Some context the article misses: there's a court order that allows the Spanish Football League to block websites which may be unlawfully broadcasting football, and the ISPs have to comply. Since Chrome activated ECH, LaLiga requested the order to be expanded to block individual IPs, to which the court happily obliged, and this order is being used to block Cloudflare's IPs ranges.
The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play. This is a breach of the court order itself, which clearly states that "no unrelated sites may be affected", all while the court order itself probably being illegal as well. And, of course, IPTV pirates found ways around the block.
bandaancha.eu is doing a fantastic job on the reporting of this.
> bandaancha.eu is doing a fantastic job on the reporting of this.
And LaLiga’s response to their reporting? Sending false abuse notices to their hosting provider [1]
[1]: https://x.com/bandaanchaeu/status/1892992576069783825?s=46
>The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play.
At the risk of non-Spaniards being unable to understand: that's the most pandereta thing I've heard this year so far.
More context: Telefónica used one of its group companies to file a complaint against itself and all other telecom operators in Spain, instead of filing a complaint against Cloudflare. As the operators, including the plaintiff Telefónica, acknowledge and accept the claims, the judge granted the measures.
> The result is that web browsing in Spain on weekends, when football is on, is severely impaired, with thousands of web sites going down as matches play.
Aaah, this explains some stuff. I'm on holiday in Spain right now, and a bunch of little blogs and similar sites just don't work at all for some reason. I bet they're hosted on Cloudflare Pages or using Cloudflare as a CDN layer.
I assumed it was just the hotel WiFi doing something weird!
I think the cloudflare issue only happens with movistar/digi. At least in my case I couldnt use github yesterday
Orange and Vodafone are also implementing the blocking but users are not noticing because they are doing it wrong: instead of blackholing the IPs or only blocking when connecting through ECH, they are blocking by DPI the access when using the IP address as the SNI/Host header.
# curl http://104.21.16.1
<META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Expires" CONTENT="-1"><html>Por causas ajenas a Vodafone, esta web no est� disponible</html>
# curl http://104.21.16.1 --header "Host: blockedsite.com"
error code: 1001
Which is really useless, but I guess fulfills the court order (pandereta meets undefined specifications).
So "only" the biggest broadband provider in the country :)
I've seen reports that Orange may have imposed the block as well, which is the #2 provider. Definitely a nontrivial slice of the population
They've been routinely blocking GitHub, I think because there are several repos tracking lists of IPTV streams? I often have to VPN to the US just to access my open-source repos.
Only Vodafone refused to implement the blocking.
Other ISPs are blocking as well.
This previously happened in Italy, and was quickly undone as "a mistake" after being called out.
I see in Spain it isn't a mistake.
As one would need more reasons to hate football. It's a disgrace, here in Italy last year there were flooding in the center, some matches had to be postponed, people were digging up sand, basket clubs complained in silence, but there were some clubs like AC Milan trying to bitch about their important matches and league point, something that a person with common sense would never think, for real, people digging sand, people dying, and they had the guts to complain about their league points, they're psychos
What is ECH?
Encrypted Client Hello https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
> court order itself probably being illegal as well
How so?
The simplified answer is that Spain has greater net neutrality laws than most other places, and on top of that the relevant European Union laws specifically forbid any lawful blocking/enforcement action if it causes a nontrivial amount of collateral damage to unrelated parties. So in theory the court order should've violated both Spanish and European law.
https://www.redes-sociales.com/bloqueo-cloudflare-parte-lali...
Legally is it collateral damage to unrelated parties. It is cloudflare's servers providing the infringing content, and the cloudflare's servers being blocked. Does Spain net neutrality protections grant some kind of common carrier protections to CDN networks? Would be nice if they did.
I can't find a violin small enough for cloudflare here. They're known for ignoring abuse and now they want to retaliate for someone blocking them like they're some kind of required utility provider? Maybe it's time for legal action from all the people randomly blocked by cloudflare without recourse?
There's no violin small enough for LaLiga.
What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
The only saving grace here, is that premium broadcasts kinda succeeded in getting the fans, rather than corrupt politicians and the state, to mostly fund the entire scheme that is the sport.
Other than that, cry me a river with how much we allow football to bend (and break) so many of our laws and regulations (not to mention ethics and decency).
It is CloudFlare that should be shutting down websites to comply with the law. If they did that, LaLiga wouldn't need to resort to a bigger hammer.
Needless to say, companies should comply with the law of the place where they do business in.
Did they serve Cloudflare a court order?
Why does there need to be a court order?
I do not require an order from a court to do the right thing.
Requiring a court order to do the right thing is like being an abusive asshole who replies “so sue me, bitch” whenever you confront them.
> Why does there need to be a court order?
Because there needs to be a fair legal process involving legal experts to determine whether a site is breaking the law. That's the court.
Cloudflare is not the content police.
[dead]
> There's no violin small enough for LaLiga.
Both?-both.gif
>What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
It could be that CloudFlare does absolutely nothing to aid any site, big or small, when asked to stop hosting & concealing blatantly malicious origins. I don't even care who it is at this point, at least someone is causing problems for CF who, frankly, behave as if they're untouchable.
Literally every scam site I've checked out in recent years, pretending to a government entity, or parcel delivery service, in order to defraud millions from those not blessed with much technological literacy, has been hidden behind CF. Their responses are excruciatingly slow, if they even do anything at all. Usually they don't.
“Every scam comes from Cloudflare” is an asinine metric.
“Every one of those scams” are also on the internet, use email, DNS, whatever.
The metric that matters is how much of Cloudflare is a scam, and can the rate of scamming on Cloudflare be reduced without significantly impacting legitimate uses of it, and how.
Let's get ISPs to instablock IPs shared by thousands of sites immediately, making the internet an excruciating experience on weekends, because we may be loosing some football euros on our way to charge as much as the market will bear is just indefensible. If for no other reason, because IPs are a scarce resource.
Yes, piracy will take advantage of privacy technology (EDNS in this case). If we're cautious of violating privacy to catch child abusers, again, cry me a river about LaLiga not being able to fund the next hundred million euro transfer.
It's not blocking hundereds of services, it's blocking one, cloudflare. A service that routinely is used to share copyright material.
> What (other than greed) can possibly justify blocking hundreds of different services, with little to no oversight?
In this case? A court order: https://bandaancha.eu/articulos/esta-nueva-sentencia-autoriz... which is a pretty heavyweight oversight mechanism.
Personally I'm broadly pro-piracy and anti-big-sports-organisation. But alas the legal system disagrees.
The court order provides the means of doing it, it isn't itself a justification for wanting to do it.
(Unless your view of ethics/morality is that anything ordered by any court is automatically good, which I'm sure some people believe but I suspect many more do not have such a binary view.)
> people randomly blocked by cloudflare without recourse?
Cloudflare does not randomly block access to sites that don't deal with Cloudflare.
Cloudflare customers buy blocking service to their sites from Cloudflare. Any randomness there is just customer service issue.
They buy a service which should block a specific type of traffic, for example bots or attacks. I don't believe any of their customers have purchased a "block a random version of a specific browser" plan. The fact this is occasionally treated as a bug and fixed confirms that idea.
If the customer specifically set a header match to block some Firefox variant, people wouldn't complain to cloudflare about it.
Customers can pick several levels of aggressiveness when it comes to blocking bots. Some of the more obscure browsers easily pass the "low" threshold but don't make it past the "high" threshold. Some older browsers like Palemoon seem to crash or break the JS Cloudflare serves but that seems to be a browser issue.
If your favorite website is blocking you, let them know. They can tweak a lot in their WAF settings. I don't think many websites care about obscure browsers, but it's something websites can control.
That's why I wrote
>... just customer service issue.
I'm not sure what point you're trying to make. Cloudflare has been failing this way for ages. At this point they're just accepting it and it affects people who don't understand or care who cloudflare is. It's an issue with cloudflare business model as a whole these days.
You covered everything except the most important case: Cloudflare blocks innocent people trying to access websites protected by Cloudflare.
For instance they block me because I'm behind CGNAT and because some of the millions of machines also behind that CGNAT once did something unsavory.
I'm not a customer of Cloudflare, so I have no one to call, I just get blocked from endless websites or have to click a checkbox, solve puzzles and suffer other indignities because I'm using a reputable and popular ISP in my country.
Fuck Cloudflare. They're accelerating the utter shittiness of the web because of their indiscriminate solutions to web malfeasance, which are worse than the disease.
I've experienced similar problems in the past. Cloudflare decides that something about the ISP or software I'm using is not on some secret approved list and we all get a bag of coal for Christmas instead of the content we were asking for until we've jumped through whatever hoops it decided to set up this week. And I've heard way too many anecdotes from way too many people in real life to believe this is some sort of isolated or unusual event.
If Cloudflare is now taking a hit because it's become collateral damage to an over-generalised penalty system despite having done nothing wrong itself then it is difficult to find much sympathy. If this blocking exposes how much of the web we all use every day is now being routed via a single point of failure that has been operating largely as a law unto itself then that also seems like a positive step to me.
Depends on the kind of abuse. Acting as if CloudFlare is providing bullet-proof hosting and carrier services would be insincere. I have had CloudFlare suspend accounts within 18 hours of reporting.
For what it's worth I think Cloudflare and a few other ultra-large CDNs should be considered an utility provider, given that it is very difficult to exist in the Internet without their protection - no matter if you're just running a damn blog or an online forum, you'll get hounded by hordes of automated scanners looking to exploit you the very second a 0day appears. And if it's an online forum, chances are high someone will be pissed off by some moderation action and just buy a DDoS to shoot you off the 'net.
(In the end I think governments should finally hunt down and eliminate abusive netizens, but waiting for that to happen is pointless)
curl ipinfo.io/`dig +short news.ycombinator.com`
{
"ip": "209.216.230.207",
"hostname": "news.ycombinator.com",
"city": "San Diego",
"region": "California",
"country": "US",
"loc": "32.7157,-117.1647",
"org": "AS21581 M5 Computer Security",
"postal": "92101",
"timezone": "America/Los_Angeles",
"readme": "https://ipinfo.io/missingauth"
}
Cloudflare profits greatly from you thinking it's impossible to exist on the internet without them.
Did you know they have a workflow for you to sign up start using their protection in the middle of an attack? Costs money, of course. They don't get to EEE the Internet that way so they don't make it free.
Seconding that anything this big should be nationalized. That said, the internet still worked before cloudflare. The threat of a banned troll DDoSing your forum has been a risk for 30 years, yet the flourishing golden age of forums was before anyone had heard of cloudflare.
Add in their centralized panopticon of mass decrypted traffic and it becomes undeniable CF is an enormous net negative to the internet and society at large.
While massive overreach in the name of fighting piracy it's very on-brand for LaLiga, this seems pretty wild, even for them. I can't help but wonder if perhaps they didn't realize quite how many unrelated, legitimate sites/services that their citizens use would be affected by this.
I think burns/jokes about Cloudflare are missing the point. It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block. The block included things like Redsys, a major payments processor used by tons of ecommerce sites in Spain.
Piracy or not, you shouldn't be able to get away with this kind of collateral damage, blocking an entire population from accessing a far greater number legitimate websites.
And while I do understand their problems with piracy, LaLiga's view on the matter has always been so over-the-top and reminiscent of the false logic the record companies did in the early 2000s: LaLiga believe (or at least say, all the time) that every euro's worth of football that is pirated is a euro that has been stolen from them; that if piracy didn't exist, they would have that much more money. It's simply not the case. It's a hugely outdated viewpoint, and they shouldn't be able to cause damage to the public because of their adherence to it.
> It's not about Cloudflare, it's about the millions of people in Spain who couldn't access a plethora of legitimate, unrelated websites and services because of the block.
I happen to agree that La Liga wildly overreaching is on brand. But I think this is partly about Cloudflare.
What's happening is a reminder of how centralised the internet is becoming. If blocking Cloudflare IPs brings down big chunks of the internet for Spain, that's a problem. Cloudflare could go down for a while, or collapse permanently, or get compromised.
Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."
Cloudflare might get a resolution from the court that suits them in the short-term. But drawing this to government attention might not suit them in the long run.
> Putting aside my opinions on La Liga overreach, it will also be a problem if companies get to say to courts "Oh, well, if you block those IPs the internet goes down for your country, so let us know what you want to block and maybe we'll get around to it."
On the contrary, it would be an excellent outcome if the Internet became all-or-nothing, and countries could either choose to provide Internet access or block the entire Internet, with zero ability to selectively block things they don't like.
Doing that via a few centralized CDNs would be bad. Doing that at the protocol level would be excellent.
So... you don't agree with the existence of laws? And differing jurisdictions?
I think the comments here about cloudflare aren't trying to justify what LaLiga is doing, just pointing out that cloudflare does the same equally wrong thing ultimately. If you've ever ended up with an IP cloudflare decided is suspect for one reason or another, have fun being stuck in endless captcha loops all day for something like 70% of the websites you visit, with no recourse
They want cloudflare deal with pirated issue for them
Sure it's blunt. But I guess it will be rather effective in getting Cloudflare to urgently revise their policy on copyright violation.
I don't understand why Cloudflare allowed itself to be use like this and is heading to court instead of just refusing to accept LaLiga's requests. They could just request them to provide appropriate evidence and make them pay for the time Cloudflare staff would need to review the evidence
Cloudflare isn't in a position to accept or decline LaLiga's requests; LaLiga, supported by a ridiculous court order, is forcing ISPs to block Cloudflare IP addresses.
Cloudflare absolutely is in a position to take down domains they're hosting on those IPs while keeping other domains sharing the same IP up.
I think that's probably what they'll be doing in the end, so it's interesting to observe that they haven't done so already. Do they maybe have at least an internal domain reputation system so that long-time customers mostly share IPs with other long-time customers and are less likely to get caught in the crossfire?
> Cloudflare absolutely is in a position to take down domains they're hosting on those IPs while keeping other domains sharing the same IP up.
They could. On the other hand, why should they? I would much rather see them fight this court order and make it stop across the board.
Cloudflare's customers are distributing copyrighted material. That's basic copyright law, and the host and distributor can easily take it offline after a court request.
Your response assumes I want to see sites distributing copyrighted soccer games taken down, rather than cheered on.
Ok, this explains why Cloudflare is doing this. So the issue seems to be with the court order then. Is this then yet another case of court order makers not understanding the technological consequences of the court order they made?
Or more likely not caring, or not being informed because the plaintiff doesn't care about collateral damage.
I suspect that LaLiga lawyers and lawyer-techs aren't perhaps the most technical so when they learned to figure out IP's they made it their go-to way of working without even considering that they might need to contact CF (or Github that also seems blocked in Spain).
Finding abuse contacts is actually a M:N problem for the entire industry since we skimped on IPv6 (Had we gone to IPv6 providers like CF could've just assigned customers their own IP's and third-party fallout would've been minimal).
Well, I'm guessing here but I assume pirates are happy to stand up a new website for every match. And LaLiga wants the sites taken down within the ~90 minute duration of the game, otherwise what's the point?
It's my understanding that the usual process is to ask Cloudflare to move infringing domains from shared IP addresses to fixed IP's, before blocking.
Do you have a source for this?
No, it's my recollection of words spoken by a lawyer. https://torrentfreak.com/internet-backbone-cogent-blocks-clo... is related to the topic.
This arguement on whether LaLiga or Cloudflare are the biggest dicks is kinda dumb.
Yeah, CF has stepped in it from to time and yeah, maybe they have ego-ish proclivities. What Behemoth online service doesn't?
But at the core of this debate is about LaLiga and it's peripheral relationships dragging a lot of innocent folks along with the genuine targets of their focus. It's like those Drift Netters who have demonstrated they care not for the unindended species they catch. A bit of a labored metaphore but, there you have it.
When they started doing these blocks a few weeks ago they also took down Telegram for the whole weekend and part of Monday.
I'd be interested to see if twitch is on their block list... or if running pirated tv, movies and sports from all over the world 24/7 just isn't as visible enough to them for them to say something...
Most streaming platforms actually put a lot of effort into combating live soccer broadcast piracy, more than a lot of other types of content. European soccer in is massively popular globally, as is the World Cup. Thus piracy of it is massive and global as well, and it gives the big leagues and competitions a lot of leverage. Most platforms try hard to counter soccer piracy, generally without waiting for a complaint or takedown request, and often using active methods like doing automated content detection on livestreams. The platforms simply have more to lose by poor enforcement of a huge soccer event than most anything else, including anything from Hollywood.
Honestly, I hate both parties here so much. I just wanted to say that Cloudflare is the biggest problem I have at work when trying to detect and take-down phishing websites. They do not collaborate with official entities and keep protecting malicious actors. I could not care less about someone giving them problems.
As a reminder, LaLiga got caught spying their users with their app using the microphone and the geolocation to detect illegal emissions in bars. They got fined, applying the GDPR, with 250k euros. [0]
However, the last court order, removed the fine as they interpreted the AEPD (Spanish data protection agency, and the ones that fined LaLiga) did not showed any guidelines about this kind of stuff so it couldn't be fined retroactively. And that showing a "Mic in use" warning every time the app was using the microphone, as AEPD wanted, was "excessive". [1]
[0]: https://confilegal.com/20220505-la-an-ratifica-la-sancion-de... [1]: https://www.cuatrecasas.com/es/spain/propiedad-intelectual/a...
What's laliga
LaLiga is the main football league in Spain, where Real Madrid, FC Barcelona,... play. It's also considered the second most important league in Europe after the Premier League in England. And, related to this, it manages the TV rights of the matches.
Cloudflare's ddos protection constantly locks out non-mainstream browsers, so pot and kettle, and such.
I've had issues with their captchas just not working but not providing that as feedback. Javascript enabled and all.
You can easily reproduce this by using a mainstream browser like Chrome and changing your user agent to e.g. a Firefox one (or the reverse). You'll be hit with captchas everywhere but unlike the cloudflare ones the google ones can at least be resolved.
A Firefox user agent with a Chrome Javascript engine and a Chrome TLS engine is suspicious. Any decent bot prevention mechanism will trigger on that.
I don't have issues passing these blocks in Firefox, though.
from my travel experiences with my laptop
linux + firefox + less developed country ISP = endless captcha loop or straight up ban
Not just non-mainstream web browsers but also users in certain less developed countries.
Clearly there’s a balance to be had, but Cloudflare’s shadowbans are just mean.
Can confirm. If I click certain links in the Discord Electron client on Windows they work just fine, but in Firefox on Linux I get the DDoS block page, regardless of the internet connection I'm using.
It's a service that Cloudflare customers buy for their site.
This is about messing with unrelated parties. Cloudflare is not doing that.
I'm also an unrelated party, it messes with me, Cloudflare is doing it, and I can't opt out.
You are related when you try to access a site. It's just customer service issue. You can't demand that sites allow you in.
you <---> C <---> site
you <--X--> C <---> site
|
Court order
I get locked out occasionally when travelling outside EU as well. I've got to the point I will just avoid using services with CloudFlare in front of them.
Also the one time I reported abuse which was online banking phishing they just replied that they'd informed the upstream provider and nothing happened.
I mean isn't that a feature customers have to turn on?
Most folks do not realize the consequences. Of those who do, a significant fraction thinks that the only people accessing it are from US mainland and use Chrome on Windows.
Cloudflare is a flaming heap of garbage of a company and to see them have beef with another company like this is very ironic.