Cloudflare Web Analytics

[foxx-doxx]

What do the people of this forum think about Cloudflare Web Analytics?

[Mæstro]

I hate Cloudflare with a passion. It imposes the requirement for many sites to enable JavaScript and cookies, which I always disable by default and the site proper does not actually require, and thereby turns me away. (If I wish to access the site’s text, I will use the Internet Archive instead. I have only excepted two sites from this policy, one of which actually needed cookies anyway.) For some months earlier this year, the Cloudflare turnstile failed in Pale Moon, which was a headache for everyone involved, and leaves me little confidence in Cloudflare’s other services. The only nice thing I can say about it is that it is not Recaptcha.

[Crazyroostereye]

Well it's a Cloud based Analytics Platform, I am always a bit skeptical of them. The Insight they Provide is valuable to the Website owner but can also vary easily breach the Terms of Privacy first Design. Especially if they share Visitor Data between Customers. Which can be used to create a big inferred Data Network about everyone who has Visited your site.

Cloudflare, as Maestro mentioned already, has many Issues. While my experience with their Services isn't Bad. I have a heard a lot of Horror Story's with Customer Support and Marketing Departments. So I be careful to use them.

[Mæstro]

As an alternative, I think the best examples of captchas for ensuring all and only natural persons may access the site are those which appear on DuckDuckGo and Xcancel when JavaScript and cookies are disabled. The first requires selecting three pictures of ducks from a grid of nine, as in the picture. The other resembles a traditional site captcha in reading numbers from an image, where the numbers are a one-time password generated by means unknown to me. The only fault in them which I could imagine is that I do not know how they would treat the blind. Many sites have also lately implemented Anubis. While it still requires scripts and cookies, it is, at least, far less intrusive than Cloudflare.

[Crazyroostereye]

As an alternative, I think the best examples of captchas for ensuring all and only natural persons may access the site are those which appear on DuckDuckGo and Xcancel when JavaScript and cookies are disabled. The first requires selecting three pictures of ducks from a grid of nine. (I will update this post with an example when the site next demands it.) The other resembles a traditional site captcha in reading numbers from an image, where the numbers are a one-time password generated by means unknown to me. The only fault in them which I could imagine is that I do not know how they would treat the blind. Many sites have also lately implemented Anubis. While it still requires scripts and cookies, it is, at least, far less intrusive than Cloudflare.

Anubis isnt really a Captcha System, it only makes it harder and therefor more expensive to visit your Website. Harder meaning in Resources not in actual effort on the User Side. It's more there to prevent continues Scrapes of your pages. By making the Computer that is scrapping you do some hard Math.

[Mæstro]

Because I disable cookies by default, I can attest that Anubis denies rejected users access and is therefore a proper captcha, even if it requires no user input. It does not merely punish scrapers the way that an email server punishes spammers by tolling the client’s processor whenever a message is sent.

[Crazyroostereye]

Because I disable cookies by default, I can attest that Anubis denies rejected users access and is therefore a proper captcha, even if it requires no user input. It does not merely punish scrapers the way that an email server punishes spammers by tolling the client’s processor whenever a message is sent.

Cookies don't determine if smth is a Captcha. Anubis blocks Connections that couldn't execute the Proof of Work or which don't have Cookie Capabilities. Regardless of it being a Bot or a Human. But that doesn't make it a Captcha. That is only a Feature Requirement. A Captcha does require a form of Human Interaction, like a Text you have to type in or as simple as Clicking a Check Mark. The goal of a Captcha is to determine if smth is a Bot and, if set to do so, block it.
At least in my Interpretation of what a Captcha is.

[Mæstro]

Cookies don't determine if smth is a Captcha.

Verb sap. The full argument is as follows: Anubis blocks traffic to those whom it denies, its behaviour towards cookieless browsers serving as evidence of this.

Different sources give slightly different definitions on whether human interaction is necessary, or are vague enough that it is unclear whether a user or his computer must complete the challenge. (My usual dictionary, Collins, defines ‘captcha’ narrowly enough to exclude this site’s registration form’s.) The word’s coiners define it as ‘a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.’ Anubis’ hashing tests do this. In my case, activating cookies is a manual process, so it is a captcha in your sense also.

[Crazyroostereye]

You make a Good Point.

But In the Definition of Collins and the word's coiners its goal is to determine if a Connection is from a Human or a Bot. Anubis doesn't, nor it tries to determine if a Connection is Human or Bot. It just sets a Requirement your Browser has to meet and requires you to do a Calculation.

‘a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.’

This is also not the case with the Proof or Work test that Anubis Presents, as Computers are the only ones that can preform the Calculations in a timely manner.
The way Anubis works is by making Hard to Compute calculation that the Computer has to preform, which its intent is to increase the Computing bill of Bot Networks that access the Website frequently.

[Mæstro]

Now, this is more interesting than bickering over the real definition of captcha.
For my part, I would define captcha as software intended to filter online requests so only those by natural persons succeed.

Anubis doesn't [determine if a Connection is from a Human or a Bot], nor it tries to determine if a Connection is Human or Bot.

I think this is false, for Anubis itself and its official documentation state otherwise. Anubis’ official instance introduces itself to users as ‘making sure you’re not a bot’, as shown in the attached screenshot. The readme describes Anubis as a firewall and an alternative to Cloudflare, an unambiguous captcha (where ticking a box is the challenge), which is why I had brought it up in the first place. The developer’s explanation states that Anubis is intended to block scrapers, although it does so by testing features.

]Computers are the only ones that can preform the Calculations in a timely manner.

This is literally true, and when I spoke of vagueness in my post, this is what I had in mind. Anubis says on the official instance if cookies are blocked that it ‘requires cookies [for] making sure you are a valid client’. ‘Client’ can refer just as well to the end user himself or the computer which he uses to access the server. The user, not the computer, is reading the message, but Anubis tests the computer itself. None of the definitions I have found are pedantic enough to bother splitting this hair, so neither do I.

The way Anubis works is by making Hard to Compute calculation that the Computer has to preform, which its intent is to increase the Computing bill of Bot Networks that access the Website frequently.

It is true, from the the developer’s comments, that Anubis uses the same technology, that also in Hashcash, which is used (among other things) for punishing spambots, but from the above documentation, Anubis infers from the results whether to deny bot networks access. The readme also mentions that legitimate web crawlers will fail to index sites wielding Anubis, which would not happen if it only tolled the user’s processor like some antispam measures.