- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
tl;dr: No. Quite the opposite, actually — Archive.is’s owner is intentionally blocking 1.1.1.1 users.
CloudFlare’s CEO had this to say on HackerNews:
We don’t block archive.is or any other domain via 1.1.1.1. […] Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service. […] The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users.
I am mainly making this post so that admins/moderators at BeeHaw will consider using archive.org or ghostarchive.org links instead of archive.today links.
Because anyone using CloudFlare’s DNS for privacy is being denied access to archive.today links.
Yes, which makes Archive.is a terrible service… Because they don’t get super fine details of where your connection is originating from they poison the DNS response they give cloudflare. Any site that weaponizes DNS then blames me for choosing to not allow them to do so… Fuck them.
It might be terrible for you but it’s very handy for the rest of us.
If it’s so bad, maybe just pay to bypass all the paywalls that the site removes from your way. Having your local ISPs details sent through is a small price to pay for the convenience.
Or I can just use Firefox reader mode… which works for like 90% of the sites that are paywalled that I’ve ever visited.
But honestly I don’t care what you say with an attitude like that. People who give up security for some fake semblance of “convenience” make the internet worse for everyone. I’m not sure how a company/website violating your rights is “handy” for you… but you do you.
What, stop using Chrome?? Unthinkable… Google says it’s the best and we can trust them. They want what’s best for us. /s
Not really a paywall then, is it? I don’t know why you think it’s fake, it’s a very real convenience.
Violating my rights ? Is geolocating your users violating their rights now?
Well no shit… It wasn’t a real paywall if archive.org or archive.is can bypass either no? What’s your point with this statement?
What/when did I say anything was fake? See above question… I said they’re a terrible service. Not that they’re fake. I’m telling you that it’s not any more convenient than the reader view button and that doesn’t give your data to some shady third party that doesn’t NEED your data… even though they’ll apparently go to war with one of the biggest transits on the internet over it to get it.
Yes… attempting to punish users who don’t want to be geolocated… or FORCING users to geolocate would be collecting personal data. That is a literal violation of rights in many countries, specifically the EU… and California. So yes.
Are we done?
Archive.is can and does bypass real paywalls. That’s why it’s useful.
You literally called it a fake convenience in your previous comment. Do you have the memory of a goldfish?
Geolocation of users of course does not violate GDPR, don’t be ridiculous.
You have no idea what you’re talking about and clearly don’t understand the issue at hand, so yep, we’re done.
Firefox reader mode does as well…
Yes… so less button presses and faffing with bullshit just using the built in feature on firefox… See how archive.is isn’t that convenient at all?
You seem to have the intelligence of one. You just said “fake”, assuming that someone would understand what the hell you’re talking about… When you communicate poorly, don’t be mad when people don’t understand you.
They’re not just using geolocation and throwing the data away after they’re done. otherwise they wouldn’t be fighting cloudflare. Storing that data for whatever other purpose they could have with it would absolutely be a violation of GDPR and similar laws. You’re the one being ridiculous here.
I’m literally a CISO… It’s my job to make these kinds of decisions. So jokes on you. My company would fail compliance audits if we did dumb shit like this.
JavaScript paywalls are not real paywalls. So no, Firefox can’t bypass real paywalls.
Unlucky for your company to have a CISO with such poor reading comprehension.
Alright… Find me a page where archive.is can bypass the paywall… that Firefox cannot.
I’m going to refer you to my previous statement
You didn’t mention “Only Javascript” until just now… And for some reason you believe that those are fake? You’ve got some weird definitions here.
How is it more handy than Archive.org? You can submit URLs for archival just the same, and it doesn’t require user tracking.
I’ve used Archive.is before,
but seeing this I won’t anymore.EDIT: after some digging (see comment thread) and further consideration… I’m not sure anymore.
It’s way faster for one. It actively scrapes articles from behind paywalls, using a bank of credentials it has. Archive.org respects robots.txt and will take down copyrighted material on request. Archive.is doesn’t do any of that.
I would view it as complementary to archive.org. it’s more like sci-hub to me. A useful tool, run by one person who likes the idea of providing such a service.
What exactly do you think is being tracked by your ECS being sent along with DNS requests? All it means is that archive.is can’t load balance properly because they don’t know what their nearest server to your location is. If you’re so privacy conscious that leaking a portion of your IP to a DNS provider, then hardcode archive.is IPs into your hosts file or use a VPN. Not that your problem can really be with archive.is, because you’re visiting the site anyway, giving them your full IP.
It just seems like such a non issue to me.
I see… not sure I approve, but I see.
That’s precisely one of the issues with EDNS, already described 10 years ago:
(https://00f.net/2013/08/07/edns-client-subnet/)
From the CEO’s reply on YC:
(https://news.ycombinator.com/item?id=19828702)
Seems like dropping the originating address is a reasonable action on their part.
Only thing they could possibly do, would be to replace the originating address with the address of the particular DNS resolver in their network, which they said they had 180 of… but that would still reveal your geographic area in case of a VPN leak.
On the other hand, if you don’t care about any of that, why not use Google’s 4.4.4.4?
The reason I’m saying use a VPN is because you’re presumably visiting the site anyway, so leaking your full IP to them anyway. You can route your DNS lookups through what server you like, obviously. (Again, the privacy issue would be not that you’re leaking part of your IP to archive.is, but to everyone in the chain of recursive DNS resolvers). You could use TOR too, I think even in this thread someone posted a TOR url for it.
Cloudflare do make the DNS queries from 1 of their 180 locations, so there is some information being passed through about where the request is coming from in terms of load balancing.
I’m not arguing that Cloudflare are doing the wrong thing by omitting ECS data in general. Just that site owners have a right to do as they like WRT people using their website and if that includes blocking Cloudflare, so be it. What he is doing is not legal (or at least grey area) in many countries so anything that makes his life easier is understandable IMO.
Also, ECS leaking does not seem like a real concern for the vast majority of people surfing the net.
Lastly I don’t think Google own 4.4.4.4, did you mean 8.8.4.4?
I know what you meant with the VPN. Just saying that CloudFlare is using the VPN leakage case to justify not supporting ECS. As for the rest of the problems, DNS servers that suport ECS, hopefully have already implemented countermeasures.
Indeed Archive.is is free to block whoever he wants… he’s just using a weird argument, particularly when there is an onion address for it, which is kind of the opposite of a CDN… or I don’t understand his side completely. It feels to me like both sides are sticking to their stances, when either or both could fix the issue without much of a problem.
Damn. Yeah, I meant 8.8.8.8 and 8.8.4.4. Brain fart.
There’s a comment on one of the HN threads that gives a little more insight - basically it helps him combat abuse by routing requests to the closest server outside of the requesting ips area: https://news.ycombinator.com/item?id=36971650
Not sure how that argument really holds up to scrutiny but it’s something.
Oh, so he’s not using a CDN, but a sort of “anti”-CDN.
Wonder why 😆
Yes, that holds up to scrutiny pretty well.
…and that’s a dick move on part of CloudFlare.
In what way is it “very handy for the rest of us”?