Cloudflare Starts Blocking Pirate Sites for UK Users
191 comments
July 15, 2025 · amiga386
jchw
I don't actually use Reddit or Twitter, but I sometimes come across NSFW posts from links. I've found that old.reddit.com seems to allow you to bypass the filter(s) without needing an account. For Twitter, I tend to use the xcancel.com Nitter instance, though there are other Nitter instances that work fine.
Bonus for using Nitter here, you can also see the latest posts from an account instead of the most popular posts, and see replies/interactions to individual tweets. Oh, and it gives you plain HTML.
Reddit pisses me off so much that despite the fact that I don't even use Reddit, just so that my experience sucks less when I'm linked to Reddit or have another reason to lurk it,
- I use the "Old Reddit Redirect" extension to force the browser to go to old reddit
- I use the "Load Reddit Images Directly" extension to bypass Reddit's hideous image viewer that tries to load if your browser makes the mistake of having text/html in the "Accept" headers when opening an image in a new tab. (Dear Firefox/Chrome/etc: maybe stop doing that? If I open an image in a new tab, there is a zero percent chance I want HTML.)
godelski
Reddit is also very aggressive at blocking VPNs. Mullvad is constantly blocked. Occasionally I'll turn it off, but Reddit is just a terrible place so I usually go elsewhere (I'm only going because of Google search results. I'd rather use an LLM than turn off my VPN for Reddit).
dymk
Interesting, are you using any particular exit country for Mullvad? I’ve used Canada and never ran into Reddit blocking it.
gh02t
Is the reddit equivalent of xcancel/nitter (i.e., redlib https://github.com/redlib-org/redlib) also blocked? Presumably if the instance is hosted outside the UK it would work since I think it effectively proxies your requests.
peterpost2
The bypass via old.reddit.com stopped working today as well.
Normal_gaussian
I just googled 'top nsfw Reddit' and aside from some disturbing implications of 'top' all opened fine with 'old.'. The IP is UK based, is coming up as UK on all geoip sites I tried and is in all of the last 30 days of MaxMind as UK based.
It might be some kind of phased rollout of course.
blackhaj7
> Just don't run your torrent client using the tor network.
I have never used tor so novice question: why not?
> please go to https://petition.parliament.uk/petitions/722903
Signed!
Retr0id
The tor network essentially relies on donated exit node bandwidth, and there's a finite capacity at any point in time. Torrenting is a bandwidth hog (and a lot of exit nodes will filter it out anyway).
schmidtleonard
> donated exit node bandwidth
Hey, we pay $100B/yr of tax money into the NSA/CIA/etc budgets every year so they can run exit nodes among other activities, I wouldn't exactly call it donated
noisem4ker
Is it really just a matter of my bandwidth being hogged up, or more a risk of getting my IP address (range) banned, if not worse legal risks from activities being traced to me?
ajsnigrutin
That's why some "tor-torrent" protocol should be invented, where data is sent via torrent network. There's still some bandwidth amplification, but as long as someone is seeding from within tor, the whole transfer could be done there.
...would also help with privacy and nasty telco letters.
jjmarr
Some clients by default leak your IP when using Tor, the last I checked. When announcing to other peers, the IP of the host machine is provided.
So, you anonymously make the requests through an exit node, but the request contains your IP, which defeats the entire purpose of Tor.
kobalsky
> I have never used tor so novice question: why not?
bandwidth is a scarce resource on tor.
Retr0id
Tor is great but the bandwidth/latency kinda sucks for casual browsing activity. A VPN is a more realistic workaround to this kind of geofencing.
I almost said "solution" instead of workaround, but of course the only actual solution is to fix the legislation.
ReaperCub
> Tor is great but the bandwidth/latency kinda sucks for casual browsing activity
It is reasonably decent these days. Generally there are periods where Tor network is slow.
> A VPN is a more realistic workaround to this kind of geofencing
Generally I tend to use a combination of Tor / VPN depending on what I am doing. Some gossip sites have onion urls and I will use Tor if visiting those. Other sites that are geo-fenced (sites like Odysee) are easier to get to via VPN.
> I almost said "solution" instead of workaround, but of course the only actual solution is to fix the legislation.
That isn't going to get fixed anytime soon. In fact I expect it to get worse over time.
mike-cardwell
It's actually pretty ok for casual browsing these days. Have you tried it recently?
pmdr
> PSA: UK users can visit all their favourite websites in Tor Browser.
And get to solve a dozen whack-a-mole intentionally-slow-loading reCAPTCHAs just to see the page, or worse, end up in a Cloudflare redirect loop.
tracker1
I get enough of that between Brave Browser and using Linux as my desktop OS.
mhitza
They don't show up significantly more often for me than in Brave browser.
Though at that point might as well use Tor in Brave, because the additional ad & tracker blockers drastically improve the load times.
Now, if only Brave would go the extra mile of having the Tor browser window better mimic the Tor Browser.
ReaperCub
I use tor semi-regularly to get around stupid UK geo-fencing of content and honestly it hasn't been like that in a while.
dtf
You'll need more than just an account to access "certain mature content" on sites like Reddit - you'll soon need to upload some photographic ID.
Retr0id
I wrote a similar comment but then realised that if you're using tor per GP's recommendation, you'd be fine as long as your exit node isn't in the UK, or other regressive jurisdiction.
zerotolerance
It is trivial to create a digital picture of a false ID.
Canada
Which is why you will need to provide a cryptographically secure identity credential issued by the government, and you will need to re-verify at regular intervals, not just upload a JPEG.
Make no mistake, the plan is to require 'KYC' for Google, reddit, Facebook, X soon and all that and then later require it for all web sites, even this one.
Australia recently passed a law requiring Google to KYC Australian account holders to check ages to decide if the user will be allowed to control the "safe search" setting.
alwa
Well. Certainly for people in the room here. One imagines regulators know that too, and will draw the line accordingly… that they may grudgingly tolerate validation systems that allow some degree of individual fraud, but stomp on the first of us here to vibe-code our way to a fraud-as-a-service site that gets any traction.
I’m reminded of all-around-good-guy @patio11’s evergreen The Optimal Amount Of Fraud Is Non-Zero…
https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
ReaperCub
> After you've done that, as a UK citizen, please go to https://petition.parliament.uk/petitions/722903 and ask the government to repeal their awful law.
There is literally no point in signing those petitions. The only disagreement between the major political parties in the UK is how draconian it should be.
teamonkey
If it hits 100k then it needs to be debated in parliament. However the bill was already debated in parliament and got through and the petition doesn’t bring anything new to the table.
There would be more of an impact if, perhaps, everyone in the UK who has had to shut a web site because of this law wrote to their MP.
ReaperCub
> If it hits 100k then it needs to be debated in parliament.
I don't think so. It says on the site "At 100,000 signatures, this petition will be considered for debate in Parliament".
I've seen people get excited about petitions before that got to 100,000 signatures and it all fizzled out, or it wasn't debated seriously in parliament. Often you will get a cookie cutter response with these petitions that is a paragraph long.
The reality is that most of the public are indifferent or supportive of the current legislation and most MPs know that.
> There would be more of an impact if, perhaps, everyone in the UK who has had to shut a web site because of this law wrote to their MP.
Each MP would get maybe a max of 10s of emails/letters each. Many of those MPs wouldn't even bother answering you. Those that do will often probably give you the brush off.
I've written to my MP before (about encryption legislation), spent a lot of time presenting a clear and cogent argument and I got a "well I might have a chat with the home secretary" and they were still singing the same tune years later. What I was telling them was largely the same as other industry experts. They don't care and that is the unfortunate reality.
The fact is that the direction the UK government (doesn't matter whether it was Red Team or Blue Team) has been going in has been clear for well over a decade at this point. It would take a major political shake up for this to change IMHO.
chasil
It might be necessary to ensure that your exit node is not in the UK or another locality that is otherwise blocked.
That procedure depends upon your platform and client.
http://www.b3rn3d.com/blog/2014/03/05/tor-country-codes/
Edit: Use this link instead (thanks mzajc!):
https://web.archive.org/web/20180429212133/http://www.b3rn3d...
sherr
I get a "badware" risk on that link from uBlock Origin (Firefox).
"uBlock filters – Badware risks"
mzajc
The domain has been squatted and displays typical spam advertisements. The last good archive is on https://web.archive.org/web/20180429212133/http://www.b3rn3d...
johnisgood
I hope many UK citizens are going to sign it.
sunshine-o
I came to the realisation recently that the free Internet only happened (in the West) because:
- The Silent Generation, in charge at the time, had no idea what this Internet thing was about.
- The US Intelligence community understood it was a powerful tool to operate abroad.
- Nobody dared derailing the only engine of growth and progress in many economies.
It obviously got out of control and is very abnormal in fact if you consider how power really works.
As of today, as a user of a reputable VPN, I am blocked from a lot of essential websites or have to prove I am a human every 5 minutes, it sucks.
Anyway we are one major cyber disaster away from the state switching from a blacklist to a whitelist paradigm. A safer and better Internet for everyone.
We will probably still have ways to access the "Free" Internet. It is gonna be fun, slower and might get you in serious trouble.
xtracto
The thing is, the Internet was supposed to be P2P initially (in Spanish it had the motto "La red de redes" (the network of networks), meaning that it was supposed to connect several LANs together).
But as soon as ISPs started, centralization came. Now, most countries will have at most 5 major ISPs, and in reality geographical availability within countries makes 1 or 2 available.
Then, originally people had their own websites (I was there!) in their own servers. But Geocities started the centralization trend. And then CDNs, and then MySpace/Facebook and all that.
The only way we are going to get the "freedom" network as it was before is through mesh-networks or similar technologies. Which maybe so far are very slow and cumbersome, but they will have to evolve. I know it is not very fashionable here in HN, but the only way I see that capable of happening is implementing some kind of "incentive mechanism" that incentivizes people to let data pass through their node in the mesh network; aaaand cryptocurrencies offer a possible solution for that.
lxgr
> As of today, as a user of a reputable VPN, I am blocked from a lot essential websites or have to prove I am an human every 5 minutes, it sucks.
I have to do that using corporate and residential US networks, simply because I use Firefox.
As great as Cloudflare's services might be to each individual user, the centralization of infrastructure, and by extension the centralization of power, doesn’t seem to be worth it at a macro level. The tragedy of the commons strikes again.
ajsnigrutin
Try disabling third party cookies, and on some sites, you'll be clicking cloudflare captchas every time you open them :)
lxgr
Ah, I guess that's why I get tons of them, thank you!
Can't they at least set a first-party cookie to avoid repeated captchas per site, given that they're terminating HTTP?
Dracophoenix
You're forgetting that the Internet was intertwined with the phone system at a time when the latter was the only reliable form of communication at both local and long-distance levels. Interference with the Internet would be interference with the international telephone system.
int_19h
I don't see how the fact that dial-up was the norm for the internet "last mile" changes anything wrt the ability to block it. It would be done in exact same way it is done today - by forcing ISPs to do the blocking on internet protocol level.
6510
That's a good idea, we could moderate the phone system.
pjc50
Yeah, a lot of stuff only worked because it was a "subculture". That could no longer be sustained once the first Twitter President arrived.
ajsnigrutin
The decline of internet began way before Trump, I'd say with the rise of Facebook and everything moving on there (your local restaurant used to have a website, then switched to Facebook only).
Centralized power, centralized censorship.
At approximately the same time, social networks became less social and more propaganda feeds.... so it went from a feed of content made by your friends for other friends (from complaints in status messages to photos of their plates) and moved to whatever crap they try to serve you now,...
MaxPock
The internet was a very good tool in subverting dictatorships and influencing elections. Now that adversaries of the West have mastered it and the shoe is on the other foot, internet bad.
xandrius
Shouldn't surprise absolutely nobody, once you become the gatekeeper of the Internet, you're going to gatekeep.
Now it's torrent sites and next it's going to be other things the party in charge doesn't like.
heavensteeth
Right, it's only natural; they MitM 20% of the internet.
Similarly, I struggle to believe they're not providing much of the data they collect to the CIA.
anon191928
CIA front like snapchat with all on camera access. Nothing surprising
jasonlotito
> Shouldn't surprise absolutely nobody...
...because this is far from the first time this has happened with Cloudflare.
gjsman-1000
About a decade ago, there were proposals for a "driver's license for the internet."
Nowadays... I actually think it might be a lesser evil. Picture such an ID, if there were a standard for it, enrolled into your computer.
If it were properly built, your computer could provide proof of age, identity, or other verified attributes on approval. The ID could also have micro-transaction support, for allowing convenient pay-as-you-go 10 cents per article instead of paywalls, advertising, and subscriptions everywhere. Websites could just block all non-human traffic; awfully convenient in this era of growing spam, malware, AI slop, revenge porn, etc. Website operators, such as those of small forums, would have far less moderation and abuse prevention overhead.
Theoretically, it would also massively improve cybersecurity, if websites didn't actually need your credit card number and unique identity anymore. Theoretically, if it was tied to your ID, it's like Privacy.com but for every website; much lower transaction friction but much higher security.
I think that's the future at this rate. The only question is who decides how it is implemented.
63stack
This is so naive. Big tech would be the first to get various exceptions to train their greedy AIs. They would lobby so hard to lock down personal computers, just to make sure you are not tampering with your digital passport. Google would finally have their wet dream of locked down PCs that have no adblock.
Politicians would be salivating at the idea of getting the real identities of dissenters, and religious fucks would finally have their way of banning porn and contraceptives.
gjsman-1000
You're assuming this isn't already in the works; I simply see it as we can make the standard now, or let the standard be dictated.
We're already seeing it piecemeal, with Cloudflare supporting skipping CAPTCHAs on verified iOS and macOS devices; mobile driver's license enrollment options on iOS; age verification rollouts for websites with no-doubt people thinking how to streamline things; etc.
I personally think we are one big cyberattack from the whole concept returning fast. One big cyberattack from governments (and people in general) saying they've had enough of the free-for-all status quo. This isn't a good place to be.
rendx
German national ID has this built-in; you can cryptographically prove that you are currently in possession of an ID (and its PIN) over a certain age, for example, without revealing your date of birth. It's just not in widespread use.
thmsths
Thank you for sharing this. I have been frustrated about the lack of chip and pin for IDs for years. We have had digital IDs in the form of debit/credit card since the 90s, and yet the governments have been agonizingly slow to adopt this (at least to me) painfully obvious idea. So good job Germany!
dingnuts
oh good, and your authoritarian government can know you're in the closet and trying to figure out how to leave the country, too!
no, fuck this idea so hard. if this is inevitable, our duty is to build technology that defeats it
derektank
You can create an ID card system that reliably verifies some sort of personal attribute (such as age) without revealing other personal information or a validation request being sent to the government which shares what sites you may or may not have been browsing
GuinansEyebrows
the number of people who work for (or defend those who work for) firms like raytheon, northrop grumman, palantir, meta, amazon, microsoft, alphabet, flock et al leads me to believe there are not enough people left to care about building this technology. we're cooked. too many developers lack the moral position necessary to turn the tide in a meaningfully widespread way - at best, it's "if not me, someone else will do this work anyways, so i might as well be the one collecting the paycheck/stock options." at worst, it's "i think it's a good thing to create tools to surveil/manipulate/kill people."
mourn the loss of the internet we knew and be ready to sacrifice ease of use to return to lower-tech/still-underground options.
gjsman-1000
Local ID Proofs =/= Surveillance
strken
I'm in favour of A) a restricted internet with an encryption scheme based on state controlled hardware devices, like Estonia has, that's accessible by default from browsers, and B) an unrestricted internet that's available to anyone who clicks through a few scary browser warnings, but is generally regarded as weird, dangerous, and not commercially viable except for weird or dangerous stuff.
int_19h
Realistically, the moment the two are decoupled, B) is going to be banned and blocked outright - and the more they are decoupled, the easier it would be to ban. By and large, the only reason why it's still possible to access "dark" content online is because it's so intermeshed with the more mundane stuff on infrastructure level that the most efficient blocking methods have unacceptably high levels of collateral damage.
xandrius
And then wait for when the well-funded and publicly supported A decides that B is evil and needs to be taken down.
gpm
Blocking is the wrong terminology here. Cloudflare is not an ISP which fetches whatever you ask for from third parties. It's a company contracted by the web site owners to distribute their websites. It's much more accurate to say that Cloudflare is no longer acting as a host for pirate sites in the UK.
The shocking part of this isn't that they aren't participating in that form of crime in the UK, it's that they're somehow able to participate in it in the rest of the world.
And I say this as someone who thinks that copyright laws are largely unjust, preventing people from engaging with their own culture, but that doesn't make them not the law.
lambertsimnel
> It's much more accurate to say that Cloudflare is no longer acting as a host for pirate sites in the UK.
I understood from the article that it was for users in the UK, not for hosts in the UK.
gpm
The implied parentheses were intended to be "(Cloudflare is no longer acting as a host for pirate sites) in the UK" not "Cloudflare is no longer acting as a host for (pirate sites in the UK)".
pjc50
See https://cybersecurityadvisors.network/2025/04/15/la-liga-blo... : I'm slightly surprised that this hasn't caught up with them too. It used to be important to stay somewhat "below the radar" when pirating, not creating an account at one of the largest internet services. But then anti-piracy enforcement is about money and going after soft targets.
viktorcode
> Blocking is the wrong terminology here.
This is geo-blocking, by definition.
Personally, it's always sad when a company agrees to censor on their own merit when they don't have legal obligation to.
gpm
> > Blocking is the wrong terminology here.
> This is geo-blocking, by definition.
Do you also refer to Steam games that only sell in some regions as "geo-blocking"? I don't. Steam doesn't (they call them region restrictions). There's no blocking going on, merely declining to offer something in the first place. Cloudflare is the host here, they aren't blocking anything, they just aren't providing the pirate site in the first place.
> when they don't have legal obligation to.
While I know relatively little about UK law I'm extremely skeptical of the idea that Cloudflare does not have a legal obligation to not knowingly host websites committing copyright infringement.
Retr0id
Previously, a convenient and low-latency way to bypass UK internet censorship was to proxy via a local datacentre - it's only the residential ISPs that are under pressure to censor traffic, commercial ones less so.
But if the blocking is happening somewhere other than the ISP, this is less effective. A hypothetical TPB user might want to proxy via Luxembourg now (seems like the shortest hop to somewhere with sane legislation)
trollied
You didn’t even need to do that. Just needed an /etc/hosts entry for the domain.
Retr0id
My ISP (Virgin Media) does DNS filtering and IP-based blocking and TLS SNI inspection. So you have to use ESNI or domain fronting, which last time I checked my browser could not be easily configured to do.
grishka
You may have some success with DPI bypass tools we've been using in Russia for years now, like GoodbyeDPI and Zapret.
acheong08
At this point, what's the difference between the UK and China other than the specific content they block? Some ISPs have even started blocking wireguard here & I've had to resort back to xray/v2ray
arp242
Is that common for all ISPs or just Virgin? When I lived in the UK (already a number of years ago) it was all just DNS-based. Running my own DNS resolver unblocked everything. I don't recall which ISP.
chickenzzzzu
Classic mafia racket economics would claim that Cloudflare themselves created the botnet ddos problem so that they themselves could solve it, and now they have the power to do this, especially when governments ask them very sternly to do so.
pixl97
Being that botnet DDOS existed before CF that's a pretty strong statement.
a2128
They existed before, but websites selling DDoS as a service were easier to track down and competitors would DDoS each other. Cloudflare provided a strong layer of protection for everyone, including these DDoS websites, and took no action to take them down when reported.
v5v3
Classic NSA tactics would be to set up a giant American Man-In-The-Middle company that most of the traffic of the world passes through.
slt2021
botnets are usually coming from residential networks due to infected hosts/IoT devices.
if cloudflare were to host malware on their own IPs, it would have been trivial to see CF's steps.
Unless you want to suggest that CF is developing and distributing sophisticated malware and making botnets across the world
chickenzzzzu
Though certain mafia economics would suggest exactly that, I personally am not suggesting it. It's just an extremely interesting possibility that could only be proven with evidence.
ryzvonusef
i thought people in the west used these things called seedboxes? basically computers in low risk countries like romania etc, download the torrent there, then copy the file over or something like that.
ReaperCub
I have one of these. However it is connected to a VPN 24/7 in my own home. It can't access the net without the VPN being connected and I've checked for IP leaks.
https://github.com/qdm12/gluetun
However at some point I will have a machine set up in a foreign country as a jump box.
v5v3
As per the URLs listed in the article, many people don't download movies nowadays.
They stream them on streaming websites.
specproc
The site suggests that VPNs may be affected. What's the mechanism here? Is this likely to cause trouble for all VPNs?
instagib
DNS blocking via 1.1.1.1 is suggested. So, change to another DNS.
johnisgood
This is how I block VPNs for game servers: https://zolk3ri.name/cgit/schachtmeister2/about/. It could work for any servers. It is very easy to do so. It gives you a "score" of the IP address (README.md explains it) that connected to your server, and you can decide what to do based on that, for example in my game servers there are certain thresholds. It has been working great.
grumpyinfosec
realistically blocking low cost personal VPNs / proxies is pretty easy. Any new servers they stand up are gonna get picked up by commercial threat intel services within an hour and then just blocked. Especially if the CDNs are working with the government.
You could roll your own but wireguard/openvpn going to random hosting provider is gonna achieve the same thing if they are playing hardball.
pjc50
They're not playing hardball, it's all on a "will this do" basis, like the US state-level bans. They're certainly not going to start blocking random IPs in hosting providers, that's reserved for email spammers.
gonzalohm
Is this because the torrent sites are using Cloudflare on their end? If so, seems like a simple solution.
Retr0id
Torrent sites use Cloudflare to hide their origin IPs, among other things, so just not using it isn't an easy option.
Easier for torrent sites to tell people to use VPNs.
GoblinSlayer
CIA will DDoS them if they don't use Cloudflare.
BobaFloutist
That seems less plausible than other pirate sites, random asshole teenagers, or even streaming companies DDosing them.
papichulo2023
I guess renting a VPS and setting up WireGuard should still work?
v5v3
Yes.
And you can buy VPS using crypto.
pyb
Why is Cloudflare providing its services to known pirate sites?
throw123xz
Is the site illegal? If yes, where? And is CF required to follow the laws of that jurisdiction?
v5v3
To prevent a competitor popping up with a USP.
tlogan
So pirate sites cannot use Cloudflare. But isn’t that against their ToS?
I'm just confused - can somebody explain this to me?
xtracto
Pirate Sites are stupid. And the need for a Site is a stupid limitation of Bittorrent. People should use real distributed protocols like SoulSeek, Kademlia or other similar file sharing protocols that do not require a website for discovery.
boramalper
> Pirate Sites are stupid. And the need for a Site is a stupid limitation of Bittorrent.
throw123xz
SoulSeek still relies on central servers for some things. Every time they go down, people go to the sub reddit to ask what's happening.
pjc50
Cloudflare used to have really open ToS and would host anybody. This included all sorts of far-right sites, and eventually they accepted that they were going to be held responsible for what their customers were doing.
PSA: UK users can visit all their favourite websites in Tor Browser. Just don't run your torrent client using the tor network. Thank you.
You can also access 4chan, Tattle Life, and other nasty gossip websites that the UK nanny state wants to ban.
And you can access the porn on Reddit and Twitter (though in some cases you'll have to make an account). And of course the "tube" sites work fine.
After you've done that, as a UK citizen, please go to https://petition.parliament.uk/petitions/722903 and ask the government to repeal their awful law.