I was trying to work out why it is that when I receive a notification and I click “view context” nothing happens if the msg came from lemmy.world. The screen blinks for a second but gives no prior posts. Well after digging into this, I see that #lemmyWorld has just recently joined the exclusive #walledGarden of Cloudflare.

I think I don’t want users of Cloudflared instances to see my posts because it invites broken interactions. Is there any way to block CF instances at the individual account level?

  • nachtigall@feddit.de
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    The problem with “view context” comes from the recent update and affects all instances using version 0.18.3.

    • diyrebel@lemmy.dbzer0.comOP
      link
      fedilink
      arrow-up
      3
      arrow-down
      3
      ·
      edit-2
      1 year ago

      Ah, thanks for the info. But note that there are two “show context” buttons. In principle, if I am on a broken version I should be able to visit the parent on the originating node & possibly side-step the bug. But in this case the other node blocks me (Cloudflare).

      Also note that I would still like a way to block CF instances. I’m in the #threadiverse to participate in the free world & prefer not to feed centralized walled gardens from which I am a refugee. Oppressors should not be able to thrive in the #fedi.

      #LemmyWorld is centralized in 2 ways:

      • Cloudflare
      • disproportionate user population
      • nachtigall@feddit.de
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        But note that there are two “show context” buttons. In principle, if I am on a broken version I should be able to visit the parent on the originating node & possibly side-step the bug.

        I am not sure if I can follow you but this bug affects both “show context” and “show parent” button on broken instances.

        Also note that I would still like a way to block CF instances

        I am afraid that such a measure would only be possible for admins by blocking traffic for domains that resolve to/IP ranges operated by Cloudflare.

        • diyrebel@lemmy.dbzer0.comOP
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          1 year ago

          I am not sure if I can follow you but this bug affects both “show context” and “show parent” button on broken instances.

          There is a chain link icon and a fedi icon, both of which have “show context” as mouseover text. The difference is that the chain link shows the local copy, and the fedi icon links to the source node (in the case of your msg, feddit.de). Being able to view it on the originating node also means using the web client of that other node.

          • nachtigall@feddit.de
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            Oh I see. So you accessed a comment on lemmy.world via the fedi icon and the Cloudflare proxy blocked you. Are you using Tor or a VPN? Because that never happened to me without either ^^

            • diyrebel@lemmy.dbzer0.comOP
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              1 year ago

              It’s complicated. I first used the chain link which is purely internal. This expands the msg and offers the “show context” option which gives nothing (due to the bug). Then I try the fedi icon and nothing happens at all… no expansion or anything. But I can see that the button is sensitive because it flashed as I clicked it. So then I forcefully copied that external link into a new tab in Tor Browser and it just shoots a blank. No text at all. Then I copied that same Lemmy World link into ungoogled chromium running over tor, which shows #LemmyWorld’s blockade I screencapped.

              Note that ungoogled chromium has experimental value and reveals the problem (Cloudflare), but all versions of #Lemmy I have encountered have always been wholly broken in ungoogled chromium. Lemmy forces the use of Firefox-based browsers (and last time i checked Lemmy is quite useless in text browsers as well).

              • nachtigall@feddit.de
                link
                fedilink
                English
                arrow-up
                3
                ·
                1 year ago

                Then I try the fedi icon and nothing happens at all… no expansion or anything. But I can see that the button is sensitive because it flashed as I clicked it. So then I forcefully copied that external link into a new tab in Tor Browser and it just shoots a blank.

                Indeed. I can reproduce this behaviour with this comment from this thread. See the following screenshot from my network console. The body says {“error”: “not_logged_in”}, so maybe a caching error or something like that? I’ll ping the admin of lemmy.world

                running over tor, which shows #LemmyWorld’s blockade I screencapped.

                That makes sense. Cloudflare often blocks Tor IPs or spams them with captchas.

                have always been wholly broken in ungoogled chromium.

                No problem on my side.

    • diyrebel@lemmy.dbzer0.comOP
      link
      fedilink
      arrow-up
      4
      arrow-down
      9
      ·
      edit-2
      1 year ago

      It’s restricted access. See the screenshot on the OP.

      BTW, Cloudflare is also #centralized, thus defeating the #decentralized purpose of the #threadiverse.

      (edit) What’s a “walled garden” to you, if not restricted access?

      • I agree that a large number of instances all setting behind CloudFlare centralizes those instances and adds a centralized point of failure. But that’s where my agreement stops.

        1. All your lemmy interactions are mediated by your instance (dbzer0). If you’re having a problem with your notifications, or loading posts, or responding to content that’s a problem with your client and your instance. Full stop. If you’re instance is having issues federating due to cloudflare, that’s certainly a problem, and it would be in your best interest to speak to your instance admins so they can work with the other instances to resolve it. IF you’re having problems communicating with your instance, that’s between you and them.
        2. Nothing about decentralization says that all instances are required to allow YOU to access their instance. The opposite really, each instance is entitled to run however they want. The fact that you can still view and interact with posts (via your instance) says that decentralization and federation are actually working.
        3. If you’re concerned about centralization and walled gardens you should be upset about the disproportionate number of users and communities that exist on lemmy.world. You are true decentralization, those communities should be distributed across the fediverse rather than being at the whims of one instances admins.
        • diyrebel@lemmy.dbzer0.comOP
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          edit-2
          1 year ago

          centralizes those instances and adds a centralized point of failure.

          Single point of failure just scratches the surface. It’s also a single point of access control, and a single point of surveillance.

          All your lemmy interactions are mediated by your instance (dbzer0). If you’re having a problem with your notifications, or loading posts, or responding to content that’s a problem with your client and your instance. Full stop.

          Full stop-- Not in the slightest. If that were true there would be no reason for web-facing publication by lemmy world to logged-out users. Having local copies of lemmy world content is an interaction convenience (and necessary for some ops) but it does not encapsulate the full UX. The discussion is openly visible to different extents from different platforms and angles. This is purposeful. And it’s important. It’s how you validate that you’re not in a malicious or oppressive bubble. You step outside of your instance to see what others see.

          Nothing about decentralization says that all instances are required to allow YOU to access their instance. The opposite really, each instance is entitled to run however they want. The fact that you can still view and interact with posts (via your instance) says that decentralization and federation are actually working.

          You’re conflating power with ethics. Sure, fedi nodes have power to pawn users to tech giants & push ads, sell data to Google & Facebook, surreptitiously share all traffic with Cloudflare Inc. without so much as even telling their users that their usernames, passwords, and DMs are visible to CF, etc. The fedi is designed to allow this. That does mean it’s just to do so. Evil nodes can and should be called out, exposed, and outcast, which the fedi is also designed to accommodate.

          If you’re concerned about centralization and walled gardens you should be upset about the disproportionate number of users and communities that exist on lemmy.world.

          I am. And I pointed this out already in another post in this thread. I deliberately join small instances.

          You are true decentralization, those communities should be distributed across the fediverse rather than being at the whims of one instances admins.

          Yes, but this only scratches the surface. Putting huge numbers of users behind Cloudflare on a single giant node is the most antithetical action a fedi node can do – and this is what Lemmy World has done.

  • kiwifoxtrot@lemmy.world
    link
    fedilink
    arrow-up
    6
    arrow-down
    1
    ·
    1 year ago

    lemmy.world started using cloudflare many weeks ago because they were under constant DDOS attack. If you are only seeing this behavior now, it has nothing to do with it. As another user mentioned, they just upgraded to 0.18.3.

      • kiwifoxtrot@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        That was a lemmy exploit that someone gained admin credentials through the cookies. Quite a few lemmy servers were targeted, but many were able to patch quickly once it was reported through lemmy.world.

        • diyrebel@lemmy.dbzer0.comOP
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Your timeline is backwards. The account compromise was July 10; the DoS attack came after that (July 15th). There is also no chatter of any kind about any attacks prior to July 10th.

          • kiwifoxtrot@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            You are correct. The issue in your post isn’t caused by cloudflare though, it’s caused by the update to 0.18.3.

  • BURN@lemmy.ml
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    I’d just like to know what your solution to DDOS and other bad actors is if it’s not cloudflare. The Lemmy Devs don’t have the bandwidth to waste time reinventing the wheel on something cloudflare already does extremely well.

    A walled garden means there’s actual barriers to entry. Cloudflare isn’t a barrier to entry unless you’re planning to attack an instance or are using something like ToR as your daily browser.

    • diyrebel@lemmy.dbzer0.comOP
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      1 year ago

      I’d just like to know what your solution to DDOS and other bad actors is if it’s not cloudflare.

      First of all DDoS from Tor is rarely successful because the Tor network itself does not have the bandwidth with so few exit nodes. But if nonetheless you have an attack from Tor you stand up an onion host and forward all Tor traffic from the clearnet site to the onion site. Then regardless of where the attack is coming from, on the clearnet side there are various tar-pitting techniques to use on high-volume suspect traffic. You can also stand up a few VPS servers and load balance them, similar to what Cloudflare does without selling everyone else’s soul to the US tech giant devil.

      on something cloudflare already does extremely well.

      CF does the job very poorly. The problem is you’re discounting availability to all users as a criteria. You might say #SpamHaus solves the spam problem “very well” if you neglect the fact that no one can any longer run their own home server on a residential IP and that it’s okay for mail to traverse the likes of Google & MS. A good anti-spam tool detects the spam without falsely shit-canning ham. This is why SpamHaus and Cloudflare do a poor job: they marginalize whole communities and treat their ham as spam.

      A walled garden means there’s actual barriers to entry. Cloudflare isn’t a barrier to entry unless you’re planning to attack an instance

      Yes to your first statement. Your 2nd statement is nonsense. The pic on the OP proves I hit a barrier to entry without “planning an attack”

      or are using something like ToR

      Tor users are only one legit community that Cloudflare marginalizes. People in impoverished areas have to use cheap ISPs who issue CGNAT IP addresses, which CF is also hostile toward. CF is also bot-hostile, which includes hostility toward beneficial bots as well as non-bots who appear as bots to CF’s crude detection (e.g. text browsers).