Is CloudFlare Always Online a leech?

As a Tor (The Onion Router) user I already have a negative impression of CloudFlare due to their captcha trolling. It therefore gives me no joy to see CloudFlare Always Online circumventing my hotlink protection in order to “cache” my content on their service.

What is CloudFlare Always Online

According to CloudFlare: With Always Online, when your server goes down, CloudFlare will serve pages from our cache, so your visitors still see some of the pages they are trying to visit.

Sounds great or what? CloudFlare’s definition of a downed server however implies that the “downed” server still returns HTTP 502 or 504 response codes (always read the fine print huh).

What is the problem with CloudFlare Always Online

CloudFlare powers a lot of scam sites that don’t produce their own content but instead take what they need from other sites. When a scam site uses my images to promote their crap, they are linking directly to images hosted on my server and stealing my bandwidth. To battle this issue webmasters implement hotlink protection to block requests not originating from a predetermined list of domains. The HTTP header field used to determine the origin of the request is called the HTTP referer.

However, CloudFlare is aware that websites implementing hotlink protection will interfere with their service. The solution: if a server returns a 403 Forbidden response then simply drop the HTTP referer on the next request. Since blocking empty referers is a very bad idea (plenty of legitimate visitors send no referer at all), CloudFlare will walk away with the prize.

Requested file   Status   Referer             User-agent
/bioshock.png    403      "http://scam.tld"   "CloudFlare-AlwaysOnline"
/bioshock.png    200      "-"                 "CloudFlare-AlwaysOnline"
https://blog.paranoidpenguin.net/wp-content/uploads/2016/05/CloudFlareAlwaysOnline.png
CloudFlare AlwaysOnline blocked and fed to the firewall after a user agent block.
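
To spot the 403-then-200 pattern from the table above in your own access log, here is an added example (not part of the original post). It assumes Apache's combined log format; the function name, the match_host switch and the sample lines are made up for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: documentation IP ranges and placeholder domains.
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2016:12:00:01 +0000] "GET /bioshock.png HTTP/1.1" 403 209 "http://scam.tld" "CloudFlare-AlwaysOnline/1.0"
198.51.100.7 - - [10/May/2016:12:00:02 +0000] "GET /bioshock.png HTTP/1.1" 200 48211 "-" "CloudFlare-AlwaysOnline/1.0"
203.0.113.9 - - [10/May/2016:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2016:12:00:06 +0000] "GET /bioshock.png HTTP/1.1" 403 209 "http://other.tld/page" "Mozilla/5.0"
"""


def find_referer_drop_retries(lines, match_host=True):
    """Return (agent, path, blocked_referer) for each 403 that was followed by
    a 200 for the same path and agent once the Referer header was left out."""
    blocked = {}  # (host, agent, path) -> Referer that drew the 403
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        # Assumption: the retry comes from the same address; pass
        # match_host=False if the client rotates source IPs.
        host = m["host"] if match_host else None
        key = (host, m["agent"], m["path"])
        no_referer = m["referer"] in ("", "-")
        if m["status"] == "403" and not no_referer:
            blocked[key] = m["referer"]
        elif m["status"] == "200" and no_referer and key in blocked:
            hits.append((m["agent"], m["path"], blocked.pop(key)))
        else:
            blocked.pop(key, None)  # any other request resets the pairing
    return hits


if __name__ == "__main__":
    for agent, path, referer in find_referer_drop_retries(SAMPLE_LOG.splitlines()):
        print(f"{agent} got {path} with no Referer after a 403 for {referer}")
```

Any user agent this turns up is a candidate for the user agent block further down.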

By following the link to the Always Online sales pitch, one feature stands out:

Are you here because someone hotlinked to your site? CloudFlare also can help prevent hotlinking with ScrapeShield.

So alright I should pay CloudFlare to block CloudFlare, that’s awesome :D

Since Always Online ignores robots.txt, the only viable solution is to block their user agent identified as “CloudFlare-AlwaysOnline/1.0”. Below is the ruleset I’m currently using to block unwanted user agents. The list contains a mix of SEO services and misbehaving bots.

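<IfModule mod_rewrite.c>
# Answer 403 to any request whose User-Agent contains one of the tokens below.
# [NC] makes the match case-insensitive.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(blexbot|mj12bot|masscan|photon|semrushbot|ahrefsbot|orangebot|moreover|exabot|zeefscraper|smtbot|yacybot|xovibot|cloudflare-alwaysonline|haosouspider|kraken|steeler|cliqzbot|linkdexbot|megaindex|sogou|yeti|siteLockspider|telesphoreo).* [NC]
# "-" leaves the URL untouched; R=403 stops rewriting and returns Forbidden.
RewriteRule ^(.*)$ - [L,R=403]
</IfModule>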

Fake Chrome apps published with Google as the developer name

I’m pretty much done with getting annoyed by all the spam and fake applications populating the Chrome Web Store. But still, once in a while you come across something special that is just too good to pass up.

It is no secret that copying an established brand makes it easier for scammers to trick their victims into installing fake apps. However, I’ve never seen them get away with (ab)using the Google brand. I guess nothing is sacred anymore as “Google” is now pushing their own AdBlocker(s) from the Chrome Web Store.

Fake Chrome apps
Block Google Ads with Google’s AdBlocker?

Say one thing for these scammers, say they really know how to pull off a heist. And in case you’re wondering, if you should happen to install the fake application you’ll be redirected to a page serving ads from Google AdSense. It’s a simple but effective plot and I’m guessing there is plenty of good money to be had as well.

How does it work? An introduction: Chrome Web Store – Your new one stop shop for malware and spam

In conclusion, here are three simple rules for using the Chrome Web Store

  1. Don’t trust the application name.
  2. Don’t trust the application logo.
  3. Don’t trust the developer name.

For the record, the apps in question are now gone from the store.

This website is now hosted on a Raspberry Pi 3

This WordPress blog is now hosted on a Raspberry Pi 3 after a year of running on a Raspberry Pi 2. Unlike with the RPi2, I’ve not done any overclocking on this device. I’m hoping that decision will decrease the number of file system related issues and obscure kernel oopses I’ve experienced lately, but I guess time will tell.

Slackware ARM on RPi3
Slackware 14.2 on a RPi3

The RPi3 is still running Slackware ARM 14.2 and the Linux kernel is at version 4.4.7 at the time of writing.

My motivation for the upgrade came from my earlier comparison of the two Raspberry Pi devices on Slackware ARM: Raspberry Pi 2 VS Raspberry Pi 3 on Slackware ARM

I hope you enjoy faster handshakes and load times on this brand new power monster :]