The real frustrating part is that Cloudflare's "definition" of suspicious keeps changing and expanding. VPN users, privacy-first browsers, uncommon IP ranges, they all get flagged. The people most likely to get caught by these systems are exactly the ones who care most about their privacy, and not the bots that they are apparently targeting.

I recently had the insane experience of filling out 15 consecutive captchas, after, I had checked out and entered my payment information into the payment processor widget. I just wanted to submit the order. I was logged in to their website, and the bank even needed a one time code for payment. If the bank is pretty sure I am human then your ecomm site can figure it out surely.

Heaven forbid you not use JavaScript, then they can't <s>track you</s> keep the internet safe!

Surprising really, because I'm a Firefox + Ublock Origin die hard and I never get Cloudflare captchas. Wonder what the difference is? I have CGNAT turned off, if that matters at all (probably not).

Maybe check your network isn't sending web traffic you're not aware of?

I'm running firefox and seeing the normal amount.

I use firefox daily and I don't encounter the problems you describe, might be worth looking if there's some other issue.

That's not Cloudflare trying to make your life hard.

It's the reality of how bad the bots have become.

I'm with a slightly older Firefox and can't use many websites at all anymore because the Cloudflare cancer.

Of course then you got sites like gnu.org too that block you because your slightly outdated user agent.

Is that because botnets spoof being Firefox? It's not really fair to blame Cloudflare it is. That's on the bots.

I’ve been getting it in safari too. It’s ridiculous frankly. My residential ip must have been flagged or something. The part that’s really annoying is its trivial for bots to bypass.

trying using firefox and then using a cellphone network for internet. sometimes i can't access a site, because i get infinite captcha. i know what a damn bus, stairwell, stop light or motorcycle looks like.

At times I'm completely locked out of a website and Cloudflare asks me to email the website owner to get the issue resolved.

.. how do they expect me to find the website owner's email if I can't access said website?

sometimes when there is mafia you get no option but pay pizzo

hence i am just using cloudflare remote browser rendering.

Is anyone talking about the fact that this is a fundamental design flaw of the web? Or arguably even the entire Internet?

These days I just close sites that show that "checking if you're a bot" shit. If this is how the web is going to be now, I don't care, I'll just not use it. I didn't need to see that article or post that badly anyways. I'm tired of paying the price for the sociopathic, greedy actions of others. It's especially bad for anyone who uses an open source OS like Linux or *BSD (to the extent many sites just block me automatically with a 403 Forbidden simply for using OpenBSD + Firefox, completely free pass if I try the same site from a Windows or Linux computer).

Exactly. For the most part all this bot protection is only protecting these websites against humans.

I don't do free work. I'm not going to label 50 images of crosswalks and motorcycles for free.

[flagged]

Well, that's for the public internet.

I'm building Safebox and Safecloud, where this won't be the case anymore. Not only will you have a decentralized hosting network that can sideload resources (e.g. via a browser extension that looks at your "integrity" attribute on websites) but also the websites will require you to be logged in with a HMAC-signed session ID (which means they don't need to do any I/O to reject your requests, and can do so quickly)... so the whole thing comes down to having a logged in account.

https://github.com/Safebots/Safecloud

As far as server-to-server requests, they'll be coming from a growing network of cryptographically attested TPMs (Nitro in AWS, also available in GCP, IBM, Azure, Oracle etc.) so they'll just reject based on attestations also.

In short... the cryptographically attested web of trust will mean you won't need cloudflare. What you will need, however, to prevent sybil attacks, is age verification of accounts (e.g. Telegram ID is a proxy for that if you use Telegram for authentication).