I know there are a number of headers used to control cross-site access to websites, and the linked blog post shows archive.today's denial-of-service script sending random queries to the site's search function. Shouldn't there be a way to prevent those from running when they're requested from within a third-party site?
However, browsers will first send a preflight request for non-simple requests before sending the actual request. If the DDoS were effective because the search operation was expensive, then the blog could put search behind a non-simple request, or require a valid CSRF token before performing the search.
Mostly these headers are designed around preventing reading content. Sending content generally does not require anything.
(As a kind of random tidbit, this is why CSRF tokens are a thing: you can't prevent sending, so websites test to see if you were able to read the token in a previous request.)
This is partially historical. The rough rule is if it was possible to make the request without JavaScript, then it doesn't need any special headers (preflight).
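Added example, not part of the thread and not code from the blog or any browser: a simplified model of the preflight rule discussed above, showing how putting search behind a non-simple request keeps a third-party page from triggering the expensive query. The header name `X-Search-Intent`, the origins and the request objects are assumptions made for illustration.

```javascript
// Simplified model; X-Search-Intent and the request shapes are hypothetical.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// True when a browser must preflight this cross-origin request
// (simplified from the Fetch spec's "CORS-safelisted" rules).
function needsPreflight(method, scriptHeaders) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(scriptHeaders).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n !== 'content-type') return false;
    return !SAFE_TYPES.has(value.split(';')[0].trim().toLowerCase());
  });
}

// Server side: the expensive search runs only when the custom header is present.
// Preflights get no Access-Control-Allow-* headers, so no other origin is approved.
let searchesRun = 0;
function server(req) {
  if (req.method === 'OPTIONS') return { status: 204, headers: {} };
  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (h['x-search-intent'] !== '1') return { status: 400 }; // cheap rejection
  searchesRun += 1; // stands in for the costly query
  return { status: 200 };
}

// Browser side: what a page on pageOrigin can cause to reach siteOrigin.
// Only the Allow-Origin check of the preflight is modelled here.
function browserSend(pageOrigin, siteOrigin, method, headers) {
  const crossOrigin = pageOrigin !== siteOrigin;
  if (crossOrigin && needsPreflight(method, headers)) {
    const pre = server({ method: 'OPTIONS', headers: { origin: pageOrigin } });
    const allowed = pre.headers['access-control-allow-origin'];
    if (allowed !== pageOrigin && allowed !== '*') return 'blocked-by-preflight';
  }
  return server({ method, headers }).status === 200 ? 'search-ran' : 'rejected-cheaply';
}
```

This only constrains requests made through a visitor's browser; a non-browser client can set any header it likes, so rate limiting is still needed for direct traffic.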
Both sides look like they have been bullied in the past and not found their way out of reproducing the pattern yet.
The blog has a lot more posts on random topics. Why do you imply that the owner of the blog is part of a harassment campaign and "only" that is the reason for this years-old blog to exist?
There are only two posts about archive.today on the blog, and one of them only exists because archive.today started DDoSing them. I fail to see how you could consider the entire blog to be a "harassment campaign", especially considering that the original blog post isn't even negative, it ends with a compliment towards archive.today's creator.
But it's not? This was published between the two posts about archive.today: https://gyrovague.com/2025/02/23/anatomy-of-a-boarding-pass-...
Writing about being DDoS'd seems eminently reasonable. So if you elide that, you are talking about a single article in four years.
It's genuinely nothing.
What is the purpose of the DDoS JS in the archive website then? Not DDoS?
Easy stuff, no?
Why are you pretending to be surprised by this view that is held by approximately every single person in the world?
Or do you think we should have different standards for DDoS and actual violence?
Doxing? Yes.
It's clear that the person running archive.today does not actively publicize their identity.
> As far as I read the tone of the post is full of admiration
Exactly like an unhinged fan stalking a celebrity.
Jani Patokallio runs gyrovague.net in order to harass people who provide useful public services.
It's not surprising that the owner of archive.today does not like being exposed, archiving is a risky business.
So public services should DDoS is your argument?
> Jani Patokallio runs gyrovague.net in order to harass people who provide useful public services.
I scrolled pretty far through the blog and didn't find anything of that sort. Just a bunch of travel stuff. Now I'm curious what sort of "harassment" you hallucinated in the sites that were previously targeted by archive.today's DDoS attacks.
That's a pretty small sin in my book. To be written off as wildly unsuccessful but entirely justified self defense.
DDoSing gyrovague.com is silly, not evil.
The content on gyrovague.com which targets archive.today is evil, plain and simple.
The ‘small sin’ of wielding your userbase as a botnet is only palatable for HN’s readers because the site provides a desirable use to HN’s readers. If it were, say, a women’s apparel site that archived copies of Vogue etc. (which would see a ton of page views and much more effective takedown efforts!) and pointed its own DDoS of this manner at Hacker News, HN would be clamoring for their total destruction for unethical behavior with no such ‘it’s just a evil for so much good’ arguments.
Maintaining ethical standards in the face of desire for the profits of unethical behavior is something tech workers are especially untrained to do. Whether with Palantir or Meta or Archive.today, the conflict is the same: Is the benefit one derives worth compromising one’s ethics? For the unfamiliar, three common means of avoiding admitting that one’s ethics are compromised: “it’s not that bad”, “ethics don’t apply to that”, and “that’s my employer’s problem”. None of those are valid excuses to tolerate a website launching DDoS attacks from our browsers.
Just my 2¢, not that it really matters anymore in this current information-warfare climate and polarization. :/
Wow, I had no idea. Thanks.
It allows website owners and third parties to tamper with archived content.
Look here, for example: https://web.archive.org/web/20140701040026/http://echo.msk.r...
Archive.today is by far the best option available.
1) The act of archive.today archiving stories (and thus circumventing paywalls) is arguably v low level illegal (computer misuse/unauthorized access/etc) but it is up for interpretation whether a) the operator or the person requesting the page carries the most responsibility b) whether it's enforceable in third party countries neither archive.today nor the page requester reside in
2) DDoSing a site that writes something bad about you is fundamentally wrong (and probably illegal too)
I think you're missing that circumventing paywalls is unlawful in most parts of the world.
And a necessity if you want to archive the content correctly, also necessary if you want the archives to be publicly available.
Not really, no. It's not unlikely to result in the service ceasing to exist.
Edit: I misread the comment initially as from someone with more insight. However, I guess it is obvious that anyone can see the JavaScript and participates involuntarily in the DoS.