There was a time where you could actually make money by having text ads. But then the whole ecosystem got diluted by fake impressions and clicks. One easy solution would be to require people to solve "captcha", for example when logging in, before being served a text ad.
Have you ever browsed the web using Tor? Cloudfare hits you with a captcha for every other site, it gets annoying very fast. You don't want this experience for the whole Internet.
Using US Tor exit nodes (as an exercise or obligation, not out of personal necessity), I often see access denial pages by Cloudflare, up to and including within the last day.
Cloudflare is much more permissive if you enable JS for the site. Then, if you're going from a Cloudflare error page denying you permission (presumably because of Tor), you might reluctantly decide to enable JS, and reload... then you'll probably load and sit on a different Cloudflare page for a few/several seconds, before the actual content page probably will finally load.
For the scenario above, I don't know whether the site owners (usually news sites, in my case) are aware that their site has been made difficult or more dangerous to access, for some people who feel threatened/oppressed in their countries.
I appreciate that Cloudflare infrastructure is probably under constant abuse, including through Tor, and of course I don't have any snap answers for what they should do differently. What I mention above is just some of the behavior I can see.
The site owners might be explicitly blocking Tor, the "Cf-Country" header will show "T1" if the request comes from Tor, so site owners can block those requests via a Cloudflare firewall rule or at their origin. It can be tempting to block all of tor if you keep getting attacked via the tor network, even if you're a news site.
> if you keep getting attacked via the tor network
This is why we can't have nice things. Given enough time and traffic, eventually the worst-behaving actors will poke at everything vulnerable any way they can, until everything gets locked down so tight that everyone with half a brain develops acute paranoia and an intrusive sense of defeat. I honestly think it's genetic, though, and there will continue to be a lack of easy answers.
Try to find a few humans in meatspace you can trust. Preferably with skills that balance well with yours.
I would imagine it is getting worse because very recently a lot of US local news and sites are blocking so many external countries its hard to tell what is really happening inside the USA if not a large city or popular topic. Ironically, this is exactly what Tor was built to fight against but the perceived risk is too high now for some reason.
I can't figure out how you only serve the alt-srv onion address only via the tor browser. Browsing via tor otherwise does not return that header.
I have tried mimicking the user agent and many other headers, but I cannot get CF to send me the alt-srv onion address when using tor unless I am using the tor browser.
Think from the publisher side of view. You want to have an easy way to monetize content, and ads used to work well, but now you get very little or nothing from ads because most impressions and clicks are made by bots.
So instead of adding a "paywall" to see the content, you add a "captcha" and the users will be able to see the content for free along with some unobtrusive text ads.
I think it's already proven that users rather solve a "captcha" then use their credit card to gain access.
As it happened, that was only true for a minority of visitors. Many people would happily punch in an answer to recaptcha v1 to read the article one of their friends sent them, and might not have even known it was to increase the legitimacy of ad clicks.
Any publisher with any sense at all knows that annoying users will simply drive them away. Then there will be no audience at all, except perhaps bots which can solve captchas.
I mean, that's what a pay wall is isn't it? think of all things people do on HN to go around those. Solving a captcha is probably worse because it's not annoying enough to go around so you actually just have to do it, but now it's more likely a legitimate user.
Doesn't Google's current version of reCaptcha work mostly invisible? I am confident that they use a similar system atm to detect bots. I know the "checkmark" version used e.g. mouse movement to detect humans.
Iff the answer to paywalls (and not site access) is CAPTCHA, then I would have been game. Problem is that I'm still not going to disable uBlock due to the poor practices of ad companies destroying web usability.
i actively avoid sites that serve me captchas now, clicking through images of cars/bicycles/firehydrants is the most excruciatingly boring thing i've ever done
I've found sometimes the robots get really upset at your terrible performance and will ask you a lot more frequently, but eventually tire of asking new questions and are like "Sure, whatever." You'll get prompted a lot more often with the usual captchas though.
