> Solving this in a way that doesn't block tons of regular users [...] is precisely where nearly all of Cloudflare's $15B market cap comes from.
It's not a binary solution. Cloudflare very much does block tons of regular users, which is where all the hate is coming from in this thread. If the solution is in the domain of "a bag or squishy heuristics" it's going to be somewhat inaccurate, so then the only question is tuning... how many false positives are acceptable, which depending on the area could be anything from "how many can you get away with" to ">0 hurts our bottom line".
To reframe the problem in the latter, consider "The optimal amount of fraud is non-zero" [0]. Where it's understood the cost of inconvenience to customers ultimately will also hurt the business's bottom line. So instead the balance is very much in the favour of the customer, to make sure the wheels stay greased businesses eat the vast majority of the fraud where they could employ stricter but slower methods to verify funds etc.
There is this cost benefit balance in many things. Some things naturally balance themselves, especially when the ultimate bottom line is monetary... others not so much.
I suppose the problem with serving requests is twofold: firstly it's not necessarily a business, and even if it is, an individual visor represent a very tiny peace of the pie over their entire life. Second, bandwidth is paid for twice, by both the visitor and the provider... It could be argued this whole problem wouldn't exist if it weren't for the latter. At most DDoS problem may still exist. Either way the ultimate cost is to fairness, people are discriminated arbitrarily. It also depends on awareness of the site owner, if they care about fairness and know the cost of using cloudflare is potentially unfair to visitors, they may not bother... unfortunately I think most site owners don't realise how many false positives there are, and I'm not even sure Cloudflare does, I mean how would they, you get blocked enough you just give in and close the page, and they think they did a good job it's a negative feedback loop.
Well, that applies the other way around as well. How many false positives can the Austrian authorities accept when it comes to blocking illegal web sites? After all, those sites are obviously using a provider that also hosts illegal sites.
It's not a binary solution. Cloudflare very much does block tons of regular users, which is where all the hate is coming from in this thread. If the solution is in the domain of "a bag or squishy heuristics" it's going to be somewhat inaccurate, so then the only question is tuning... how many false positives are acceptable, which depending on the area could be anything from "how many can you get away with" to ">0 hurts our bottom line".
To reframe the problem in the latter, consider "The optimal amount of fraud is non-zero" [0]. Where it's understood the cost of inconvenience to customers ultimately will also hurt the business's bottom line. So instead the balance is very much in the favour of the customer, to make sure the wheels stay greased businesses eat the vast majority of the fraud where they could employ stricter but slower methods to verify funds etc.
There is this cost benefit balance in many things. Some things naturally balance themselves, especially when the ultimate bottom line is monetary... others not so much.
I suppose the problem with serving requests is twofold: firstly it's not necessarily a business, and even if it is, an individual visor represent a very tiny peace of the pie over their entire life. Second, bandwidth is paid for twice, by both the visitor and the provider... It could be argued this whole problem wouldn't exist if it weren't for the latter. At most DDoS problem may still exist. Either way the ultimate cost is to fairness, people are discriminated arbitrarily. It also depends on awareness of the site owner, if they care about fairness and know the cost of using cloudflare is potentially unfair to visitors, they may not bother... unfortunately I think most site owners don't realise how many false positives there are, and I'm not even sure Cloudflare does, I mean how would they, you get blocked enough you just give in and close the page, and they think they did a good job it's a negative feedback loop.
[0] https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...