Potential downtime this weekend (2 Sept - 5 Sept)

[denise]

Beginning this weekend (2 Sept - 5 Sept), users may experience short periods of site slowdowns or difficulty accessing the site. If you do have access issues, they shouldn't last long for you in particular, but the length of time where access issues are possible should last for about a week or so. We wanted to warn you in advance. You may not notice anything, or the site may be down, slow, or unreachable for you for brief periods. The exact length of downtime, and the total potential downtime window, will depend on your internet provider's settings.

This downtime is necessary to move our domain nameservice, our content delivery network (CDN) services, and our denial-of-service protection services away from Cloudflare, our current provider of those services. We've been discussing migrating away from Cloudflare recently due to their refusal to deny services to sites that endanger people's offline security and incite and target people for offline harassment and physical violence. That conversation became more urgent yesterday when, in a blog post about the campaign to encourage Cloudflare to behave more responsibly regarding the types of sites they enable to remain on the internet, Cloudflare's CEO revealed that they regret past enforcement actions where they closed the accounts of sites containing child sexual abuse material and sites that advocate for white supremacist terrorism.

We do not believe we can ethically continue to retain the services of a company that could write that blog post. As those of you who've been with us for a while know, our guiding principles involve supporting our users' expression to the maximum extent possible, and we reaffirm our commitment to protecting as much of your content that's unpopular but legal under US law as we can. However, we also believe it's more vital, not less, for a company with such free-speech maximalist views to have clear, concrete, and well-enforced policies regarding content that does cross their lines, including refusing to provide services to sites that actively incite and manufacture threats to people's physical safety, contain child sex abuse material, or advocate or instruct people how to conduct terrorism. That Cloudflare refuses to refuse services to those types of sites, and has expressed regret about the instances in the past where they have refused services to those types of sites, means we feel we can no longer ethically retain their services.

Things may be slightly bumpy for a bit as we make the transition and work to find the best replacements for the services we've been relying on Cloudflare to provide. We're very sorry for any slowdowns or downtime that may happen over the next week and a half or so, and we hope you'll bear with us as we make the move.

[EDIT: Because there are many of you and one of me, please check the comments before replying to see whether your issue has been addressed! Also, in accordance with the official DW community comment guidelines, please refrain from personal attacks, insults, slurs, generalizations about a group of people due to race/nationality/religion, and comments that are posted only to mock other commenters: all of those will be screened.]

[EDIT 7:12pm EDT: Because the temperature of many comments is frustratingly high, people don't seem to be reading previous replies before commenting as requested, and some people are just spoiling for a fight, I'm screening all comments to this entry by default while I can't be directly in front of the computer for the remainder of the day. We'll unscreen comments intermittently for the rest of the night as we have time, and I'll systematically unscreen all good-faith comments that don't contain personal attacks, insults, slurs, generalizations about a group of people due to race/nationality/religion, and comments that are posted only to mock other commenters when I return.]

[Edit 9/2 6:05pm EDT: having left comment screening on overnight, and seeing the percentage of abusive, bad-faith, or detached-from-reality comments, comment screening will remain on for this entry indefinitely. I'll keep an eye on it for another day or two and unscreen what needs to be unscreened, but probably not longer after that.]

Comments

[igenlode]

My beef with Cloudflare is simply that I'm starting to encounter increasing numbers of sites where Cloudflare have erected a security wall which prevents my viewing the contents at all -- I can no longer read any of the stories on fanfiction.net, for example. I can understand the possible need to check security before users can *submit* data (although amateur fiction is hardly the stuff of gold-dust), but what kind of security checks are involved in viewing free content on fanfiction or historical journal sites?

[dewline]

That is...disturbing in its own ways. Certainly worthy of some investigation.

[shadowspar]

If you lock down your browser privacy/security settings enough, Cloudflare's DDoS protection seems to think you're a bot, and won't let you into the site you're trying to visit. Here's one example from the Firefox bug tracker; I'm sure there must be more.

[lilacsigil]

I'm having the same issues with them. Sometimes a long delay then access, sometimes a long delay then no access. I have no idea why, and it's always Cloudflare.

[vass]

Would you by any chance be using a VPN? Wondering if what they're blocking is the IP numbers of known VPNs.

[denise]

It's not "IPs of known VPNs" so much as "IPs and IP blocks they've seen suspicious/abusive traffic from". It's really common for people to use a VPN for their spamming/DDoS, so if your VPN provider isn't good at weeding them out, their addresses get a terrible reputation.

[meinterrupted]

I regularly browse the internet with a (popular commercial) VPN, and the amount of static I get from Cloudflare for just doing that is incredible. DW has actually been one of the worst offenders in that way; its CF protection really doesn't like me expanding comment threads while on VPN. And I know the developer of FanFicFare has had to implement workarounds for fanfiction.net specifically because of their Cloudflare protection.

However, it's better than the one random hardware online store that won't even connect when I'm on my VPN. It doesn't even show a blank or error page, it just continually times out.

[denise]

Yeah, unfortunately if VPN providers are hosted in the same datacenters or the same IP ranges as people run their spambots and DDoS clients from, it's difficult to identify as legitimate use. A lot of VPN providers are hosting the spambots and DDoS clients, too; your provider may be one of them. I would let them know that their IPs are getting flagged by DDoS protection services and ask them to take a closer look at the type of traffic they're proxying in case it's one of their clients misbehaving.

[denise]

Unfortunately, Cloudflare (and other DDoS prevention services) work on a reputational basis: if they see a lot of bad traffic coming from a specific IP or IP range, that IP has to complete a range of security checks before loading a site that has its DDoS protection turned on. A lot of spam and DDoS bots use VPN services, so unless your VPN provider is vigorous about removing them, you probably keep getting issued IP addresses that are flagged as abusive because the person who had it before you was doing abusive things with it. You may want to contact your VPN provider and let them know it's happening, because it usually means they're not being proactive enough about abuse on their network. Or it could be the browser settings problem shadowspar mentioned! But if it happens in multiple browsers, it's probably the IP reputation.

It's the same reason a lot of Tor exit nodes get blocked everywhere: the people who are using the services for legitimate privacy/security purposes often get drowned out by the people who are using the services for abusive purposes, and once the percentage of people using a service for abusive purposes gets high enough, sites have to block the entire service even though it collaterally blocks people using the service for privacy/security purposes. We try to keep our protection settings turned down as far as possible to avoid catching as much legitimate use as possible, but we get a lot of abusive traffic, so sometimes we need to be indiscriminate.