GrapheneOS support for Fairphone is unlikely to ever happen. Their hardware is too insecure to satisfy GOS's reasonable requirements [1] and they have stated that they aren't interested in improving it [2]. Software is also lacking and they've partnered with Murena [3], who has been slinging shit at GOS [4].
> On a more positive note, due to the AOSP/Pixel drama there now is a real possibility a different major OEM will be supported
I really do not know which major OEM, other than Exynos-based Samsung, comes near GOS' checklist, but here I am hoping he is talking about the Nothing phone.
That's excellent news that they're partnering with an OEM to make something. Here's hoping it's someone like Framework that has sustainability in mind as well.
Why not Framework themselves? By now, they have brand recognition to certain extent and a ready customer base - I think a Framework phone with choices of GrapheneOS or LineageOS or standard Googleized option could be a very compelling product.
That is if they can sort out their availability gaps.
Their phones are sold in the USA through Murena. I've bought a Fairphone 4 through them. It was preloaded with eOS but I loaded CalyxOS on it, which is similar to GrapheneOS.
I would hate to see them move to Discord over Matrix. I know Matrix has its issues, but Discord is inviting the same issue a couple years down the road. Besides, Matrix could use the attention of those talented devs using it every day!
I would make the jump to Signal. It's super easy and secure. Has all the features you'd need (minus the online status). It's how I communicate with my whole family.
Problem is that a significant chunk of the technology industry still relies on "engagement" as its business model. The objective of slapping an overzealous bot protection system isn't to protect high-risk endpoints like logins/etc, it's to ensure a human is "engaging" and human time is being wasted by making even legitimate automated usage impossible.
From their perspective, the blocking of power users with unusual setups is actually a happy coincidence, as those are unlikely to "engage" with the product in the desired way (they run ad & spyware blockers, don't fall for dark patterns, and are more likely to fight back if they get defrauded by the corporation).
40% of the internet’s traffic now is bots, with about half of those being malicious. Fail2ban is decent for a very small DDoS, but useless for one with any substance, and also useless against bots scraping data or probing for weaknesses.
Also remember, especially on AWS, bandwidth is expensive. A CDN cache + blocking bots = big savings.
> What am I missing? Fail2ban has been around a long time.
Modern threat actors can spread requests out over large pools of source IPs. Rate limiting login attempts by IP isn't an effective means of preventing credential stuffing attacks.
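An added example, not part of the thread: the point above run over a constructed login log, comparing a fail2ban-style per-IP threshold with an aggregate check on failures, distinct source IPs and distinct usernames per window. The thresholds, function names and all log entries are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed events: (time, source_ip, username, success)."""
    t0 = datetime(2025, 1, 1, 12, 0, 0)
    events = []
    # Classic brute force: one IP, one account, 8 failures in 80 seconds.
    for i in range(8):
        events.append((t0 + timedelta(seconds=10 * i), "192.0.2.10", "admin", False))
    # Distributed pattern: 60 IPs, one failed attempt each, 60 different accounts.
    for i in range(60):
        ts = t0 + timedelta(minutes=10, seconds=4 * i)
        events.append((ts, f"198.51.100.{i + 1}", f"user{i:03d}", False))
    # Ordinary traffic: a few successful logins.
    for i in range(5):
        events.append((t0 + timedelta(minutes=3 * i), f"203.0.113.{i + 1}", f"staff{i}", True))
    return sorted(events)


def window_start(ts):
    """Align a timestamp to the start of its fixed 5-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)


def per_ip_bans(events, max_failures=5):
    """fail2ban-style rule: ban an IP with max_failures failures in one window."""
    counts = defaultdict(int)
    for ts, ip, _user, ok in events:
        if not ok:
            counts[(window_start(ts), ip)] += 1
    return {ip for (_w, ip), n in counts.items() if n >= max_failures}


def distributed_alerts(events, min_failures=30, min_ips=20, min_users=20):
    """Flag windows where failures are spread over many IPs and many accounts."""
    failures = defaultdict(int)
    ips = defaultdict(set)
    users = defaultdict(set)
    for ts, ip, user, ok in events:
        if ok:
            continue
        w = window_start(ts)
        failures[w] += 1
        ips[w].add(ip)
        users[w].add(user)
    return [
        (w, failures[w], len(ips[w]), len(users[w]))
        for w in sorted(failures)
        if failures[w] >= min_failures
        and len(ips[w]) >= min_ips
        and len(users[w]) >= min_users
    ]


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP bans:", per_ip_bans(log))
    for w, n, n_ips, n_users in distributed_alerts(log):
        print(f"{w}: {n} failures from {n_ips} IPs against {n_users} accounts")
```

The per-IP rule bans only the single noisy address; every address in the distributed run stays under the threshold, and only the aggregate view flags that window.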
While you hit the nail on the head, I am still surprised that so many tools targeted at people like me (web hosting, developer tools, etc.) are protected that way.
What other way would you suggest to protect a free service from bots? Cloudflare is often the easiest to implement and has a generous limit on their free plan.
Oh, they absolutely are, I don't disagree -- I use them too.
But the immediate response to bots shouldn't be "make everyone go through a captcha". There's lots of nuance that you can tune to deal with your particular situation, but the first thing I'd do is block known bots or ASNs, set up a limit to trigger (bots usually don't make 1 document request a minute), set up higher limits for users who (seem to) have a valid cookie indicating that they are logged in, set up different thresholds for certain countries that are more risky etc etc.
What you need to protect your service depends on your situation, it's not a one-size-fits-all solution. E.g. I find that I have no automated contact form spam once I add a simple JS to add some data that isn't standard, but I'm sure that wouldn't hold up if there was enough incentive to try to get past it.
But the OP mentioned not just free services, but e.g. webhosting logins. That's just sad, as is Cloudflare's community being behind an aggressive captcha. I'm a user, I'm logged in, I've posted before, I'm in good standing, yet when I go there, I need to solve a captcha. When I then go there again an hour later, guess what, another captcha.
Either there's another reason I'm not seeing or it's just laziness as in "we need to have a forum but we really don't want to spend any resources on it, just put up an aggressive captcha that'll filter out most bots and everyone but the determined users".
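An added example, not written by any commenter: a sketch of the tiered policy listed in the comment above (block listed ASNs, a base request limit, a higher limit for a valid login cookie, a stricter limit for selected countries, and a challenge only once a limit is exceeded). The limits, the ASN and country sets, the key and the HMAC-signed cookie format are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"   # placeholder key for the example only
BLOCKED_ASNS = {64496}             # constructed; ASN from the documentation range
STRICT_COUNTRIES = {"XX"}          # placeholder country code
LIMITS = {"anonymous": 10, "strict": 5, "logged_in": 60}  # requests per window
WINDOW_SECONDS = 60


def sign_session(user_id):
    """Issue a cookie value of the assumed form '<user>.<hex HMAC-SHA256>'."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def session_user(cookie):
    """Return the user id if the cookie carries a valid MAC, else None."""
    if not cookie or "." not in cookie:
        return None
    user_id, mac = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return user_id if ok else None


class TieredLimiter:
    """Sliding-window counter keyed by user (if logged in) or by source IP."""

    def __init__(self):
        self.hits = defaultdict(deque)

    def decide(self, now, ip, asn, country, cookie=None):
        if asn in BLOCKED_ASNS:
            return "block"
        user = session_user(cookie)
        if user:
            key, tier = f"user:{user}", "logged_in"
        elif country in STRICT_COUNTRIES:
            key, tier = f"ip:{ip}", "strict"
        else:
            key, tier = f"ip:{ip}", "anonymous"
        window = self.hits[key]
        # Drop requests that have aged out of the window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= LIMITS[tier]:
            return "challenge"   # captcha only after the limit is exceeded
        window.append(now)
        return "allow"


if __name__ == "__main__":
    limiter = TieredLimiter()
    cookie = sign_session("alice")
    for t in range(12):
        anon = limiter.decide(t, "203.0.113.7", 64500, "DE")
        member = limiter.decide(t, "203.0.113.8", 64500, "DE", cookie)
        print(t, "anonymous:", anon, "logged in:", member)
```

A cookie with an invalid MAC falls back to the anonymous tier, so forging one does not raise the limit.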
Fwiw, Cloudflare does do a multivariate confidence check which is why it has multiple tiers: no captcha, a one-click captcha, the annoying puzzle captcha once, the annoying puzzle captcha six times in a row.
> I'm a user, I'm logged in, I've posted before, I'm in good standing, yet when I go there, I need to solve a captcha.
Though consider the fact that taking over someone's account shouldn't give you (a spammer) unlimited access either. The spambots you see on Twitter are mostly cred-stuffed accounts. It's a hard problem. Existing accounts are more dangerous than fresh accounts.
Imo, "write your own password" should be a thing of the past. Services should just auto-gen a password or there should be a way to require the OS (like a password manager) to generate one to avoid cred-stuffing. We're letting down the average person by making them come up with unique passwords for every service instead of just helping them. Though I'm way off topic.
> Though consider the fact that taking over someone's account shouldn't give you (a spammer) unlimited access either.
But it's not unlimited access -- it's _read_ access at that point. This is just when trying to access the forums at all, not when trying to post a message.
And if they were worried about evildoers scraping all the data from their forums, they could rate-limit and then require captchas (their WAF settings make that trivial). But they don't, or the rate limiting is so generous that I've never hit it, and their forums are not that active, so I don't think that's the reason.
Adding more protection to an endpoint where users send posts makes some sense, but for reading? On their dashboard you need to solve the captcha on the login-form. On the forums, you cannot even get to the login (which works via the dashboard, where you'll solve a captcha again) until you've solved the captcha.
I use and like CF's products a lot (I'm a paying customer, I'm not even looking for free support on the forums, but their docs are lacking a lot of information that I'm interested in), so I don't believe in "we're incompetent", keeping the resource-investment low by filtering out bots and a chunk of users makes a lot more sense.
> Fwiw, Cloudflare does do a multivariate confidence check which is why it has multiple tiers: no captcha, a one-click captcha, the annoying puzzle captcha once, the annoying puzzle captcha six times in a row.
That's not correct, Cloudflare challenge pages / Turnstile will never show you a puzzle.
Most developers I've met were actually similarly lazy... we just use Chrome on Mac, and don't really want to deal with VPNs unless our employers force us to. The last few Firefox holdouts also switched after running into various WebGL/Canvas/etc issues. The same attitude that leads us to focus on "happy path" users and ignore edge cases often also causes us to sheeple into that same basic dev group. Long gone are the days where most devs custom build Linux boxen from scratch and compile custom kernels to our liking...
Anyway, I know the "Cloudflare's monopoly gating is killing web openness!" meme is common online, especially on HN, but in real life I've never actually heard anyone else complain about it (either a fellow dev or a customer or a manager). Instead, it's been universal praise for the actual issues Cloudflare exists to solve (CDN, bot protection, serverless, etc)... they are a godsend for small businesses that otherwise get immediately flooded by spam requests, especially from China, Russia, and India.
And if you think Cloudflare is bad, it was even worse before they became dominant, with terrible services like Incapsula/Imperva charging way more but providing both worse bot protection AND more false positives, or the really hard early reCAPTCHAs (that Cloudflare was largely able to replace, for users who DO fit within the "norm"). That, or you'd have to fight every random sysadmin with their own lazy rules, like firewall rules that blacklisted entire regional ISPs and took weeks or months to resolve, if they ever even checked their emails.
As inconvenient as Cloudflare is for users who take privacy seriously and try to be less trackable, for the other 90% of us who don't care as much and easily fit into their "norm" model, it's much nicer than what came before. Site downtime and slowness are also much less common now, in no small part because of their easy CDN and caching.
From the implementation side, I've set up a few Cloudflare accounts in my career, but do take the time to try to configure it to balance security vs accessibility for any given target audience. Sometimes we'd block entire countries, other times we'd minimize security to ensure maximum reach, but usually we'd customize rulesets in the middle for any given company & audience. I never got a complaint about it (our emails were still available and not blocked).
This was always a direct response to some business need, usually spambots or DDoS attempts that fail2ban etc. couldn't catch well enough. For the business, it was usually a "shit, our website is down again, what is it this time", and the choice between "for free or $20 we can get it back up again and not have this issue anymore" or "we can spend thousands of dollars and weeks of labor building our own security solution" is pretty easy. "What about that one guy who is proxied behind TOR and three VPNs with a random user agent using a text-only browser he wrote himself?" never really factors into that process =/ There's just not enough users like that out in the wild vs the very real constant threat of bots and malware.
It's a shitty situation that the web is like this today, and I wish it weren't the case, but it really is an arms race, and these imperfect weapons are just what most of us have access to...
That is not an excuse to give in to Cloudflare's agenda of centralizing everything. Bad things have happened, are happening and will continue to happen if one entity has this much control over the internet traffic.
Maybe in your country, but tons of countries outside of the US (first world) avoid Macs like the plague and just use Linux/Windows as building machines.
But you are right on Google/Cloudflare, they are the poison of the web.
If I have a process that works for 95% of the people, why should I care about outliers who use Linux behind a VPN on a heavily customized version of Firefox?
Maybe you should try to care about something other than just your bottom line. I'm sorry if this sounds mean, but this attitude just turns the web into a giant monoculture because you can't be bothered to care. It actually ends up hurting everybody in the long run. Look how long we were trapped with IE6. Amazing how people forget history so quickly.
Everyone has limited resources. As a for profit company, the focus has to be on your bottom line. How many resources should a company use for some obscure corner case when the user can make changes?
Of course accessibility is important - i.e. screen reader compatibility.
A typical testing matrix in the US would be
- Safari for iOS
- Chrome for desktop and Android
- maybe Safari for desktop or you just tell Mac users to use Chrome
- Firefox if you have the time. But if not, no big deal.
We are definitely not going to test for a highly customized Firefox on Linux running over a VPN.
By that logic, why care about accommodating anyone with a disability? Your site works for 95% of people, why care about those who need to use screen readers?
And before you say "that's their choice," you're the one who is breaking the functionality. Nothing about using a VPN or Linux or Firefox creates any problem for TCP/IP or https.
One because it’s the law and two because the disabled can’t just make a choice and install Chrome.
However, while the site creator does have to meet the disabled halfway, the disabled person is responsible for having whatever type of equipment they need to make it work - i.e. screenreaders.
If your website is full of divs generated by JS that are full of aria tags that make no sense, those tools don't have a chance. Most websites act this way as well. Even Facebook used to lock people out of their messages if you couldn't use a mouse, at least in the last time I checked (infinite feed + no way to skip feed via tab -> can't reach right panel).
Just do your job right. Not saying you should test some unique Firefox config but at least the default version is to be tested.
Hell, I've seen people here indicating that they just tell desktop Mac users to "install Chrome". Such carelessness is bad for business. Web development sure could raise its bar.
Because they are standards compliant and you aren't, and you are legally required to provide an unsubscribe service or whatever without undue barriers around it.
But if I am using standards and they have an ad blocker that blocks some of the functioning of my site, am I also required to test my site against that?
I'd include _everything_ important in the "yes" category. If I cannot access the customer panel to update settings or notify them of a bug that is affecting me because I'm using Firefox ("works for 95% of users"), they're just not keeping up their end of the contract.
Remember, 95% excludes everything but chromium/webkit-engines.
Every SaaS company I’ve worked for has had a compatibility matrix where we say what we support. If we lost customers who were running a highly customized Firefox on Linux, so be it.
Every company decides which customers are worth going after.
And I'd include that as well: if your server rejects emails because of your spam-decisions, you can't claim "we've never received that email". Either you don't use email for any legally-binding communication ever, or spam-filtering is a you-problem, not an everyone-else-problem.
It's not surprising that the strongest protections always happen on the unsubscribe links, but not on the subscribe-links. That just needs to be fined out of existence, just like "you can order with one click, but you need 50 clicks and a three-hour-conversation to cancel".
I don’t understand the “automatic” here - yes, reputation takes time to build, but if you run your own mail server with SPF/DKIM/DMARC set up correctly why is the default posture “block it” before there’s any reputation?
Just like other cases, I won’t accept that it’s “just lazy” on the part of big tech companies. They clearly know how to adjust their internal view/reputation of a domain once it starts being used for “misbehaviour” and spam such that they start blocking it.
Thus they could clearly start by not doing so - and, maybe, they’re “really touchy” about domains with no initial “internal score” such that if a new domain pops up and starts spamming people they catch it fast. It's not necessary to break open Internet protocols, though, unless they want the breakage.
It'll be interesting to see what happens if someone takes that argument to court.
One side of the argument is that Cloudflare places an undue burden. The other side of the argument is that without the CF protections, the service provider doesn't even have reason to believe the request is coming from a human being the law protects.
> If you look like a bot, how are they going to distinguish?
Some non-existent system of attesting that I'm person X (possibly through an e-ID card) who has issued a client certificate Y (cert chain, using my e-ID cert to sign) to be used with my device Z (presumably with a device fingerprint or IP range attached to the cert). Of course, this would mean no privacy, but that's not that different from being signed in through Google as an identity provider, we'd just shift the mechanism to be universal (like client certs already are). One of the options that would take more coordination than will probably happen (though very similar to some e-signature solutions in EU, which we already use) but I could see using something like that for a variety of professional/service sites, since signing in with the e-ID card directly is already a thing on some sites here (government sites, banking sites, utilities sites).
Okay. Do that globally. And solve the ddos problem as you’re on it. If you add transparent tls termination, edge, caching, dns… maybe I’ll have a look!
I had a guy like that working with me. Blocked every possible tracker, disabled javascript, used some niche browser, proton mail, and then complains that google doesn’t allow him to sign in. I get it, privacy and what not. But the guy was an outlier.
Some random blogs, product pages aren’t gov, most likely have no way to opt-in for gov eID (maybe they aren’t based in the EU), and they only care that their service is available fast globally and that they get ddos protection for free (plus some other convenience features).
We already do a simpler version of that with TLS and HTTPS, there are globally trusted root certs that ship with most OSes and browsers. It's just that we haven't extended the same approach to client certs and identity verification, instead having a bunch of walled gardens and governments running legacy methods of figuring out who someone is, as opposed to various eID mechanisms.
If I trust news.ycombinator.com because I trust ISRG Root X1, I might similarly trust John Doe's iPhone because I trust the government of France's CA, as a hypothetical, as long as the certification chain is valid there.
It's a problem that's technically solvable (say, in 20-50 years), but won't get done because good luck getting a bunch of governments to collaborate on that across the world. It's actually a surprise that we have TLS in the first place.
> If I trust news.ycombinator.com because I trust ISRG Root X1, I might similarly trust John Doe's iPhone because I trust the government of France's CA, as a hypothetical, as long as the certification chain is valid there.
There are a whole ton of privacy problems with this. I am happy to demonstrate anonymously that I am not a bot, but a random blogger does not need to know that I am John Doe, a citizen of France with national ID number 12345678.
We cannot get them to agree on cookie banners and you’re talking about something much more complicated.
Hey, by the way, would you trust some Chinese or Russian root certificate?
The question is irrelevant, frankly. Consider this: you’re living in Germany today. You trust the German government. They handle all your logins using that eID. What if in February AfD comes to power? Do you still trust the German government? Governments are formed by people. Different people have different interests.
> We cannot get them to agree on cookie banners and you’re talking about something much more complicated.
Another good example of something that’s technically feasible and not that complex, but was made infeasible due to either ignorance or malice, with all of the dark UI patterns and scummy behaviour.
> Hey, by the way, would you trust some Chinese or Russian root certificate?
If there’d be an issue of not wanting to support a certain country, then removing such a group of CAs from a store would be trivial for a particular service, same as with the above.
Plus, the opposite is also viable, if for example the Russian govt. wanted to allow anyone to verify whether particular requests come from their citizens, they might also run their own CA akin to https://www.bleepingcomputer.com/news/security/russia-create... except that the attack vector would change from MitM to fake identities being issued by them as needed (but since the server is the one doing the verification, it might as well drop the CA when desired).
> What if in February AfD comes to power?
Revoking the eID and anything dependent on it would be akin to your passport being taken away.
Essentially the modern day digital equivalent of getting your Google account banned by some bot, if you use that account for auth in a bunch of places.
Fundamentally, that’s no different from the reality that we already face - my regular eID could also be taken away if my own government felt like it, same as with my bank account and other assets.
Client certs themselves are nothing new, same for PKI. It’s a cool technology that could but presently cannot solve the problem of client identity globally, because we just can’t have nice things and order.
> Revoking the eID and anything dependent on it would be akin to your passport being taken away.
Is it? If my eID is used for logging in to my bank and said eID is revoked, I can no longer log in to my bank account. That’s completely different than a locked up passport.
> Essentially the modern day digital equivalent of getting your Google account banned by some bot, if you use that account for auth in a bunch of places.
Use a custom domain, don’t make your kingdom dependent on the gmail.com address.
I don’t know, for me the perfect amount of government oversight is “as little as possible”. There’s zero need for the government to mediate between me and my bank, or some random service provider on the internet.
What you’re describing sounds like a fun technical challenge assuming a perfect world. For example: who decides which countries’ certificates should be revoked? Who decides who is the rogue one? Even that is stretching it too far. Can I simply download a browser without some selected certificates? If the technology is so great, why isn’t it widely adopted today?
Those are all rhetorical questions. You don’t have to explain PKI to me.
Pretty much the same failure mode, just with different immediacy. No more travel, no more ability to start using new banking services, no more proving identity for becoming employed, pretty much anything that needs you to provide valid governmental ID (ID card or passport) and doesn't accept alternatives.
On the opposite end of that, both those services might accept something like a driver's license and the banking service might allow you to log in with their app, or a similar identity provider as a backup.
> There’s zero need for the government to mediate between me and my bank, or some random service provider on the internet.
Who else should we depend upon for verifying the identity of someone? Because currently it's a hodgepodge, especially when some places treat the equivalent of an SSN as a secret or have other half baked mechanisms, whereas in actuality it's a problem that's been solved far better, the same way how e-signatures work here when a single competent authority implements them well (certs on the e-ID card, you choose what to sign, but there's both data integrity and non-repudiation, a service that everyone integrates with and it is basically treated as a commonplace utility).
> What you’re describing sounds like a fun technical challenge assuming a perfect world. ...
A non-citizen living in Germany without the German eID because they’re not a citizen. Their country of origin doesn’t have any of that. I guess they don’t exist in that setup? Seems like a steep hill to climb on to solve some random login with captcha problem.
Binding login interaction to some government issued id…who’s entitled here.
Sounds like throwing a baby out with the bathwater.
Yeah, this is at least being discussed now for eID. Getting it to a point where it is actually usable for everyone and trusted by everyone will not be easy though. But even in the best case, this would cover maybe 5-10% of internet users in 5 years. What do you do with the other 90%?
ChatGPT has been painful, especially at login, for me for months. Had to move to alternatives as a result and cancel my sub. I want to come back though!
This exact career is that of the protagonist in Evil, my wife's and my favorite show. The show is led by a Catholic priest and an atheist psychiatrist (possibly a -gist in the show) tasked with investigating demon possessions.
Highly recommend it. It is written by a married couple, one Catholic and one atheist. It takes the supernatural seriously without getting hokey or dismissive.
Slightly off-topic: has PayPal become unusable in the browser for anyone else? When using Firefox, no VPN, no ad blocking, I get some nondescript error that bounces me from the login screen. My IP must be on some list, but it is really annoying.
Edit: The status page and home page were down for me for about 15 minutes (checked on multiple devices and networks). Now they load about half of the time, but are very slow. Might be a load issue in this region of their CDN or something. My hosted services are fine, as far as I can tell.
> Framework-like upgradability / repairability / modularity
> Support for GrapheneOS
> Sold in USA