Cloudflare's CDN capabilities are separate from DDOS protection and indeed many requests cannot be cached due to the resources being sensitive (i.e. authenticated requests.)
Again, there are many forms of proxies and DDOS protection that do not rely on TLS interception, just as there are cars that do not rely on gasoline. Cloudflare has many less technical home users who use their service to avoid sharing their IP online, avoid DDOS, or access home resources. I do not think the average Internet user is familiar with these concepts. There are many examples of surprised users on subreddits like /r/homelab.
how would they know what to cache? the response headers from the server are encrypted. there is maybe the high end l3 protection available if you have the resources. the free tier has caching bundled.
Also, how would their certificates work if they don’t see content?
Sorry, they did not go much out of their way, to simply claim “solutions exist”. Sure, you could invent other ways of protecting your traffic but what CF offers in the free tier always includes SSL termination with their own certificates (if you enable ssl), and always includes caching.
Just turning off some features gets them just about there. It wouldn't take rearchitecting things. Those features being bundled by default means very little for the difficulty.
So you too, are saying “its possible” as proof of your argument.
Which itself shifted from complaining that you aren’t warned that coffee is hot, to - after implicitly agreeing that it should be obvious it’s hot - complaining that it they didn’t have to make it as hot.
Great! Offer an alternative! Everyone would be more than happy.
Not that it's "possible", that it requires them to add nothing new.
That is a much much easier to reach bar.
It's like if a restaurant sells cheeseburgers, and I want a hamburger. "How do they figure out ~~what~to~cache~~ the cheese to ketchup ratio without adding cheese?" They can just skip that part. I'm not asking for sushi and supporting that by saying "sushi is possible".
So you agree that your argument has shifted from complaining about inadequate disclosure that coffee contains caffeine, to complaints about lack of decaf offerings.
It would also be trivial for google and facebook to turn off all ads and logging of your activity. They would need to do strictly less than they do now. It would benefit all users too!
In CF case they would have to build a completely different infrastructure to detect bots using different technology to what they have now, including different ways around false positives for legitimate users. While perhaps nothing new in the sense that you claim “this is possible”, i see no one else offering this mythical “possible” product.
I would be the first in line to your offering of free cheeseless hamburgers. Where do i sign up?
> So you agree that your argument has shifted from complaining about inadequate disclosure that coffee contains caffeine, to complaints about lack of decaf offerings.
My argument has never shifted.
But the reason the argument shifted was because someone specifically asked about how you'd do DDoS protection without those downsides.
And you continued asking how it could be done.
> It would also be trivial for google and facebook to turn off all ads and logging of your activity. They would need to do strictly less than they do now. It would benefit all users too!
Isn't cloudflare supposedly not tracking private information in the websites they proxy...? If you think they make money off it, that's pretty bad...
> In CF case they would have to build a completely different infrastructure to detect bots using different technology to what they have now, including different ways around false positives for legitimate users.
I disagree.
> I would be the first in line to your offering of free cheeseless hamburgers. Where do i sign up?
First you need to put me into a situation where my business can compete with cloudflare while doing exactly the same things they do. Then I will be happy to comply with that request.
The hard part of this situation is not the effect of that tiny change on profitability, it's getting into a position where I can make that change.
> Isn't cloudflare supposedly not tracking private information in the websites they proxy...?
They are at the very least tracking the users and using that tracking as part of the heuristics they use in their product.
Whether they sell the data for marketing, i don’t know, hopefully not but conceivably, yes.
To which,
> I disagree.
Yes, we’ve established that you disagree and explicitly claim “it’s possible to offer ddos protection without mitm”
and now further that “dropping the extra feature of caching” would not adversely affect their technology or their business”
Great, claims though entirely unsupported and in the latter case obviously false if you know anything about how it works.
In particular, they would need to sponsor the free accounts via much poorer economies of scale due to not being able to cache anything, and would not help at all with a “legitimate ddos” such as being on the front page here
> They are at the very least tracking the users and using that tracking as part of the heuristics they use in their product.
They can do that without seeing the proxied contents. So your analogy to asking facebook or google to stop ads and tracking is completely broken.
> and now further that “dropping the extra feature of caching” would not adversely affect their technology or their business”
Yes. (Well, it was stated much earlier but I guess you didn't notice until now?) You're the one saying it would be a problem, do you have anything to back that up?
> in the latter case obviously false if you know anything about how it works.
Caching costs a bunch of resources and still uses lots of bandwidth, what's so obvious about it? And cloudflare users can already cache-bust at will, so it's not exactly something they're worried about.
It is sad that in this day and age, when you buy a car you need to sign a legal exclaimer that you understand it requires gasoline to run.