Recently, I have began facing several issues with Cloudflare’s systems that need to be fixed and/or changed that make it impractical to use Cloudflare to protect many sites.
First of all is the hypocritical and obviously intentional blacklisting of several VPNs from Cloudflare’s own community page as well as blocking access from many Cloudflare protected sites. It should be obvious that many people now use VPN services for online security and forcing people to disable it is a massive red flag. I guess that shouldn’t be surprising though considering Cloudflare’s “WARP” has a similar concept but collects your online information anyways.
My second issue is with their new “Turnstile” system, which although they say is in beta, is promoted like a finished product and, when not functional, still causes major issues to websites. Cloudflare likes to boast about their concept of saving people time by not having captchas, but maybe that should be reconsidered considering the several issues that introduces. Looking into the systems, the only real difference between it and a system like reCAPTCHA v3 is that Google’s will stay out of the way, save the user more time since they don’t need to click an additional check, and has a failsafe if the user is deemed untrustworthy. Can you guess what happens if you fail Cloudflare’s captcha? Nothing. You simply can’t continue what you were doing because Cloudflare deems you a robot. Having no way to verify if you fail means that sites will simply loose potential users and customers all because it was so important to not have a 20 second puzzle.
Relating to issues, judging a user’s authenticity based off of their OS and browser doesn’t add much meaningful security, it just makes the bad guys spoof their information and causes regular people to leave the site or waste time getting extensions to spoof their browser. It’s not like this issue is very uncommon either considering there have been several reports from people using iOS, Brave browser, and Raspberry PI systems.