Mastodawn

Subscription bombing and how to mitigate it

https://bytemash.net/posts/subscription-bombing-your-signup-form-is-a-weapon/

Your sign-up form is a weapon | Bytemash

How bots used our sign-up and forgot password pages to bomb real people's inboxes, and what we did to stop it. A practical guide to subscription bombing for founders and developers who think CAPTCHA is an "I'll do it later" task.

Show thread

m132 5d ago

It's a problem, but I really dislike the solution. Putting a website with known security issues behind Cloudflare's Turnstile is comparable to enforcing code signing—works until it doesn't, and in the meantime, helps centralize power around a single legal entitiy while pissing legitimate users off.

The Internet was carefully designed to withstand a nuclear war and this approach, being adopted en masse, is slowly turning it into a shadow of its former self. And despite the us-east1 and multiple Cloudflare outages of last year, we continue to stay blind to this or even rationalize it as a good thing, because that way if we're down, then so are our competitors...

Show thread

stingraycharles

So your solution would be to do nothing?

Cloudflare is an excellent solution for many things. The internet was designed to withstand a nuclear war, but it also wasn’t designed for the level of hostility that goes on on the internet these days.