Why Cloudflare CAPTCHAs to even see the forum??

[DukeComposed]

Attacks.
FF 139.0 (64 bit), updated by MX gets right in, but LibreWolf 138.04 choked on Cloudfare. I'm on here with Brave which also gets right in.

It's one thing to suggest that one browser works and another doesn't; it's another thing entirely to point out that the forum's RSS feed has been offline for a few days. Since my RSS[0] reader and the browser I use to access the forum are different things, it makes sense to correlate that browsers needing to pass through an extra validation layer and RSS going offline are related.

[0] RSS is Really Simple Syndication. It doesn't allow for solving CAPTCHAs because it's supposed to be completely automated.

[Eadwine Rose]

We need to protect the forum from going down, as we are under bots attack, again. Unfortunately Cloudflare is a necessary consequence of that so we can keep things up and running.

At least you can use the workaround and still access the forum.

[Stevo]

Debian sites have also been under attack for months now; both official and the user forums.

[richb]

It seems to be a burgeoning problem. Many sites I frequent regularly, or one time have captchas prior to getting in. The ones that are particularly annoying for example are "click all images that have stairs" or some such object".

[Eadwine Rose]

"Which one is not a cake" and then having images so blurry everything looks like one.

More and more are indeed incorporating the CF protection.

[/df]

If the forum can live with whatever CF (I assume) settings StackExchange gets, that would be great. The settings here break SeaMonkey's somewhat antiquated JS but even FF 128ESR has trouble sometimes. At SE sites I never get the "human" checkbox and the challenge always succeeds, though no doubt RSS would still fail.

Even better if the challenge-passed cookie lasted longer.

[Eadwine Rose]

We can set the setting to lower when attack frequency allows. So.. basically.. all we all can do is suck it up. It sucks, but it is that or no forum at all.

[jj 5117]

It's one thing to suggest that one browser works and another doesn't;

Yup. It was that one thing.

[jj 5117]

It seems to be a burgeoning problem. Many sites I frequent regularly, or one time have captchas prior to getting in. The ones that are particularly annoying for example are "click all images that have stairs" or some such object".

Stairs I'm fair with, motorcycles, not so much.

[AK-47]

For this post, I shall temporarily take my dev hat off for a moment, to speak solely on behalf of AK-47, ie. not on behalf of the dev team and definitely not on behalf of the mod/admin/website team (which I will not do even with the dev hat on), these are solely my perspective and experience with the situation.

I certainly sympathise with the many concerns people have raised about Cloudflare, and even on regular Firefox (ie. non-ESR, official version) I get the Cloudflare stuff. I am probably going to set my forum stuff up in a VM just to access the forum, but yes there are reasonable concerns with how it operates. And just because more people use it doesn't mean it's a good idea all the time either.
That said, having been an admin of a small private forum myself, I can also appreciate the troubles admins and mods have to go through to block spam and other bots. As Eadwine Rose said, would you rather not have a forum at all?

From that experience, perhaps an answer to the original question "Why Cloudflare CAPTCHAs to even see the forum??" The reason is, protection mechanisms such as Cloudflare cannot distinguish between a page that requires a login and one that doesn't, without some heavy logic. It protects websites, not user accounts. There is nothing on the market that can protect just logged in users, and bots don't discriminate either (many of which aren't logged in).

I actually suggested an alternative to Cloudflare further up, which is used by the Arch Wiki. "However, for circumstances where you can't or won't use Cloudflare, Anubis is there for you." But again, can completely appreciate if it turns out not to be suitable, it's up to the admins to decide.

Now that I'm done, dev hat back on. Cue dancing with a cane to "Hello my baby, hello my honey, ..."