[HN Gopher] Cloudflare's inaccessible browser contradicts the co...
___________________________________________________________________
Cloudflare's inaccessible browser contradicts the company's mission

Author : mwcampbell
Score  : 453 points
Date   : 2021-07-30 19:24 UTC (2 days ago)

(HTM) web link (mwcampbell.github.io)
(TXT) w3m dump (mwcampbell.github.io)

| lbriner wrote:
| Sad but typical and not just from big "evil" companies (not suggesting that CF is!)
|
| I just ran Jekyll to migrate my Blogger blog to self-hosted and with the default importer and default theme, I clicked the Web Accessibility button and immediately got some several hundred contrast errors (lots of blog post links) and some incorrect heading levels. Just basics but people are too unaware of accessibility requirements that this even happens before a release.
|
| What is missing? Is there not an online checker like w3c does for markup or acid does for browser tests? Oh yes, it is here: https://wave.webaim.org/ and there is also a browser plugin so no real excuses.
| arp242 wrote:
| I don't know what you did exactly, but the default Jekyll theme is fairly simple black-on-white and doesn't seem to have any major issues from quick spot-check.
|
| I think it may be an issue with your import(?)
| miki123211 wrote:
| This problem unfortunately applies to a lot of remote access software, particularly when the web browser is the client.
|
| I know of one company that switched to Web VNC for accessing a specific piece of software. They had a lot of offices and the software was expensive (paid per machine). This way, they could switch to a much smaller number of licenses, letting any employee connect from anywhere and wait in line if necessary. A blind person has lost a job over this.
| digitallyfree wrote:
| I'm not sure if remote access programs (web browser or not) even support screen readers on the client, especially since many of those render the entire desktop server-side and send it back to the client as an image or video. A possible option may be to run the screen reader on the remote desktop itself if that's possible.
| mwcampbell wrote:
| > A possible option may be to run the screen reader on the remote desktop itself if that's possible.
|
| For generic remote desktop access, that's what we have to do. But piping accessibility information (in its generic form, not pre-rendered as speech) to the client side in that case is much harder than it would be for this Chromium-based remote browser. (I know this from relevant experience during my time on the Windows accessibility team at Microsoft.)
| yjftsjthsd-h wrote:
| > A blind person has lost a job over this.
|
| IANAL, but in at least the US and Europe that sounds like the easiest lawsuit of their life
| mwcampbell wrote:
| You're the third person on this thread to say that. Please check out the responses to the other two:
|
| https://news.ycombinator.com/item?id=28027986
|
| https://news.ycombinator.com/item?id=28028116
| cratermoon wrote:
| I read those "just sue them" responses as coming from people who have never even talked to a lawyer except when going through the paperwork of buying a house, much less been a party to actual litigation.
|
| Companies keep lawyers on retainer to fight suits like this. They have resources of time and money to easily bankrupt someone with a disability who has just lost a job, and typically it won't even cost the company anything above what their normal retainer fees run.
| cronix wrote:
| It is also extremely difficult to _prove beyond a reasonable doubt_ that you were let go _due to_ the disability, especially if there is only a single case in the company and not a track record to follow unless there is a blatant email along the lines of "they're blind, let's get rid of them."
| ithinkso wrote:
| This is a common misconception, proof _beyond a reasonable doubt_ is only needed in criminal cases. In civil cases most often _preponderance of the evidence_ (i.e. 'more likely than not') is enough
| [deleted]
| [deleted]
| hbag wrote:
| Aren't Cloudflare the guys that're the only thing keeping Kiwifarms up and running? Fuck those guys.
| sokoloff wrote:
| > A blind acquaintance of mine once lost his job because of a newly added requirement that he use an inaccessible application.
|
| I find it hard to believe this happened as stated in the US, where any number of lawyers would be eager to take such an open-and-shut ADA violation case.
| hobs wrote:
| There are constant and flagrant ADA violations - while the lobbying group is not weak the war of attrition is definitely with the employers not the ADA; I have seen so many violations it makes my head spin.
| WORMS_EAT_WORMS wrote:
| No doubt it could happen but I agree with you. This entire post is very odd and makes absolutely no sense at all.
| mwcampbell wrote:
| Can you be more specific about what doesn't make sense? I'm willing to clarify anything I wrote.
| WORMS_EAT_WORMS wrote:
| To my understanding their browser isolation text just renders to canvas on their edge servers (don't quote me on this). Does canvas provide any accessibility at all and is actually a bigger problem with the creation of that standard / element in HTML5 with text generation? It's essentially an image block that allows text generation with almost no accessibility in mind? That's not really Cloudflare's fault if so.
|
| I agree accessibility needs to be of higher priority. It's a shame it seems to be almost always a secondary priority to everything in tech.
|
| But this post feels like an open letter to some bigger issue when it seems like it's a very niche and non-common security tool.
|
| I mean no disrespect in this.
| junon wrote:
| Yes, canvas is able to be made accessible.
| [deleted]
| mwcampbell wrote:
| > To my understanding their browser isolation text just renders to canvas on their edge servers (don't quote me on this). Does canvas provide any accessibility at all and is actually a bigger problem with the creation of that standard / element in HTML5 with text generation? It's an image block that allows text generation with almost no accessibility in mind? That's not really Cloudflare's fault to be honest.
|
| The standard workaround is to create a parallel DOM that's invisible, e.g. covered up by the canvas. To be clear, this parallel DOM should be based on the accessibility tree of the remote browser, not based on the original DOM, as that would undermine the whole point of the exercise. This work-around may not be perfect, but Cloudflare hasn't implemented even this.
|
| > But this post feels like an open letter to some bigger issue when it seems like it's a very niche and non-common security tool.
|
| It seems to me, from Cloudflare's original pre-announcement of this technology [1], that they intend for it to be widely adopted. Here's the money quote:
|
| > Operating costs translate directly to customer costs. The S2 system was designed to make deployment to an entire enterprise and not just targeted users (aka: vaccinating half the class) both feasible and attractive for customers.
|
| [1]: https://blog.cloudflare.com/cloudflare-and-remote-browser-is...
| x0x0 wrote:
| How does building a parallel dom help, given the point of this is to not execute code on the endpoint?
|
| nm, see (your answer) https://news.ycombinator.com/item?id=28028892
| arp242 wrote:
| > Does canvas provide any accessibility at all and is actually a bigger problem with the creation of that standard / element in HTML5 with text generation? It's essentially an image block that allows text generation with almost no accessibility in mind? That's not really Cloudflare's fault if so.
|
| Not everything needs to be accessible; there are plenty of non-accessible reasonable use cases for canvas.
|
| For example, I made a small game with canvas some years ago. This isn't accessible for blind users, and that's okay. There is no real way to make this accessible as it's fundamentally a graphical game. It's called a disability for a reason: there are some things you just won't be able to do.
|
| The problem isn't with the non-accessible technologies, but when people use this in ways that make every-day stuff required for basic participation inaccessible. That's basically the issue with Cloudflare's product.
| wffurr wrote:
| It's absolutely Cloudflare's fault to build their cloud-based browser on inaccessible tech. There are alternatives.
| mwcampbell wrote:
| The pre-announcement [1] lays out at least some of those alternatives. I understand why they chose the approach they did, but they needed to do the work to make it accessible, as I advised them when that post came out.
|
| [1]: https://blog.cloudflare.com/cloudflare-and-remote-browser-is...
| true_religion wrote:
| Are screen readers capable of reading interfaces generated with QT or other desktop UI toolkits?
|
| A cursory look at QT's documentation seems to indicate that they are aware of screen readers, but I didn't dig deeply enough to find out if they were compatible by default.
|
| I know VoiceOver on OSX can at least read out the interfaces on the included apps, but I also don't know if that's true for every app---or if it actually extends to the browser and canvas/plugin rendered (flash, java, etc.) interfaces.
|
| As an addendum, I'm pretty hopeful that in this decade we'll get AI vision enabled screen readers so anything that's displayable to a sighted person can also be immediately used with some caveats by someone reliant on screen reader.
| mwcampbell wrote:
| > Are screen readers capable of reading interfaces generated with QT or other desktop UI toolkits?
|
| Qt is one of the very few UI toolkits that is more or less accessible. And even Qt's accessibility implementation isn't great. My advice for someone implementing a cross-platform desktop app would be to go with something based on the web platform. That doesn't have to be Electron; Tauri [1] looks promising, though I haven't tested it lately.
|
| > As an addendum, I'm pretty hopeful that in this decade we'll get AI vision enabled screen readers so anything that's displayable to a sighted person can also be immediately used with some caveats by someone reliant on screen reader.
|
| Sadly, that might be what it takes to get access to applications using the long tail of UI toolkits.
|
| [1]: https://tauri.studio/en/
| mwcampbell wrote:
| Here are the two (edit: three) public blog posts I could find from this guy. I'll let you decide whether I misrepresented what happened.
|
| https://blindaccessjournal.com/2006/02/the-cold-equations/
|
| https://blindaccessjournal.com/2006/02/torn-from-the-collect...
|
| Edit: Found the original announcement: https://blindaccessjournal.com/2006/02/my-job-lost-due-to-in...
|
| And yes, it was in 2006. And as it happens, his employer rehired him shortly after, but only because they found something else for him to do.
| I believe my point still stands; for a short time, he lost his job, without knowing what happened next, and he went through the emotions associated with that.
| brudgers wrote:
| ADA is Federal Law. It provides no damages. No attorney fees. The USDOJ is the plaintiff. Fines are imposed.
|
| California Law is different in that it is like other civil laws with damages and attorney fees.
|
| Consequently, cases from California make attention commanding headlines. Elsewhere in the US, citizens must beseech the USDOJ to act on their behalf...it usually doesn't.
| vmception wrote:
| Man, California sounds so great until you get here.
| kolanos wrote:
| Any U.S. resident can file an ADA complaint with the DOJ. You don't need to be disabled, you just need to be aware of an ADA violation. You can also file on someone else's behalf. [0]
|
| [0]: https://www.ada.gov/filing_complaint.htm
| brudgers wrote:
| You file a complaint with the DOJ. The DOJ is part of the Executive Branch. It is not part of the Federal Courts.
| bladegash wrote:
| That is not entirely accurate.
|
| While ADA is federal law and awards no damages, situations like what was described would be more appropriate as an EEOC matter.
|
| An award of damages is a potential remedy when discrimination (e.g., not providing a reasonable accommodation) is found to have taken place. It is also a perfectly acceptable offering during alternative dispute resolution or as a settlement.
|
| Lastly, civil litigation involving the ADA does not require support from the DoJ. The DoJ, as with other matters brought before courts on behalf of the government, CAN bring about suit and are generally responsible for enforcement.
|
| People with disabilities sue private companies all the time for alleged/actual discrimination without the DoJ.
| Animats wrote:
| We're probably headed for a world in which everything is rendered to an image server-side.
| The HTML/CSS/Javascript mess has become so bloated and attack-ridden that sending images needs less bandwidth and is simpler.
| rossmohax wrote:
| Reinventing X Server protocol?
| Jaxkr wrote:
| God I hope you're wrong.
| Animats wrote:
| Me too, but that's where Cloudflare and Google [1] seem to want to go.
|
| [1] https://thenewstack.io/google-docs-switches-to-canvas-render...
| novok wrote:
| Canvas rendering is not server side computation and streaming video, it's turning the web browser into even more of a desktop application platform. After a certain point, html breaks down.
| mwcampbell wrote:
| That wouldn't be so bad if the server sent down a tree of semantic UI elements, a.k.a. an accessibility tree, along with that image. That's basically what I advised Cloudflare to do ~18 months ago.
| miki123211 wrote:
| Except doing so is probably much more complicated than actually dealing with the CSS and HTML. Hell, it would probably take twice as much manpower to make this remote browser thing accessible than it took to make it work in the first place.
| mwcampbell wrote:
| I doubt that. Chromium's internal accessibility tree is already serializable; it has to be, so it can be sent from the renderer process to the main process. So Cloudflare's modified Chromium could send that tree down to their JS-based client, which could then construct a DOM with the appropriate HTML tags and ARIA attributes. This DOM wouldn't have any JavaScript or any references to remote resources, so it wouldn't pose the same security risks as the original web page.
| miki123211 wrote:
| Does this handle (lots of) (sometimes large) page updates, particularly across a semi-slow, semi-reliable network? Think lazy loading, SPA-style diff-based page transitions, or realtime progress bars. What about element positions (i.e. for switch control overlays that visually mark specific elements on the page)?
| Assuming this just sends keys directly to the remote browser, what about cursor-related events in editing fields? If latencies are over a few ms with those, some screen readers get confused.
| mwcampbell wrote:
| Good questions. You have an especially good point about the latency of responses to cursor movement commands; the developers of NVDA and JAWS might have to rethink their approach to that.
|
| But as far as I know, Cloudflare hasn't even tried yet.
| ggreer wrote:
| There are several problems with that approach. First, there's not enough information in the serialized accessibility tree to reconstruct the DOM.[1]
|
| Second, the serialization format is an internal API, so there are no constraints on backwards compatibility. It can change in any version of Chromium. In fact, the interface is updated all the time.[2] Cloudflare would have to constantly update their JS client to handle those changes. It's not an abstraction that can be relied upon.
|
| Third, the bandwidth and latency requirements for inter-process communication are far higher than what is available for most client-server communication. Even if the API were stable, I doubt it would be feasible to use on typical Internet connections. If you don't believe me, go to chrome://accessibility/ and click "Start recording" on a tab. I did this for an IRCCloud tab and got 4500 events in approximately 2 seconds.
|
| 1. https://chromium.googlesource.com/chromium/src/+/HEAD/docs/a...
|
| 2. https://source.chromium.org/chromium/chromium/src/+/master:t...
| mwcampbell wrote:
| > First, there's not enough information in the serialized accessibility tree to reconstruct the DOM.
|
| There doesn't have to be enough in there to reconstruct the original DOM, just enough to expose all of the information that screen readers and other accessibility tools need.
| The fact that that information would be exposed through an HTML DOM in this case is irrelevant; we know the Chromium accessibility tree has all the necessary information.
|
| > Second, the serialization format is an internal API, so there are no constraints on backwards compatibility.
|
| OK, you got me there. Maybe the server side has to go all the way and construct the HTML.
|
| > Third, the bandwidth and latency requirements for inter-process communication are far higher than what is available for most client-server communication.
|
| OK, again, maybe the server side has to digest the data some more before sending it. But at least Chromium is already pushing serialized tree updates. I'll withhold a rant on how it could be much worse.
| x0x0 wrote:
| Would you need the css?
|
| And mutations to this dom would need to be tightly synced to image updates to not confuse the hell out of nvda?
|
| Or am I misunderstanding?
| mwcampbell wrote:
| > Would you need the css?
|
| Since this DOM would be invisible, hidden behind the canvas, I'd say you'd need just enough CSS to make each element have the same bounding box as the original. Bonus points if you can safely do enough CSS to make the font size and colors match; screen readers do have commands for querying those things.
|
| > And mutations to this dom would need to be tightly synced to image updates to not confuse the hell out of nvda?
|
| Chromium has already taken pains to make sure this works, because its whole accessibility implementation is dependent on pushing tree updates from the renderer process to the main process.
| x0x0 wrote:
| got it, thanks!
| 5faulker wrote:
| Interesting. For images with few colors, manually optimized PNG can work better than WebP.
| cxr wrote:
| > _Their "client" was basically a fancy, highly specialized graphics terminal; all the real work was done on the server.
| For example, when you issued a command to an object, instead of sending a command message to the object on the server, the client would send the X-Y coordinates of your mouse click. The server would then render its own copy of the scene into an internal buffer to figure out what object you had clicked on._
|
| <http://habitatchronicles.com/2004/04/you-cant-tell-people-an...>
| sneak wrote:
| This makes logical sense. Smaller companies have fewer innovation tokens; large organizations like Cloudflare carry heavier burdens when releasing new products (i18n and a11y primarily among them).
| devoutsalsa wrote:
| It seems like Cloudflare could embrace accessibility and use that in marketing as a competitive advantage.
| daviddever23box wrote:
| ...as a competitive advantage against whom? Who else is providing this capability at the moment, and are they more or less accessible?
| yjftsjthsd-h wrote:
| If they don't already have competitors, they will soon enough, and a11y is a moat to have.
| nonbirithm wrote:
| Anecdotally, even with websites like Twitter that obfuscate their CSS class names to prevent the use of selective adblock, they still leave the readable ARIA strings in predictable places, allowing uBlock Origin users to create blacklist rules matching them. I'm wondering if those two features are at odds.
| novok wrote:
| You can do ad block with text in tag types I've found out. I use it to block the email nag from reddit.
| wolfgang42 wrote:
| Do we know that Twitter is intentionally doing that to defeat adblockers? It's a common speculation I see about them (and maybe it's a convenient side-effect), but these sorts of mangled class names are also a common feature of popular CSS-in-JS libraries. (I work on an internal app that does the same thing, and it's incredibly annoying but definitely not explicitly intended to be hostile.)
| madjam002 wrote:
| Twitter uses react-native-web which generates random class names, they're not doing it to evade ad blockers.
| MattGaiser wrote:
| For people who have worked on accessibility related stuff in production projects, how much more expensive is it vs just ignoring it?
| BoorishBears wrote:
| Does it matter? Tomorrow morning you can wake up needing those accessibility features.
| MattGaiser wrote:
| I am trying to get a sense of how big an ask this is. Is it a million dollar ask? 100K? A million a year (does it need a full time team)?
| isbvhodnvemrwvn wrote:
| The cost is considerably lower if you watch out for a11y from the get-go, retrofitting it is more expensive since you have to retain the existing behavior, sometimes of existing and complex but non-accessible components. Add to that the need to e.g. caption all the existing pictures and it gets even worse.
| arp242 wrote:
| It really depends on the specifics; for something like this I suspect it's a non-trivial investment. For a lot of other things it's not that hard.
|
| For a lot of things a11y features are just good features in general; zooming text for example is something loads of people do, not just blind or low-vision people.
| mwcampbell wrote:
| For the specific project of making this remote browser accessible, my wild guess is that if Cloudflare were to hire me to work on the project (no, not available at the moment), it could easily take a few months, but probably not more than a year. They could probably cut down that time if they hired away someone from the Chrome or Edge team who's actually an expert on Chromium accessibility specifically; I admit my main expertise is in Windows accessibility.
| BoorishBears wrote:
| That's like asking "is writing a feature a million dollar ask" without defining "feature".
|
| Need to define it at least a little to get anything resembling a useful answer.
| robin_reala wrote:
| It's part of every product team's baseline requirements to own and assess. It's considerably easier to do that up front than to retrofit. Think of it as analogous to security in this situation.
| wyager wrote:
| Of course it matters. If your model of the world is "we need to spend infinite resources ensuring every system can be operated by anyone with any disability", that's obviously nonsense.
|
| Accessibility is valuable but not infinitely so. Sometimes (usually) it's best not to encumber an innovation just because the innovation doesn't immediately apply to everyone.
| grishka wrote:
| I did screenreader support in a rather popular Android app. It took me several days to get from "can't focus anything at all on the main screen" to "all icon buttons are labeled and most of the functionality is usable, including the many very complex custom views with clickable elements inside".
| cupcake-unicorn wrote:
| Thanks so much for holding Cloudflare accountable for this. It's upsetting that they had so much input from you leading up to it and now they're dropping the ball. A lot of accessibility stuff and mission statements just honestly amounts to virtue signalling with companies and sad to see that's the case with Cloudflare so hope they step up. It shouldn't have to get to the point where they're sued but I feel like more often than not that's the only thing that changes things like this.
| daviddever23box wrote:
| Why not push the screen reader component upstream?
|
| It'd be another service add-on, but it might also be useful for folks who want to have narrative browsing, e.g., the equivalent of someone reading the news sites to the listener without having to interact with the site itself.
| marcinzm wrote:
| A screen reader is a two way device since it needs to expose ways to INTERACT with the site and not just read it.
| I assume there's many different settings for screen readers including voices, speed, ways of interaction with site elements (click, voice command, shortcuts, etc.), etc. It'd be like forcing you to use IE 6 to browse the modern web and then if you're not as efficient as someone on modern Chrome firing you.
| mwcampbell wrote:
| > It'd be like forcing you to use IE 6 to browse the modern web and then if you're not as efficient as someone on modern Chrome firing you.
|
| I might have to use that analogy next time this comes up.
| daviddever23box wrote:
| This scenario might very well require a FedGov or security audit-compliant reader application with a uniform interface.
| mwcampbell wrote:
| > Why not push the screen reader component upstream?
|
| Are you suggesting that a screen reader should run on the same remote machine as the remote browser and push its audio down to the client? Or something else?
| daviddever23box wrote:
| Yes - in the same manner as game streaming.
| mwcampbell wrote:
| That would be better than nothing, and if Cloudflare had done that, I don't think I'd be complaining publicly at this point. But there are still problems with this approach. The ones that come to mind:
|
| 1. Assuming the remote service only sends down streaming audio, this doesn't work for blind people that must use a refreshable Braille display, e.g. deafblind people. Perhaps one could hack a way to get their local screen reader to render specific text on the Braille display, but probably not without that screen reader speaking the same text. That leads me to...
|
| 2. A blind user is already running a screen reader, with its own text-to-speech engine, configured the way they want it. Adding a remote screen reader to the mix would mean two different TTS engines, and the user would need to have a way of configuring the remote one, e.g. to adjust its speed. For blind people, TTS settings are very personal.
|
| 3.
| The remote screen reader and the local one may clash on keyboard commands. And, depending on the screen reader, this is another thing that the user may have customized already; for example, some screen readers have desktop and laptop keymaps.
|
| 4. Also speaking of keyboard commands, some of them might not be implementable in a browser-based application. It's common, at least on Windows, for screen readers to use non-standard modifier keys, e.g. Insert or Caps Lock.
| daviddever23box wrote:
| To point 1, text/plain can be streamed; as for point 2, there may already be limited options, subject to application security audits.
|
| I hate to say this, but if there was one place I'd look for vulnerabilities within a purportedly-secure environment, screen readers would be near the top of the list.
| devwastaken wrote:
| Public services, even online, which are not accessible to those with major disabilities, is a violation of the ADA. https://youtu.be/IQjUCqVo4II
|
| This may apply in other ways to Cloudflare, and if so fines must be issued. It's 2021, there's no excuses for it other than not wanting to put in the work.
| ceejayoz wrote:
| The fines would apply to the companies _using_ CloudFlare, wouldn't they?
| daviddever23box wrote:
| Yes.
| ggreer wrote:
| By that logic, isn't every screen sharing app violating the ADA? A screen reader can't read the text on someone else's screen in Zoom, Webex, Slack, etc. Zoom even admits to this in their accessibility FAQ and encourages speakers to supplement with notes.[1]
|
| 1. https://zoom.us/accessibility/faq#faq11
| mwcampbell wrote:
| > By that logic, isn't every screen sharing app violating the ADA?
|
| We'd love it if the legislation had that kind of teeth. As it happens, in my day job I've been developing a product to work around the inaccessibility of screen sharing in online meetings, starting with providing real-time access to PowerPoint slides.
| But I'm not here to plug that product.
| ggreer wrote:
| Just curious, but where do you draw the line? To use a silly example: we don't legally require that everyone who posts an image on social media include a written description. There must be some ratio of cost to benefit at which accommodations stop being reasonable.
|
| If we required that screen sharing tools were compatible with screen readers, we'd have to revamp many layers of abstractions. It would require changes to every operating system, every UI framework, every browser, and every screen sharing application. An alternative would be to throw a bunch of machine learning at the problem (to try to turn pixels back into meaning), but that would have a lot of broken corner cases. The issues would likely be as bad as auto-generated subtitles, which are generally not good enough to be considered ADA compliant.[1]
|
| My guess is that if the law changed tomorrow and mandated that screen sharing tools accommodate the blind, we'd end up with no cross-platform screen sharing tools. Microsoft would make their Windows screen sharing. Apple would make their MacOS screen sharing. Google would make their ChromeOS screen sharing, and none of them would be interoperable. Also desktop Linux would be SOL.
|
| 1. UC Berkeley was forced to delete over 20,000 videos of lectures because their auto-generated subtitles weren't accurate enough: https://news.berkeley.edu/wp-content/uploads/2016/09/2016-08...
| dasyatidprime wrote:
| > we don't legally require that everyone who posts an image on social media include a written description
|
| Not that it takes too much away from your point, but I've experienced an interesting gap in this example. While not legally required, big chunks of the short-form-text fediverse (Mastodon/Pleroma/...)
| have had circulating posts recommending descriptive text for image posts, and I'm actually surprised by how many people get into the habit of complying naturally--perhaps because there's also an easily-noticeable slot in the UI for it? Ten or so years ago I remember it being like pulling teeth to explain to some people doing media projects on the Web that this kind of accessibility was important, and now with what seems to be culturally a similar crowd... huh, y'know?
| mwcampbell wrote:
| > My guess is that if the law changed tomorrow and mandated that screen sharing tools accommodate the blind, we'd end up with no cross-platform screen sharing tools.
|
| Solving this problem in a cross-platform way is hard, but not impossible, especially for a company as well-funded as Zoom. And yes, I have ideas about how it could be done, though like my suggestion about the Chromium accessibility tree, they're not necessarily fully baked.
| nanankcornering wrote:
| and they're still passing traffic of 8chan and kiwi something..
| gnicholas wrote:
| They wouldn't be the first. An SVP of a major SV company once told me "[my company] doesn't give a shit about accessibility, and no one in Silicon Valley does." When I went to the CSUN accessibility conference that year, guess which company's logo was emblazoned across the lanyards? Yup, their marketing department was happy to write checks that their company had no intention of cashing.
|
| Silicon Valley is famous for its 'patina of accessibility': https://medium.com/@nicklum/silicon-valleys-patina-of-access...
| mwcampbell wrote:
| I understand and can relate to the feeling that nobody gives a shit. And it may be true that the leadership of all of these companies only care about the bottom line. But let's not make things look worse than they are. Whatever the motive, some SV companies _are_ doing good work in accessibility.
The most | obvious example is Apple; the introduction of VoiceOver on the | iPhone in 2009 was groundbreaking and has been tremendously | useful to blind people all over the world. Microsoft | (disclosure: my former employer) is also doing good work on | accessibility, e.g. its Seeing AI app. Of course, we have | constructive criticism for these companies as well, but the | state of accessibility in mainstream tech is not all bad. | gnicholas wrote: | I understand that no one is perfect. What bothers me is the | hypocrisy: making it seem like they care when they really | don't. Did they spend $100k to sponsor that conference? I'd | prefer they spend that money actually training people to | care. | novok wrote: | A more charitable explanation is they may care, but their | organization might not put their money where their mouth | is. | | Also organizations are not monolithic singular minds, | especially as they get bigger and bigger. They are groups | of people and one end doesn't talk to the other is quite | common. | lazide wrote: | It is going to cost a whole lot more than $100k to train | everyone necessary on accessibility. Especially when you | factor in the opportunity cost involved in focusing on that | over new features or the like. | akagusu wrote: | Why people are still using and promoting Cloudflare when the | company is repeatedly trying to position itself as an internet | gatekeeper? | | There is already a consensus that internet gatekeeping is bad for | people, so why people are volunteering for this? | | This company already has a tremendous control over what people | can or cannot see on internet since a lot of websites use it as | CDN, but there should be a limit on what companies can do or | cannot.
| | In this particular case, we have blind people blocked from | internet, and it doesn't matter if this is not on purpose or it | is just a side effect, because in practice they are being blocked, | and yet something like this is unable to make a scratch on its | reputation. | wombarly wrote: | Because without CloudFlare we would: Pay thousands in bandwidth | costs per month; Double or triple our servers to handle peaks | (they cache and serve the HTML for us); Be down constantly | because of DDOS attacks. | grishka wrote: | Is DDOS such a frequent occurrence that you would be down | "constantly"? | MrStonedOne wrote: | Yes | rhizome wrote: | Demand wouldn't drive bandwidth prices down? | netr0ute wrote: | If you're lucky, bandwidth is free. | SimeVidas wrote: | > Why people are still using and promoting Cloudflare | | I use Cloudflare because it hosts my website for free. | vorpalhex wrote: | I don't think Cloudflare is intentionally trying to gatekeep | the internet. At the same time the road to hell is paved with | good intentions. | | Their CDN service has allowed a lot more sites to exist than | the two it has harmed (and I don't consider those two to be | great losses). | | However they are certainly becoming an internet chokepoint and | we need more alternatives to them for the good of the internet. | saagarjha wrote: | Perhaps they don't see it as "gatekeeping", but it is clearly | an explicit goal of theirs that the internet goes through | them. | pxue wrote: | Because the pendulum is swinging towards ease of creation over | control. | | I can spin up a simple web app or a simple cloud function and | get it globally distributed in minutes, for free. That's | amazing | alabamacadabra wrote: | Perhaps amazing shouldn't be what wins in the long run? | arodyginc wrote: | If your function could be shutdown in minutes on a bad will, | would that be amazing? | pxue wrote: | Nop. But like I said the tradeoff is clear, ease vs control.
| | I'm sure we would have had this talk when on-premise | transitioned to the cloud. Same arguments apply | MattGaiser wrote: | People don't want the Internet gate kept. They do want their | sites protected though. | vbezhenar wrote: | I like Cloudflare, because it provides some very essential | services with free tiers. It is big enough, so I can trust | them. I can be sure that they won't inject ads into my HTML | pages. I can be sure that their DNS will not replace NXDOMAIN | with fake ad responses. I can be sure that they won't log my | VPN traffic trying to extract passwords or something like that. | | For sure I don't support their decision to ban blind users and | hope to see that resolved. But that's not enough to change my | mind, not even remotely. | grishka wrote: | > I can be sure that they won't inject ads into my HTML | pages. | | But they will harass your visitors with captchas for no good | reason. I also sometimes run into Cloudflare's "this website | is using a protection service" with no way around; it turns | out it's a geoblock because it does load just fine when I use | a VPN through Germany. | | The internet was meant to be decentralized. The IP addresses | were meant to be used for routing and for routing only, and | otherwise treated equally. | mattl wrote: | People use Cloudflare to limit traffic from particular | countries and Cloudflare exposes Tor as a country that can | be blocked. | | The Internet wasn't meant to be decentralized. The ARPANET was | meant to be able to function in the event of a war. | grishka wrote: | > People use Cloudflare to limit traffic from particular | countries | | Why would a website care where I'm from? | azalemeth wrote: | Companies use geo-ipv4 a _lot_ and it's inaccurate and a | giant, giant pain in the arse. | mattl wrote: | They only sell products in some countries and the vast | majority of abuse comes from other countries is the one | use case I've seen for it.
| grishka wrote: | What if I want to just look at a product with no | intention to buy it? What if I do want to buy it and use | a parcel forwarding service to get it to me? | Aldo_MX wrote: | International customers are more trouble than it's worth | when you're a small company and you as a seller are the | one who absorbs the loss in cases of delayed, defective, | lost or damaged items. | mike_d wrote: | > I can be sure that they won't inject ads into my HTML | pages. I can be sure that their DNS will not replace NXDOMAIN | with fake ad responses. I can be sure that they won't log my | VPN traffic trying to extract passwords or something like | that. | | But they have built the perfect shim in the middle to do ALL | of these things at some point in the future. | | The only thing preventing it is a handful of moral | executives, who someday will move on or retire. At that point | a smart Wall Street type is going to figure out that a merger | between CloudFlare and $adnetwork is going to generate a shit | ton of money (think Google+DoubleClick). | | I don't doubt that CloudFlare is full of smart well meaning | people, but what they have built is a ticking timebomb. The | solution is to have ten CloudFlares so that the path between | consumers and websites isn't regulated by a single | organization. | | Edit: to be clear, the internet was successful because any | host could talk to any other host. If people did dumb shit | you could work around it in creative ways. Even in the most | oppressive countries censorship is still bypassable. | CloudFlare's business model is centered around convincing | companies to effectively disconnect their services from the | internet so they only talk to CF servers. | plankers wrote: | I was with you up until "The solution is to have ten | CloudFlares so that the path between consumers and websites | isn't regulated by a single organization." | | This is hardly a solution, it just spreads the pain around. 
| A solution would be a democratically planned organization, | or group thereof, which is responsible to all shareholders | including users, employees, executives, and investors. | lbotos wrote: | Uh, I still don't want one company to be between me and | most of the internet, no matter how it's governed. | | (And if you wanna be snarky and say "what about your ISP" | I can choose to use different ISPs. And even that is | getting threatened.) | kinjba11 wrote: | To me saying any $X big company is a ticking time bomb is | nonsense. | | The fact is, a number of companies control a huge number of | eyeballs. An unethical exec taking advantage of that would | cause enormous PR nightmare. If you're making money with a | great brand reputation, you don't mess with the recipe. | edoceo wrote: | Yes, they do mess with the recipe. They've got money to | mask it out and assist with conditioning the population | to the new norm. And they can do this cause the service | is sticky. Mass client exodus is very unlikely. And the | ones that move out for morals are quickly replaced. | | Juggernaut is unstoppable. | ignoramous wrote: | > _But they have built the perfect shim in the middle to do | ALL of these things at some point in the future._ | | Nginx/Webserver-as-a-service is _literally_ their business. | They could not have provided the services that they do, any | other way. | manquer wrote: | Is there a case for ML based advanced screen readers which do not | need assistance from the application ? | | The problem seems fairly tacklable. Learning what is on a | display screen is relatively easier than most computer vision | problem spaces. There are many repetitive patterns in typical | application UX. | | For example let's say there is a label for Save Icon that is an | image (a Floppy Disk in most apps) and not alt tagged. By | visually reading the image of the screen the model should not | have too much difficulty in tagging it that as Save button ?
| | Most consumer / biz app UX do follow many standard conventions if | only out of convenience and lack of imagination, so building a | learning algorithm around these components should be possible ? | peterkos wrote: | This paper[0] takes a look at something like this, but it's | notable that this is seen as a springboard for more accessible- | focused design, rather than the beginning and the end (See | "Discussion & Future Work"). | | [0] https://dl.acm.org/doi/abs/10.1145/3411764.3445186 | | Edit: I realize I've just linked to the same paper as the | comment below. Oh well! | mwcampbell wrote: | This is being worked on. AFAIK, Apple is the first to | incorporate this approach into a released product, with the | Screen Recognition feature of VoiceOver starting in iOS 14. | manquer wrote: | Thanks for the response Matt. I leave the link here for | others to look into [1]. | | Their effort seems currently limited to iOS based Phone | screens. iOS is perhaps easier to solve given the strong | Apple design guidelines for apps to pass the App Store review | process. | | Perhaps a community supported distributed approach to help | build the database of annotated screens for the model to | learn from, combined with open source models for all kinds of | screens and applications( not just Apple) would be | interesting project to work on. | | [1] https://machinelearning.apple.com/research/creating-accessib... | nickdothutton wrote: | When requesting new functionality please complete the "revenue | opportunity size" field in the Jira and indicate what quarter you | expect this opportunity to close. | geofft wrote: | You're not wrong, and the answer is that this sort of thing | needs to impact their bottom line somehow - either because | customers insist on it as part of a purchase checklist, or | because the legal system will actually go after violations, or | because they'll lose important employees. | | I don't have a real sense of which of those is most realistic.
| daviddever23box wrote: | I'm not so sure that there's a legal recourse for this on | Cloudflare's part, but it's certainly possible for the | customer-at which point, the demand will increase to a | tipping point. | tomklein wrote: | Out of curiosity: Do screenreaders use OCR nowadays and if so, is | it working good or rather bad due to the lost HTML markup? | arp242 wrote: | OCR is a poor substitute since it can't really effectively | navigate things due to lack of navigational information, | recognition of semantic elements like headers, etc. | | I'm not blind myself, but I've tried to use some screen readers | in the past to get a feel of what it's like. While I'm a _very_ | inexperienced user, one thing I noticed is that even with the | best designs it's actually really time-consuming compared to | regular browsing. I would imagine that an OCR solution would be | even more time-consuming, if it even works well at all. | thatguy0900 wrote: | I've heard that actual blind people train themselves to use a | speed of speech that is almost unintelligible, so it might be | significantly faster for them to use the same software | mwcampbell wrote: | Please be careful about drawing conclusions on what web | browsing must be like for blind people, based on your limited | experience with a screen reader. One of my blind friends put | it more eloquently: | https://news.ycombinator.com/item?id=9284744 | | A sibling comment makes a good point about blind people | running their speech synthesizers at high speeds. Experienced | screen reader users are also good at using their screen | reader's many keyboard commands to jump around a web page. | arp242 wrote: | Sorry, I didn't mean it to come off as definitive or to say | that it's _exactly_ like your experience - that would of | course be silly and misguided. | | It's one thing to listen to people talk about it, but it's | another to actually use it.
Not to be stubborn about it, | but wouldn't you agree that while you can certainly be | effective with screen readers, that in general it's (or can | be) less convenient than "normal" computer usage and comes | with some downsides? After all, if it was of equivalent | convenience then loads of people would be using it, no? | | I should get back to this; but unfortunately I found it | very hard to get a screen reader running on Linux :-/ | mwcampbell wrote: | > Not to be stubborn about it, but wouldn't you agree | that while you can certainly be effective with screen | readers, that in general it's (or can be) less convenient | than "normal" computer usage and comes with some | downsides? | | Of course. Vision is a higher-bandwidth medium than | speech or Braille. But you don't always need all of that | bandwidth. And, at least in my experience, sighted people | tend to underestimate how well a blind person can | compensate for their impairment, in this case by being | really good at using a screen reader. That's why I | replied the way I did. Sorry if I came off as too | accusing. | | BTW, I'm not even an especially skilled screen reader | user. I have enough sight to read the screen up close | with largish fonts, and I used computers that way for a | long time before I started routinely using anything | resembling a modern screen reader. (I did use early | screen readers as a child in school, but didn't have | access to them at home.) Even now, I do my programming | visually. But make no mistake, there are blind | programmers who are very productive programming with a | screen reader; I'm just not one of them, at least not | yet. | | > I found it very hard to get a screen reader running on | Linux :-/ | | Unfortunately, IMO the best screen readers are on | Windows. | londons_explore wrote: | There is _so much scope_ for using ML to make a screen reader | work on any old software. | | Yet nobody is really investing in screen readers. 
| miki123211 wrote: | They sort of do. Voice Over on iOS, and its screen | recognition, is probably the most notable example. It even | tries to recognize some UI controls and emulate common | behaviors (like sliding a slider), for example. It's far from | perfect. It might help when you need to click the odd | inaccessible button, but is definitely not enough for daily web | browsing. | miki123211 wrote: | On most Cloudflare-related HN threads, Cloudflare was really | active and eager to answer the engineers' questions. | | It's notable that this one is different. The fact that it's | Sunday afternoon may be part of the reason, but I guess they | really don't have anything to say. I'd really love to see their | internal Slack now, though. | neom wrote: | For what it's worth, I've known Matthew for many years. | Although I wouldn't at all say we're close, I feel like I've | had enough conversation to know who he is. Matthew is a good | guy, I've never considered him to be tone deaf, and I genuinely | believe he has the best interest of the many at his core. That | said, the credence given to the visually impaired across the | industry is categorically, absolutely, abysmally awful. I've | never taken it as seriously as I should in my career, near all | decision makers I know don't take it as seriously as they | should, and I think shame on me and shame on everyone else. | Things should be easier for visually impaired people, a) | because it's the right thing to do and b) because it's low | hanging fruit. While I don't think Matthew is unique, I do | think he has a particularly significant responsibility given | how important his technology is. As a shareholder, a friend, | and a customer: I hope he takes this seriously, and I suspect | he would. | mwcampbell wrote: | > For what it's worth, I've known Matthew for many years. | | And for what it's worth, I don't know him at all, and | wouldn't dare to assume anything about his character.
I | appreciate that he responded at all to my cold email 18 | months ago. I just wish the company would follow through. | | I don't know you either, but if there's anything you can do | to help my message get through, that would be greatly | appreciated. | mwcampbell wrote: | I submitted this on Friday, but for whatever reason, it didn't | catch on then. Thanks to the HN mods for putting it in the | second-chance pool. I've pinged Cloudflare and eastdakota again | on Twitter, so let's see what happens. | whoaisme wrote: | When google makes arbitrary decisions we hate on google. When | hn makes arbitrary decisions we say thank you. And we wonder | why the tech industry is so fucked up. Imagine how even more | pathetic this site would be if dang paid you all 6 figures. | oknhy30ao wrote: | Hey, I don't work on the Browser Isolation team, but want to | let you know that there's a project in progress and your post | is certainly being discussed. I'm hoping we can provide a | solution that meets or exceeds your expectations. | | PS-- Please pardon the throwaway account, CF employees have | been getting targeted online. | mwcampbell wrote: | . I look forward to the results of that work in progress. | In the meantime, I still think it's reasonable to expect an | official response. As far as I can tell, Cloudflare has not | publicly acknowledged the problem yet (please correct me if | I'm wrong); even a disclaimer on the product page would be | better than nothing. And the last private response I got | about this was 4 months ago. But thanks for telling us what | you can. | floatingatoll wrote: | It's not business hours for non-emergency press concerns | until tomorrow at tech companies whose press office is in | the US, such as Cloudflare. HN can be swell, but we don't | deserve weekend hours. | mwcampbell wrote: | Fair enough.
I just meant to say that I wasn't letting | the company completely off the hook because of that | response from a throwaway account, not that I expect an | official response _today_. | throwaway42day wrote: | Because the only publicly acceptable answer would be to agree | to all the poster's current and future demands, regardless of | the cost, priorities, risk of breaking other features, etc. And | it never works out because the demands tend to increase over | time, and the PR damage of rejecting the very last demand is | proportional to the number of ones previously accepted. | | Make a thought experiment: think what if Cloudflare answered | trying to explain the complexity, risks, and maybe cost | estimates for supporting something like that, but refusing to | add it right away. Nobody would listen to their reasoning. They | would be immediately labeled as blind haters or whatnot, | supported by endless news articles and retweets. | | Make another thought experiment: assume they comply with the | current demands and add the functionality at some fixed cost. | Then in the future, the poster decides that the accessibility | support is not sufficient and still makes life hard for blind | people. He would come up with another set of demands and | Cloudflare would again be forced to comply, because nobody | would listen to their reasoning. And because it is physically | impossible to make a blind person as productive at certain | tasks as a non-blind one, there will be always room for | improvement and room for more demands. | | If you want to truly help the blind, please go ahead and launch | a competing product. Or offer an ML-based tool working on top | of existing products. Or create Wiki-like system where people | would maintain semantic models of commonly used non-accessible | sites, letting the accessible tools work over them. But all of | that requires hard work, countless hours and numerous trials- | and-errors. 
Trying to strong-arm someone else to put in that | effort surely gives a much faster gratification, but it only | results in further alienation and ghosting. | | Sure, Cloudflare will release an official statement saying how | they are committed and dedicated and working and planning and | hoping, and the whole thing will get forgotten in a few weeks, | but ultimately if you want someone to help you, maybe try to | understand their constraints and find a compromise, rather than | trying to use the buzzwords to throw the mob at them. | mwcampbell wrote: | > If you want to truly help the blind, [...] all of that | requires hard work, countless hours and numerous trials-and- | errors. | | I do work hard on products to help blind people, and I have | been for years, but I can't solve every problem by myself. I | even quit my cushy job at Microsoft (on the Windows | accessibility team) to develop a product that works around | the inaccessibility of screen sharing in online meetings -- | imperfectly, but still better than nothing. But neither I nor | my tiny company are well-positioned to compete with | Cloudflare in the field of security products (such as Browser | Isolation) targeted at corporate IT departments. And | unfortunately, this particular accessibility problem is not | one that we can work around from the outside, at least not | yet. So I felt it was worth some of my time to advocate for | Cloudflare to make this product accessible. | | > And because it is physically impossible to make a blind | person as productive at certain tasks as a non-blind one, | | Of course; vision is a higher-bandwidth medium than hearing | or touch. But that full bandwidth isn't always needed. And | unless you've watched a blind person who's proficient with | their screen reader, you may be surprised at how productive | they can be at a great many tasks. | | > there will be always room for improvement and room for more | demands.
| | I appreciate that you and others on this thread don't know | me, but I've been active in the online blind community for | about 20 years, and I don't believe I'm known for making | endless demands of mainstream tech companies. And in this | case, there's a natural stopping point: when the remote | browser is either as accessible as a local browser on the | same website, or as accessible as it can be within the | constraints of the web platform (where the client for that | remote browser runs). And my original advice to Cloudflare on | this subject was targeted at getting the product all the way | to that logical endpoint. | | Having said all that, I realize that what you said may | reflect what people at Cloudflare think; after all, they | don't know me either. I vouched for your comment when it was | dead because I felt someone should be allowed to say what | others might well be thinking, and I didn't think your | comment was too inflammatory. I'd appreciate suggestions on | how to better signal that I won't, in fact, put them in a bad | PR situation by making ever more demands of them. | Rapzid wrote: | > Now, four months later, this problem is still not solved | | Further I would have never expected something like this to | get teed up right before the start of a quarter, and so of | course it wouldn't be completed at the end of the quarter. | mwcampbell wrote: | OK, that sentence probably should have been something like, | "Now, four months later, there has been no visible progress | on this problem." | | Also, remember that Cloudflare first announced the | technology 18 months ago, and I advised them of the need to | pay special attention to accessibility back then. If I had | first raised this 4 months ago, then of course I would | understand why they couldn't have solved the problem in | that much shorter time. | frakkingcylons wrote: | I think it's more to do with the timing (it's the weekend).
| You'd really want to talk to the relevant team before saying | much. Given that this isn't an urgent worldwide problem, paging | team members during their weekend would be the wrong move. | They'll probably have a meeting on Monday and I think that's | when we'd see an update from them. | _moof wrote: | Fighting discrimination is difficult and can be exhausting. As | someone in a (different) protected class I just want to say kudos | for doing this work. | dnzkw wrote: | Isn't demanding that non-trivial work is done just to | accommodate your class the opposite of discrimination? | codezero wrote: | They shouldn't have to demand accommodation. That's the | point. | dnzkw wrote: | And my point is that discrimination is an active effort, | which this is not. Things are, by default, not accessible, | because things are generally crafted for able bodied | humans. | tobr wrote: | Where did you get the idea that discrimination has to be | the result of an active effort? Anything that makes one | group of people excluded or treated worse is | discrimination, even if it is the result of an oversight. | | Your second sentence is basically exactly the problem: | able-bodied people are arbitrarily treated as the | "default", and others are left out. | dnzkw wrote: | If it's an oversight how can it be an active effort? | | Able bodied people are the default because they are the | absolutely overwhelming majority. | | Let's agree to disagree, I think. | _moof wrote: | Discrimination absolutely does not require an active | effort. Neglect is just as effective at keeping people | out. | | In any case Cloudflare's inaccessibility is a direct | result of choices they "actively" made. Technical | decisions, prioritization, maybe even company culture. | mwcampbell wrote: | And remember, I advised them of the need to pay special | attention to accessibility in this product over a year | before it launched. 
| Xorlev wrote: | It takes something that once was made accessible, through | active effort, and makes it inaccessible. That's the | point. | x0x0 wrote: | It's not a matter of agreeing; it's a matter of the US | govt is saying these are the rules for doing commerce or | hiring employees in the US. As codified by the ADA. Post | domino case, that clearly applies to company websites. | rini17 wrote: | In this case the data basically exist in accessible form and | they are doing nontrivial work to make them inaccessible. | chmod775 wrote: | At this point browsers are a basic building block of our society. | | There is absolutely no excuse for lacking accessibility features. | | You might as well say your "browser" can't render Arabic. | kevin_thibedeau wrote: | > There is absolutely no excuse for lacking accessibility | features. | | Then how are the kids going to have their flashy Electron apps? | mwcampbell wrote: | > Then how are the kids going to have their flashy Electron | apps? | | This Electron-bashing is misplaced. In point of fact, | Electron is one of the most accessible cross-platform UI | solutions. | em-bee wrote: | what is the legal situation here? wouldn't laws that require the | employer to make accommodations for the disabled simply force the | company to not use this tool for blind employees? | | the company would have to prove that using this tool is strictly | necessary, which i believe is hard to prove, because if it was | strictly necessary then everyone at home should be using it too. | | there should only be few places where such a tool is strictly | necessary, and those places already use it. anyone who only | starts using it now when it gets more convenient can't make the | claim that they could not do their work without it because they | could until now. | brudgers wrote: | The legal situation is akin to speeding. While technically it | is illegal to drive 56 in a 55, you won't get a ticket for it.
| And lots of places the flow of traffic will be 85 in a 65 and | the cops are not about to hold things up. | | Same with accessibility only there are powerful economic | interests at play too. | adventured wrote: | > And lots of places the flow of traffic will be 85 in a 65 | and the cops are not about to hold things up. | | They sure will. They'll pull a traffic break when something | is wrong. They get out in front of a block of traffic, throw | on their lights, and begin swerving across lanes, instructing | the speeding flow of traffic to collectively slow down. I've | seen cops routinely do that in both California and on the | East Coast. | | Cops will do that for various reasons, including safety | purposes (if something has happened up ahead) or just to | reassert control if they decide the flow of traffic is going | too fast. Here is a safety example of it in action in Utah: | | https://www.youtube.com/watch?v=P9IsAu_96oo | | The Germans apparently do this for safety as well: | | https://www.youtube.com/watch?v=a-TZBhy-jDk | namibj wrote: | The German example was about debris on the traffic lane(s) | that had to be removed ASAP, and for a safe working | environment, the traffic has to be slowed down/stopped. | mwcampbell wrote: | > what is the legal situation here? | | Honestly, I don't know. | | We may disagree on whether browser isolation is strictly | necessary. But to the extent that Cloudflare's marketing | efforts convince IT departments that it is, and that it's | important to adopt it company-wide, that's bad for blind people | unless Cloudflare makes the product accessible. I don't know if | their marketing efforts are succeeding, but I'm being proactive | here. | em-bee wrote: | well, i mean strictly necessary in the eyes of the law. but | that's something we won't find out until affected people | start suing employers for discrimination or whatever the | appropriate claim here is. and until then there will be | casualties as you already predict. 
| novok wrote: | TBH it only becomes an issue when it's required for the blind | people to use this browser. If I was running a company and ran | into this, I would just say the blind people and other unserved | edge cases should just use normal chrome until cloudflare | delivers the full version. | | Security is a probability spectrum, not a binary as many are | fond to think of it. | mwcampbell wrote: | I hope any companies that adopt this product agree with you | on this point. But in case they don't, I still think it's | important to urge Cloudflare to make this product accessible. | novok wrote: | A small company TBH would not adopt this kind of browser, | and a large company that might is too paranoid about | lawsuits & CYA behavior to not make such an exception once | it got escalated. And if it became very wide spread, I | think it would have that stuff built in too, because to get | some big company / govt contracts an accessibility | requirement eventually gets thrown in somewhere. | mwcampbell wrote: | > A small company TBH would not adopt this kind of | browser | | At $10 per month per user, that's dependent on whether | one decision-maker in that small company can be swayed by | Cloudflare's marketing, right? | Sebb767 wrote: | > A blind acquaintance of mine once lost his job because of a | newly added requirement that he use an inaccessible application. | | IANAL, but wouldn't this be grounds for a lawsuit? | Ensorceled wrote: | Yes. But then you have to hire a lawyer after just losing your | job, survive during the time the lawsuit will take, win the | lawsuit ("plaintiff was let go because position was | redundant"), collect, resume your job or job hunt with a | "trouble maker" label. | | I really wish HN contributors would not suggest the legal | system as a solution for these types of problems, it's totally | unrealistic. | Sebb767 wrote: | IMO this is a pretty clear-cut discrimination case.
I'm aware | that lawsuits can be problematic for quite a few reasons, but | just eating it up would be a just as horrible suggestion. | arp242 wrote: | Aside from practical concerns such as time and money, these | kind of battles can be _very_ emotionally draining. Some of | the most stressful experiences I've had in life is when | some company or person did me a serious injustice and it's | hard to get your rights. | | I found it's better to let go, for my own sake. It's very | stressful and very easy for the situation to consume you, | which isn't healthy and on balance you may be worse off if | you factor this in. Everyone is different, and other people | may experience these kind of things different, but I've | seen the same in various other people, both publicly and in | my private life. | | Of course this really sucks and is very unfair. But it | doesn't change it. | Sebb767 wrote: | Fair enough. Let's just hope said acquaintance was in a | position to handle it without regrets. | mwcampbell wrote: | He got lucky; as I mentioned in another comment [1], | which links to more details on what happened, he was | quickly rehired in a different role. But for a short time | before then, he went through everything that comes with | unfairly losing a job. And again, it might not have ended | so well. | | [1]: https://news.ycombinator.com/item?id=28028099 | ushakov wrote: | i'm getting more worried about where Google is going with their | accessibility strategy | | flutter and the canvas-based google docs are completely | inaccessible | heavyset_go wrote: | Several months ago I asked the Flutter engineering director[1] | this question[2] on a Flutter 2 HN submission: | | > _I don't understand how breaking accessibility with Flutter | wouldn't mean that companies that use it on the web are | violating the ADA._ | | And didn't get a response. 
| | I'm still left wondering how a company that adopts Flutter on | the web wouldn't be violating the ADA by breaking | accessibility. | | [1] https://news.ycombinator.com/item?id=26335062 | miki123211 wrote: | Flutter is (somewhat) accessible with the help of an alternate, | hidden DOM, only provided if an "enable accessibility" button | is pressed, for performance reasons. Unfortunately, some | privacy zealots prevented web browsers from communicating that | a screen reader was detected, so we need to press an extra | button anytime we visit a Flutter app. | | Google Docs has had two relatively good accessibility | implementations for a long time, none of which relied on the | original DOM, which was hidden from screen readers. The default | one relies on pushing raw strings for the screen reader to | speak, while the other one (called Braille mode, as the first | method couldn't provide braille display compatibility), uses | more modern APIs to provide the required information in the | DOM, relying on special announcements only where necessary. | konaraddi wrote: | > the canvas-based google docs are completely inaccessible | | AFAIK Google docs is still accessible. See the "Additional | details" at the bottom of | https://workspaceupdates.googleblog.com/2021/05/Google-Docs-...: | | _Compatibility for supported assistive technologies such as | screen readers, braille devices, and screen magnification | features, will not be impacted by the canvas-based rendering | change. 
We will continue to ensure assistive technology is | supported, and work on additional accessibility improvements | enabled by canvas-based rendering_ | ushakov wrote: | see, they didn't say that canvas-based Google Docs will be | accessible - all they promise here is that it will be | "compatible" | | "compatible" could just mean that assistive technology will | work while browsing Google Docs and nothing beyond that | | this is a textbook example of deceptive corporate doublespeak | arp242 wrote: | What more do you want beyond "will work"? | | Does it not actually work now? What are the issues and | practical concerns right now? | wffurr wrote: | Have you tried using a screen reader with Flutter apps or the | canvas-based Docs? | | From the very first result on "Flutter accessibility": | | >> We strongly encourage you to include an accessibility | checklist as a key criteria before shipping your app. Flutter | is committed to supporting developers in making their apps more | accessible, and includes first-class framework support for | accessibility in addition to that provided by the underlying | operating system | | https://flutter.dev/docs/development/accessibility-and-local... | ushakov wrote: | encouraging accessibility is not enforcing accessibility | | edit: what i meant here is, instead of making the framework | accessible out of the box, Google is trying to shift the | responsibility to the developers | arp242 wrote: | Enforced accessibility would be horrible. What if I want to | make an application just for me? Or a game or something | else where the basic concept isn't fundamentally accessible | for blind people? | | A lot of the open source software I release is for one | reason and one reason only: it's useful for me. I generally | try to make it a bit useful for others as well, but that's | mostly just a nice bonus. 
I do care about accessibility in | general (actually, I've been meaning to ask Matt about | accessibility on CLI programs) but it's not really | something I think about on these kind of programs, just | like I usually don't consider most use cases outside of my | own. If someone were to bring it up then I'd see if | something could be done (like any other issue people bring | up), but this depends on my available time and "if I feel | like it" as well. | | The alternative would be to never release it at all and | keep it in my ~/code directory. I think that would be a | loss. | mwcampbell wrote: | > (actually, I've been meaning to ask Matt about | accessibility on CLI programs | | Assuming you meant me and not some other Matt, go ahead. | In general, I'd say it's pretty hard to make line-oriented | CLI programs inaccessible. Screen-oriented (e.g. | ncurses-based) programs are, in my experience, harder to | use with a screen reader, but still generally not | terrible. Anyway, happy to answer any specific questions | you have. | daviddever23box wrote: | Whose statutory responsibility is it to enforce | accessibility? And by what methods? | | I'm not encouraging folks to flout this, but one needs to | be quite specific as to what is required where, and for | whom. | [deleted] | goodpoint wrote: | Cloudflare is also killing Tor with its blockpages. | | It's a global threat to privacy and freedom of information. | tmikaeld wrote: | It's up to the site owner if they want to block Tor or not, | the site owner could just as easily have blocked Tor if they | were using a normal server. | goodpoint wrote: | > It's up to the site owner if they want to block Tor or not | | No. Cloudflare does that automatically when the owner selects | "high protection" without clarifying the impact of the | choices or discouraging such practice. 
| | > the site owner could just as easily have blocked Tor if | they were using a normal server | | Not at all, it's difficult to implement to the same level as | cloudflare. | junon wrote: | It is _super easy_ to implement this at the same level as | cloudflare. You just check the connection against the exit | node lists. | judge2020 wrote: | > Not at all, it's difficult to implement to the same level | as cloudflare. | | https://check.torproject.org/torbulkexitlist | Asooka wrote: | But is blocking Tor a decision the site owner has to make, or | is it the default and requiring you to set up custom site | protection rules if you want to accept Tor traffic? | zinekeller wrote: | Explicit, using the special "country code" T1. However, I | also noticed that natural blockrates (on my non-CF servers) | tends to be higher on Tor exit addresses due to (seemingly) | more aggressive hacking attempts - probably the same on CF | (the real anonymity of Tor is both a blessing and a curse) | prophesi wrote: | You can explicitly block all TOR nodes, but by default | the security settings is set to "Medium" which blocks the | majority of them. | | I'd also like to know Cloudflare's definition of | "malicious traffic". I think the main fears are DDoS | attacks (which is a nonexistent threat to the majority of | site owners) and scraping email addresses for spam. Which | can be addressed by informing site owners to use a | contact form widget instead of putting their email on | their contact page. | judge2020 wrote: | > but by default the security settings is set to "Medium" | which blocks the majority of them. | | Citation needed, as my Enterprise zone with security | level set to 'high' doesn't block my own Tor visit (and | /cdn-cgi/trace does indeed show loc=T1). 
| zinekeller wrote: | See my corollary comment on some of my non-CF servers and | the blocking - Tor does provide important anonymity, and | I understand that Cloudflare, which is bigger, can | probably absorb it without much damage, but unfortunately | Tor exit nodes have a much higher attack and hacking | attempts than regular IP addresses. In high-security | applications when anonymity is already lost anyway | (logging into a bank, for example) it is reasonable, due | to the inherent risk, to block Tor exit nodes. | prophesi wrote: | Ironically, Cloudflare's default protections are probably | the largest contributor to any radical usage of TOR. It's | assumed you've a subversive motive since it's impossible | to navigate the open web with it. | | Edit: I'm also not sure what "attacks" and "hacking | attempts" mean. I'm guessing credential stuffing of admin | pages? Brute-forcing the SSH password for root? These | also can be prevented in a myriad other ways that don't | disenfranchise TOR users. | zinekeller wrote: | > Brute-forcing the SSH password for root? | | Not in this context. Cloudflare-protected pages don't | need to worry about that. | | > I'm guessing credential stuffing of admin pages? | | More complex than that, but you've got the point. | | Funnily, there is silence on Fastly's filter - sure, it's | not active until you toggle it, but even without explicit | Tor block you get the same result. | prophesi wrote: | Can it not be defined beyond "it's complicated"? | zinekeller wrote: | It's quite hard, because it's not just "use known | vulnerabilities on this specific address" - you can block | it easily, and there are projects (such as CRS: | https://github.com/coreruleset/coreruleset) that try to | emulate this. It's more of combined specific attacks, | which is amplified because if CloudFlare detected an | attempt on a single high-profile site, then that IP | address can be propagated to all of Cloudflare-protected | "properties" (as they called it). 
Combine that with how | random is an address allocated in Tor (and frequent | rotations), and you've got blocks without using an | explicit Tor list. | prophesi wrote: | > it's not just "use known vulnerabilities on this | specific address" | | Ok, so they're not blocking complicated attacks. Just | automation of attempts to exploit known vulnerabilities. | And then their IP is marked as high risk. Rinse and | repeat until the majority of TOR nodes are blocked. | Definitely can't see that causing issues for TOR (or VPN) | users. | | Edit: And to comment on this: | | > Funnily, there is silence on Fastly's filter | | > Cloudflare is used by 80.6% of all the websites whose | reverse proxy service we know. This is 17.4% of all | websites. | | https://w3techs.com/technologies/details/cn-cloudflare | | > Fastly is used by 5.7% of all the websites whose | reverse proxy service we know. This is 1.2% of all | websites. | | https://w3techs.com/technologies/details/cn-fastly | goodpoint wrote: | > In high-security applications when anonymity is already | lost anyway | | There are countless sites that only serve static contents | and yet cannot be accessed over Tor. | | Furthermore, many other provide an optional login that | could be made to block Tor exit node, but the default | settings of cloudflare still block the whole site. | | Additionally, "anonymity is already lost anyway" when | logging on a banking website is incorrect. Users might | want to protect their browsing from untrusted WiFi access | points or nosy ISPs or country-level censorship. | | > (logging into a bank, for example) it is reasonable, | due to the inherent risk, to block Tor exit nodes. | | How many attackers have the skills, experience and | knowledge to successfully break into a bank and yet don't | know how to anonymously rent a VPS or use a botnet or a | compromised host or a starbucks WiFi? 0.0001%? | | [Edit: silent downvotes do not help.] 
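The check junon and judge2020 describe above (compare the connecting address against the published exit list), scoped the way goodpoint suggests so that only the login area gets stricter treatment, as an added example that is not code from the thread or from any commenter. The list contents, the path prefixes and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the one-address-per-line layout of
# https://check.torproject.org/torbulkexitlist (documentation-range IPs).
SAMPLE_EXIT_LIST = """\
192.0.2.10
198.51.100.7

# constructed comment line
203.0.113.99
not-an-ip
"""

# Hypothetical path prefixes where the site applies the stricter policy.
SENSITIVE_PREFIXES = ("/login", "/admin")


def parse_exit_list(text):
    """Return a set of address objects, skipping blank and junk lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # skip a malformed line rather than abort the load
    return exits


def normalise(peer):
    """Parse the peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(peer)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def decide(peer, path, exits):
    """Return 'allow' or 'challenge' for one request."""
    if normalise(peer) not in exits:
        return "allow"
    if path.startswith(SENSITIVE_PREFIXES):
        return "challenge"  # extra verification only where accounts are at stake
    return "allow"  # static, read-only content stays reachable over Tor


EXITS = parse_exit_list(SAMPLE_EXIT_LIST)
```

The peer address must come from the socket (or a header set by a proxy you control), and the list needs periodic refreshing because exit addresses rotate.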
| zinekeller wrote: | I personally don't use CloudFlare but do manage a website | which uses one for a job, and there's a button to mangle | e-mail addresses, so I don't think this is their concern. | | DDoS attacks are surprisingly negligible, comparable for | ordinary IPs, so I don't think that's what they're | protecting at. | [deleted] ___________________________________________________________________ (page generated 2021-08-01 23:00 UTC)