“Exactly” would imply just one issue. It would be like asking Greta what exactly is her issue with climate. Or asking Snowden what exactly is his issue with mass surveillance… or tell RMS he can only pick one problem with non-free software.
The first problem I encountered with Cloudflare was being in the excluded group. Being blocked from websites that were presented as though they were open to the public was how CF’s existence became known to me. The more you study CF, the more wrongdoing you find. The exclusivity problem just scratches the surface. There’s a good outline of the Cloudflare problem here: https://git.kescher.at/dCF/deCloudflare/src/branch/master/subfiles/rapsheet.cloudflare.md
Knowing what I know now about CF, I actually prefer to be excluded from their walled garden. I seek out tools that will help me avoid it. Thus I’ve come to actually see the blockade as a benefit. So perhaps I could answer your question after all with a single issue: the problem is that Cloudflare is growing and thus shrinking the decentralized free world as a consequence.
You don’t see the wall because you’re in the included group. Unlike Facebook, Cloudflare hides the wall from those they welcome into their garden. If you click on the screenshot on the OP, you can see what the barrier looks like to those of us who are in the excluded group.
Otherwise I hope you’re not viewing the world through a simplistic “good guys” / “bad guys” lens s.t. those you deem forces of good surely could not be a “walled garden”. The term serves well w.r.t. places where content is published. Restricted access venues: (Facebook, Cloudflare [with restricted access enabled], LinkedIn, Yelp, Quora,…) are not open access. They are walled gardens.
While #Signal is in fact technically a walled garden, it’s bizarre to bring it up simply because it’s a p2p platform with no public content to speak of. The term doesn’t really serve us well in a discussion of p2p private chat platforms. Although it’s important to recognize Signal:
See https://github.com/privacytools/privacytools.io/issues/779
The exclusivity of Signal’s design and decision making & careless marginalization of classes of people is comparable to that of orgs like Cloudflare & Microsoft.
A Cloudflare host can leave the walled garden, but steps are needed
It is possible to configure a CF host with unrestricted access, in which case you could argue those particular sites are not in the walled garden, but that’s relatively rare. And it still requires a hell of a lot of hand-waving on your part because CF algos still override the user settings in some instances.
Dynamic IPs change on average every few days
The users who would be most impacted by an attack are the ones who are right in the middle of a conversation. Having a conversation interrupted is worse than being unable to check for new news or start a new conversation. So I think using the IPs for ~2—3 days of firewall masking would give users a chance to wrap up the conversations they’re involved in. As well as give users a chance to quickly grab their archives (to the extent that the server can handle it).
(edit) Why not combine this with tar-pitting? Unknown IPs could be tar-pitted until they login, at which point their new IP becomes known.
It’s a good point but incident response amid heavy attack does not require perfection. It would certainly be borderline useless over the long-term, but I think most “dynamic” IPs rarely change. Last time I paid attention, I think I had the same dynamic IP for over a year. I would also expect IPv6 to be even less dynamic.
Perhaps users who use DDNS from afraid.org (gratis) could be accommodated along these lines.
Indeed someone in another thread mentioned these: