When CDNs say you have malware


I lock down my browsers pretty tight. Cookies are routinely wiped, I block JavaScript and trackers by default, and I have a sophisticated Curmudgeon Engine. I wish I could say it was for privacy and security – two related, but discrete reasons – but it’s the only way to make the modern web tolerable.

While I assert the usability benefits still outweigh the limitations, it does cause problems with a few sites. For example, Cloudflare always needs to validate my existence with CAPTCHAs. Under a giant yellow exclamation mark it reads (numbers added):

Why do I have to complete a CAPTCHA? Completing the CAPTCHA proves you are a human (1) and gives you temporary access to the web property. (2)

Point (2) is definitely true for me! But forgive my nitpicking for once, point (1) is incorrect. CAPTCHAs assert the likeliness of you being a person. There are already sophisticated tools now that beat these kinds of checks at rates higher than simple trial and error.

What can I do to prevent this in the future? If you are on a personal connection, like at home, you can run an anti-virus scan on your device to make sure it is not infected with malware. If you are at an office or shared network, you can ask the network administrator to a run a scan across the network looking for misconfigured or infected devices.

This sounds like questionable advice. A home user encountering this page will reasonably assume their machine is infected after seeing that message, and will rush out to buy expensive anti-virus software. All because their browser environment couldn’t be verified.

I’m assuming Cloudflare have the metrics to correlate browser behaviour and infection rates. I also concede my use case is probably very rare. But normalising these kinds of alerts also seems a bit irresponsible; and frankly grates when I’m seeing this precisely because I browse with an abundance of caution.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person in bios. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.