Subscription bombing and how to mitigate it
https://bytemash.net/posts/subscription-bombing-your-signup-form-is-a-weapon/
It's a problem, but I really dislike the solution. Putting a website with known security issues behind Cloudflare's Turnstile is comparable to enforcing code signing—works until it doesn't, and in the meantime, helps centralize power around a single legal entity while pissing legitimate users off.
The Internet was carefully designed to withstand a nuclear war and this approach, being adopted en masse, is slowly turning it into a shadow of its former self. And despite the us-east1 and multiple Cloudflare outages of last year, we continue to stay blind to this or even rationalize it as a good thing, because that way if we're down, then so are our competitors...
Honestly I really like CloudFlare as a business. There's no vendor lock-in, just a genuine good product.
If they turn around later and do something evil, literally all I need to do is change the nameserver to a competitor and the users of my website won't even notice.
So your solution would be to do nothing?
Cloudflare is an excellent solution for many things. The internet was designed to withstand a nuclear war, but it also wasn’t designed for the level of hostility that goes on on the internet these days.
And your solution is assume everyone on the internet is a good actor?
How would you solve this at scale?
How about a signup flow where the user sends the first email? They send an email to [email protected] (or to a generated unique address), and receive a one-time sign-in link in the reply. The service would have to be careful not to process spoofed emails though.
Another approach is to not ask for an email address at all, like here on HN.