Then you're not using any of their services besides DNS, at which point you don't need to use Cloudflare at all.
As soon as you turn on any other service they offer, you need to actively migrate away. It's an inherent issue of services that actually provide a benefit. If you're saying "I can just migrate to any other nameserver" then you're telling me you have no use for Cloudflare in the first place. Because if you did, you couldn't just not use it anymore.
Let's say you're using their WAF. Sure, you can just change your domain's nameserver and you've migrated away. But now you no longer have a WAF. Same for their CDN. Or their load balancer. Or their object storage. Or their CAPTCHAs.
I think they also lock you into their DNS when you buy a domain from them, unlike other registrars who allow you to change your NS freely. Sure, you can just transfer the domain elsewhere for a small price, but the point is they go the extra mile to force their NS, which I haven't seen with other registrars.
I had a similar issue and evaluated alternatives. Sadly, there were none that did the job well enough.
How do you suggest implementing bot prevention that works reliably? Because at this point in time, LLMs are better at solving CAPTCHAs than humans are.
We solved this by introducing a silent block. If the system notices unusual behavior (too many payment attempts per user, for example), it no longer sends the payment attempt to the provider. Instead, it idles for a second or two and then just fails with a generic “payment declined.” Most attackers don’t notice they’re being blocked and just assume all credit cards are bad.
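An added illustration of the silent block described in the comment above (example code, not the commenter's implementation): a per-user sliding-window counter in front of the provider call, a short stall, and a decline response whose wording is identical to a real decline. The window, threshold and stall length are assumed values, and the provider is a constructed stub.

```python
import time
from collections import defaultdict, deque

# Tunables: assumed illustrative values, not figures from the thread.
WINDOW_SECONDS = 600    # look-back window for counting a user's attempts
MAX_ATTEMPTS = 5        # attempts per user per window before silent blocking kicks in
STALL_SECONDS = 1.5     # delay so a blocked attempt looks like a slow provider decline
GENERIC_DECLINE = {"ok": False, "reason": "payment declined"}

class SilentBlockGateway:
    """Over-limit users get a stalled, generic decline; the provider is never called."""
    def __init__(self, provider, clock=time.monotonic, sleep=time.sleep):
        self.provider = provider            # callable(card_token, amount_cents) -> dict
        self.clock, self.sleep = clock, sleep  # injectable so tests need no real waiting
        self.attempts = defaultdict(deque)  # user_id -> timestamps of recent attempts
        self.blocked_events = []            # (user_id, ts) kept for alerting and review

    def _count_recent(self, user_id):
        now = self.clock()
        q = self.attempts[user_id]
        while q and now - q[0] > WINDOW_SECONDS:  # drop attempts outside the window
            q.popleft()
        q.append(now)
        return len(q)

    def charge(self, user_id, card_token, amount_cents):
        if self._count_recent(user_id) > MAX_ATTEMPTS:
            # Silent block: same shape and wording as a real decline, plus a stall,
            # so the caller cannot distinguish a block from an ordinary declined card.
            self.blocked_events.append((user_id, self.clock()))
            self.sleep(STALL_SECONDS)
            return dict(GENERIC_DECLINE)
        return self.provider(card_token, amount_cents)

def demo():
    """Constructed scenario: one user hammers checkout with many card tokens."""
    calls = []
    def fake_provider(card_token, amount_cents):
        calls.append(card_token)
        return {"ok": True, "reason": "approved"}
    t = [1000.0]
    gw = SilentBlockGateway(fake_provider, clock=lambda: t[0], sleep=lambda s: None)
    results = []
    for i in range(8):
        results.append(gw.charge("user-42", f"tok_{i}", 100)["ok"])
        t[0] += 1.0
    t[0] += WINDOW_SECONDS + 1  # window expires, so the counter effectively resets
    after_window = gw.charge("user-42", "tok_late", 100)["ok"]
    return results, len(calls), len(gw.blocked_events), after_window
```

The `blocked_events` list is the piece worth wiring into monitoring: a burst of silent blocks is the signal that a card-testing run is in progress even though the attacker sees nothing unusual.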
Thousands of $1 charges and refunds in a 7 hour period seems unusual to me. Then again, I've never run a site that received thousands of charges ever, so seeing it in a few hours would be obvious.
Genuinely asking, are you a product manager? You’re giving me flashbacks to all of the PMs who suggested a 2-3 branch decision tree for a complex classification problem, because that’s what struck them as intuitive. We are just a few baby steps away from reinventing the entire field of fraud detection within this thread.
Sir, I resent the implication! I do not lie with such swine!
It's easy to say that every site must add protections against every single type of attack, except it's impossible for site owners to be experts in fraud, while credit card processing vendors are expected to be experts in fraud. I ask you, where in this situation would be the better place to implement fraud detection? Of the two places, who's more financially at risk?
I think we’re 100% in agreement: let the payment processors handle the fraud. Except payment processors unfortunately hold all the cards and will shut your site down if you don’t comply with their standards :(
I’m still baffled that Minecraft is doing so well, despite the whole Bedrock thing. At this point I think Microsoft just forgot that they bought Mojang.
I think they largely let Mojang do its own thing, occasionally forcing them to make some dumb change that usually stays exclusive to their "Bedrock Edition". The Mojang people capitulate since the original version, the one they actually develop for, is largely untouched by Microsoft's decision making, since the backlash for dumb decisions would lose infinitely more money than if they just let it continue to be a cash cow.
They'd lose a whole lot of users if they killed Java Edition, since the modded community is so large. They'd quickly find one of the Minecraft clones reaching feature parity. And there's no good reason for it - it's not like Java is a threat anymore.
Exactly. So why isn't Microsoft doing just that? Isn't that how Microsoft usually handles things? Just look at Xbox. They essentially screwed up everything they could and then some.
It's had its fair share of outages and outrageous changes that overreach the bounds as well. It's more stable than GitHub is, but it's had at least 2 sessions of downtime this year that I recall, and they were both quite long (day length).
They don't enforce or even default to 2FA to change the account email. In addition, they have no process to get a human to reverse account takeovers. Just a web form that tells you to call a number that redirects you back to a web form.
On the other hand, they aggressively log out legitimate users, and require the master Microsoft account password to log back in (because your kids need access to your OneDrive settings, etc.).