Cloudflare is utter garbage. Why are you using it?
I've looked at FT 3 or 4 times tonight and twice got this page:
www.flyertalk.com
Verify you are human by completing the action below.
FlyerTalk - The world's most popular frequent flyer community - FlyerTalk is a living, growing community where frequent travelers around the world come to exchange knowledge and experiences about everything miles and points related. needs to review the security of your connection before proceeding.
Ray ID: 90a2d8918c95ce27
Performance & security by Cloudflare
This is an annoyance and the opposite to performance and security. |
FWIW this was happening to me frequently as well during a trip to Singapore earlier this month.
i.e. same devices I usually use, got the challenge while I was in Singapore only (both on wifi and a local SIM). I don't recall this on previous trips (including using the same mobile SIM provider) but of course they could have added new IP blocks or whatever at Cloudflare in the intervening year. |
Originally Posted by Zorak
(Post 36856496)
FWIW this was happening to me frequently as well during a trip to Singapore earlier this month.
|
I don't get to make organizational decisions for a multi-billion dollar corporation owned by a larger private equity firm.
|
Understood; but at the same time if hypothetically Singapore's engagement numbers are underperforming relative to what might be expected for its demographics then this might explain why.
e.g. I could understand being asked once every so often, perhaps even once a day, but this was happening multiple times per hour. Also without necessarily asking IB to replace Cloudflare, if they care about this traffic then user experiences might form the basis for a bug report/support case with Cloudflare. |
This is happening consistently since I’ve been in Singapore. One might question why Cloudflare is adding additional checks to hotel WiFi in one of the world’s most popular travel destinations.
|
Let's add some context here.
The forum software isn't the greatest at defending itself against malicious activity. A few years ago it used to have significant outages due to IB being hit by DDOS attacks, either Flyertalk or maybe to another of their forum sites, but the collateral damage was to cause outages on Flyertalk.
Cloudflare is arguably one of the best platforms to deal with DDOS attacks as well as general web hygiene. IB have probably made a considerable investment in using Cloudflare to defend their forums. And we enjoy that as a "free" service albeit with some ads.
We should note that the authentication layer that the forums have is quite primitive compared to modern standards. Could IB move to something better, probably, but at the risk that they're now customising the forum infrastructure at the peril that they make future upgrades much more difficult. So they are broadly stuck with the off-the-shelf authentication service, which is sub-optimal.
So they're using Cloudflare with broadly the paranoia config dials to defend the forums turned up towards maximum. So source IP addresses like that of the hotel in Singapore that are probably medium risk in most situations get elevated to a higher risk level and get the annoying captchas more frequently. This keeps the site defended from DDOS and the worst of the script kiddies and spam out of the forums.
As in many situations there's no perfect solution, the medicine to defend against risks carries some compromises. The best infosec measures are transparent to users and ideally there would be no captchas or block messages, but that's not always possible when risks are too elevated. IB are damned if they do, and damned if they don't.
YMMV. Hope that's useful. |
Originally Posted by plunet
(Post 36891569)
Let's add some context here.
The forum software isn't the greatest at defending itself against malicious activity. A few years ago it used to have significant outages due to IB being hit by DDOS attacks, either Flyertalk or maybe to another of their forum sites, but the collateral damage was to cause outages on Flyertalk. Cloudflare is arguably one of the best platforms to deal with DDOS attacks as well as general web hygiene. IB have probably made a considerable investment in using Cloudflare to defend their forums. And we enjoy that as a "free" service albeit with some ads. We should note that the authentication layer that the forums have is quite primitive compared to modern standards. Could IB move to something better, probably, but at the risk that they're now customising the forum infrastructure at the peril that they make future upgrades much more difficult. So they are broadly stuck with the off-the-shelf authentication service, which is sub-optimal. So they're using Cloudflare with broadly the paranoia config dials to defend the forums turned up towards maximum. So source IP addresses like that of the hotel in Singapore that are probably medium risk in most situations get elevated to a higher risk level and get the annoying captchas more frequently. This keeps the site defended from DDOS and the worst of the script kiddies and spam out of the forums. As in many situations there's no perfect solution, the medicine to defend against risks carries some compromises. The best infosec measures are transparent to users and ideally there would be no captchas or block messages, but that's not always possible when risks are too elevated. IB are damned if they do, and damned if they don't. YMMV. Hope that's useful.
The better question is why are certain networks being flagged. Begs the question of what is running on those networks (intentionally or otherwise). |
I’ve been to 8 different hotels in Singapore this past week, and the Cloudflare pop-ups have occurred at each hotel on their Wi-Fi (it doesn’t occur on my data plan as I am currently running on a Plus eSIM that routes back to Poland).
I question why Cloudflare thinks that all IPs coming from Singapore hotel WiFi (I’m not sure if all of these hotels have the same IP space, but they seem to have different providers, at least) are more risky than other IPs. Frankly, I have never seen this in any other country, and I can’t imagine that Singapore is a hotbed for DDOS attack origination or other malicious behavior due to the rule of law here. |
Obviously it's hard to tell from a distance without any hard data, but at a random guess there might be some large CGNAT in use where many different users are sharing one or a few outbound IP addresses. Very heavy parallel use of IPs by many users is seen as a possible risk by some assessment systems. And irrespective of the rule of law, I would suggest that Singapore is hardly likely to be devoid of malicious activity although its incidence may well be lower per capita than other nations. It's perfectly feasible that there's a bunch of customers in SG who have malware on their devices that participates in a botnet; their good connectivity and high bandwidth links make devices in this city state high value targets. Whilst the hotels might not be the hotbed of malicious activity, their IPs are close to or in the same netblock as others that are, and the risk has been applied to the entire netblock, or even ASN.
We have seen examples on here where entire ISP network ASNs, like Orange Poland (their main ISP), have been blocked from accessing FT for many weeks. Not even a captcha option, blocked. What we won't ever get is clarity on why some things get slammed into secondary for captchas, others get blocked, and others are ok. Cloudflare are continually updating their rules literally by the minute based on their very broad intelligence of malicious activity seen across all their customers, and IB are never going to disclose what knobs they have turned to what level in the Cloudflare console. I agree it's frustrating to have captchas foisted on your browsing activity but I do suggest that forums such as those being run by IB are brittle by modern standards and need a degree of paranoia protection. |
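An added example, not part of any post in this thread and not Cloudflare's actual logic: a minimal rate heuristic showing how counting requests per source IP flags a shared CGNAT egress address that per-client counting would pass, and how escalating a flag to the whole /24 sweeps in an uninvolved neighbour. The thresholds, the /24 escalation policy, the function names and the traffic (documentation address ranges) are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def busiest_window(times, window=60):
    """Largest number of requests seen in any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flagged(requests, key, threshold=60, window=60):
    """Keys whose request count exceeds `threshold` in some window (assumed rule)."""
    buckets = defaultdict(list)
    for req in requests:
        buckets[key(req)].append(req["t"])
    return {k for k, ts in buckets.items() if busiest_window(ts, window) > threshold}

def challenged_netblocks(flagged_ips, prefix=24):
    """Escalate each flagged IP to its enclosing netblock (assumed policy)."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in flagged_ips}

# Constructed sample traffic, timestamps in seconds.
requests = []
# 40 hotel guests behind one CGNAT egress address, 3 page views each.
for guest in range(40):
    for i in range(3):
        requests.append({"t": guest + 20 * i, "ip": "203.0.113.10",
                         "session": f"guest-{guest}"})
# One scripted client on its own address, 100 requests in 50 seconds.
for i in range(100):
    requests.append({"t": i * 0.5, "ip": "198.51.100.7", "session": "bot"})
# One ordinary user on a neighbouring address in the hotel's /24.
requests.append({"t": 5, "ip": "203.0.113.77", "session": "neighbour"})

by_ip = flagged(requests, key=lambda r: r["ip"])
by_client = flagged(requests, key=lambda r: (r["ip"], r["session"]))
blocks = challenged_netblocks(by_ip)

def is_challenged(ip):
    """True if `ip` falls inside any escalated netblock."""
    return any(ipaddress.ip_address(ip) in net for net in blocks)

if __name__ == "__main__":
    print("flagged per IP:    ", sorted(by_ip))
    print("flagged per client:", sorted(by_client))
    print("neighbour challenged:", is_challenged("203.0.113.77"))
```

Per-IP counting flags the hotel address alongside the scripted client, while per-client counting isolates only the scripted client; the neighbour is challenged purely through netblock escalation.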
I just ran into this issue for the first time while connecting to FT on my iPad with a NordVPN server based in Kansas City... Pretty annoying to see it being blocked from something located domestically. I could potentially understand if the server was based in Russia, etc., but KCMO?? :rolleyes:
|
Originally Posted by FriendlySkies
(Post 36901083)
I just ran into this issue for the first time while connecting to FT on my iPad with a NordVPN server based in Kansas City....Pretty annoying to see it being blocked from something located domestically. I could potentially understand if the server was based in Russia, etc., but KCMO?? :rolleyes:
|