default, not "more questionable by default".
Perhaps they've changed it since last time I looked a few years ago. You're right, I can't find the tor-specific anything anymore. I ditched Cloudflare years ago and haven't checked back in a while. I rather distinctly remember a default setting that explicitly talked about how it treated Tor users. I don't see that setting anymore.
Not sure of your point. Who exactly do you anticipate is opting?
The website owner's settings default to secure, and they can intentionally take action to make the website less secure if they'd like to. That is their decision; of course we do not default to a less secure posture.
What I meant. This default setting is the reason why Cloudflare is not off the hook here. This is the default, so website owners who don't care or know about it won't change it. Like all default settings where you have to actively change it.
CF invests a lot of work into Privacy Pass, which is a crypto token system to allow Tor browsers to verify they're human without giving up anonymity: https://privacypass.github.io/
As the person who placed the order, yes you definitely can :)
Starting November 1, 2015 [1], you could no longer obtain certificates for "Reserved IP Addresses" [2] and any still in existence on October 1, 2016 had to be revoked.
Section 3.2.2.5 of the BRs indicate how one can demonstrate control over the IP address.
Publicly-trusted CAs can issue trusted certificates for IP addresses. It's simply far less commonly used, and most CAs either don't offer it at all or only for enterprise clients.
(You might have been thinking about issuance for IP addresses in private/reserved IP space. That is indeed prohibited nowadays, just like "internal names", i.e. domains that don't end in a public suffix.)
Most CAs ignore the subjectAltName extension when parsing CSRs (as it's a pain[1] for users to generate one properly). They just extract the public key, CN, and let you fill in SANs.
Well crap. I was used to going to 1.1.1.1 on my cellphone when on wireless APs that tried to redirect you to an agreement page. Now there is a valid cert/website at that address.
Don't some VoIP devices use 1.1.1.1 too to check connection type or something?
There was a paper from a couple years ago when 1.1.1/24 (or bigger, don't remember) was still unassigned; at some AS they logged what kind of traffic was targeted at that subnet, by IP, port and protocol and 1.1.1.1 stood out. Can't find that paper just now unfortunately. :-(
Never had any issue and there's an extremely low, almost infinitely zero, chance of the domain dropping and being taken over by squatters (re: neverssl)
So am I correct assuming they support DNSCrypt if they claim they support encryption?
If that's the case that's really nice actually. Google DNS kinda silently launched DNS-over-HTTPS in 2016 but still no DNSCrypt; opendns are the only major ones supporting it.
Of course I stopped using dnscrypt at some point because it was a pain to maintain, and wasn't supported on most of my devices :/
Should point out though that it is using DNS-over-HTTP/2 and not DNSCrypt it seems, because the DNS stamp you provided in a sibling comment starts with "Ag" and not "AQ".
When you are a CDN and already have a massive infrastructure to handle HTTP/2 traffic, DNS-over-HTTP/2 makes more sense.
I also totally trust Cloudflare for the TLS security part, especially since they support TLS 1.3 already.
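The "Ag" versus "AQ" distinction above comes straight from the stamp encoding: the first byte of a DNS stamp is the protocol identifier (0x01 for DNSCrypt, 0x02 for DNS-over-HTTPS), and base64url turns those into "AQ" and "Ag" as long as the property flags that follow stay small. The encoder and decoder below are an added example, not code from the thread or from dnscrypt-proxy; the addresses, hostnames and the all-zero provider key are constructed sample values.

```python
import base64
import struct

# Protocol identifier is the first byte of a DNS stamp (values from the DNS Stamps spec)
PROTOCOLS = {0x00: "Plain DNS", 0x01: "DNSCrypt", 0x02: "DNS-over-HTTPS", 0x03: "DNS-over-TLS"}
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 1, 2, 4  # bits of the 64-bit properties field


def _lp(data: bytes) -> bytes:
    """Single-byte length prefix followed by the data (stamp 'LP' field)."""
    return bytes([len(data)]) + data


def _vlp(items) -> bytes:
    """Set of LP fields; every entry except the last has the high bit of its length set."""
    if not items:
        return b"\x00"
    return b"".join(bytes([len(x) | (0x80 if i < len(items) - 1 else 0)]) + x
                    for i, x in enumerate(items))


def _finish(body: bytes) -> str:
    """Stamps are 'sdns://' plus unpadded base64url of the binary body."""
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()


def doh_stamp(addr: str, cert_hashes, hostname: str, path: str, props: int) -> str:
    """DoH stamp: 0x02, props, LP(addr), VLP(hashes), LP(hostname), LP(path)."""
    body = bytes([0x02]) + struct.pack("<Q", props) + _lp(addr.encode())
    body += _vlp(cert_hashes) + _lp(hostname.encode()) + _lp(path.encode())
    return _finish(body)


def dnscrypt_stamp(addr: str, provider_pk: bytes, provider_name: str, props: int) -> str:
    """DNSCrypt stamp: 0x01, props, LP(addr), LP(provider public key), LP(provider name)."""
    body = bytes([0x01]) + struct.pack("<Q", props) + _lp(addr.encode())
    body += _lp(provider_pk) + _lp(provider_name.encode())
    return _finish(body)


def stamp_protocol(stamp: str) -> str:
    """Decode a stamp and name its protocol from the first byte."""
    raw = stamp[len("sdns://"):] if stamp.startswith("sdns://") else stamp
    raw += "=" * (-len(raw) % 4)  # restore base64 padding before decoding
    first = base64.urlsafe_b64decode(raw)[0]
    return PROTOCOLS.get(first, f"unknown (0x{first:02x})")


if __name__ == "__main__":
    flags = PROP_DNSSEC | PROP_NO_LOGS | PROP_NO_FILTER
    doh = doh_stamp("1.1.1.1", [], "cloudflare-dns.com", "/dns-query", flags)  # constructed
    dc = dnscrypt_stamp("192.0.2.1", bytes(32), "2.dnscrypt-cert.example", flags)  # constructed
    print(doh[:9], stamp_protocol(doh))  # sdns://Ag DNS-over-HTTPS
    print(dc[:9], stamp_protocol(dc))    # sdns://AQ DNSCrypt
```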
Quad9 said they will support DNSCrypt soon, and the software they use just got an update to do it nicely. So, this will be a decent alternative if you are looking for an anycast resolver.
Snap, hours later as I was looking for some things relating to setting up dnscrypt-proxy2 I landed on https://github.com/jedisct1/dnscrypt-proxy and spotted a certain similarity between the usernames of that GitHub user and the person that had responded to me on HN earlier.
Thanks for making this :) Also, thanks for using the ISC license, it is my favorite license.
PS: And additionally then, the text I was quoting from https://dnscrypt.info/faq was probably written by you. Good thing I was sufficiently convinced by what you said that I didn't argue against it, that'd have been embarrassing. Embarrassing but also funny ofc ;)
Edit, another 40 minutes later: And you've authored libsodium, and you've done a bunch of other really cool things also. Holy crap! I'd buy you a beer if I ever met you but you are probably way busy anyway lol.
This CSV file is gone, along with the confusing and mostly useless information it contained.
All the required parameters to connect to a server (protocol, certificate hashes, public keys, bootstrap IP address, URL...) are now represented as a string ("DNS Stamp").
Are encrypted DNS requests used by default? Does 1.1.1.1 somehow advertise to your client (whether it's a browser, the OS or a router) that encryption is possible? Do I have to configure my endpoint, which may expect to be able to send normal plaintext DNS requests, for it?
I guess DNS over HTTPS will surely not be supported by normal routers, but I don't know what other protocol Cloudflare refers to as "encrypted DNS", so maybe that will work.
Encrypted DNS usually refers to making TLS-secured connection to a DNS server over port :853. You can read more here: https://tools.ietf.org/html/rfc7858
Lots of bad networking equipment assumes 1.1.1.1 isn't a real address and uses it for things like captive portals and administration, making this a terrible address to use for a service you want to be widely available.
Didn't realize this wasn't official yet. A few days ago dns.cloudflare.com pointed to a landing page describing how to change your DNS to 1.1.1.1 and 1.0.0.1 and how they were not going to censor or log anything.
Where did you get China Telecom from? The IANA released 1.0.0.0/8 to APNIC in 2010 and 1.1.1.0/24 was assigned to APNIC-LABS. The IRR Netname is actually still APNIC-LABS too. See:
The IANA released 1.0.0.0/8 to APNIC, and APNIC subsequently sold parts of it to China Telecom. I deduce this because neighboring IP ranges (https://stat.ripe.net/1.1.0.0#tabId=at-a-glance and https://stat.ripe.net/1.1.2.0#tabId=at-a-glance) belong to China Telecom. So 1.1.1.0 likely did too. I think the whois information may have reflected the China Telecom ownership before it was updated.
APNIC-LABS is probably just a joint partner in that Cloudflare resolver project.
No. 1.1.1.0/24 was not allocated because idiots poisoned it. For a long time address ranges like these were left unused because it wasn't worth anybody's time handling the problems but since IPv4 is now full we may as well do what we can with them.
So China Telecom will never have been given 1.1.1.0/24.
In case it's interesting to anyone, I ran nmap against the IP and it seems that the domain associated with it is one.cloudflare-dns.com; also, all of the ports are closed currently.
This protects against a tremendous amount of local and ISP level DNS request collection which is great; however, we ultimately need a zero-trust DNS system. KPMG auditing Cloudflare provides security through bureaucracy/obscurity which doesn't help.
Appears to be a joint venture between Cloudflare and APNIC; not sure of the relative involvement of APNIC, but they provide the IP addresses at the very least. I don't know if they retain any oversight of operations.
But those IPv6 addresses aren't actually working, unlike the IPv4 ones. Also, those addresses are owned by Telia, so I have my suspicions that those are the go-live IPv6 addresses.
It worked like this (according to the submitted website archive):
> Cloudflare had the network. APNIC had the IP address (1.1.1.1). Both of us were motivated by a mission to help build a better Internet. You can read more about each organization’s motivations on our respective posts: Cloudflare Blog / APNIC Blog.
The blog post links just link to the blogs themselves, not actually to a post, so this submission seems premature.
It appears APNIC still owns the IP address, described as "APNIC and Cloudflare DNS Resolver project, Routed globally by AS13335/Cloudflare, Research prefix for APNIC Labs".