Cloudflare Accused of Blocking Niche Browsers (palemoon.org) 146

Long-time Slashdot reader BenFenner writes: For the third time in recent memory, CloudFlare has blocked large swaths of niche browsers and their users from accessing web sites that CloudFlare gate-keeps. In the past these issues have been resolved quickly (within a week) and apologies issued with promises to do better. (See 2024-03-11, 2024-07-08, and 2025-01-30.)

This time around it has been over six weeks and CloudFlare has been unable or unwilling to fix the problem on their end, effectively stalling any progress on the matter with various tactics including asking browser developers to sign overarching NDAs.

That last link is an update posted today by Pale Moon's main developer: Our current situation remains unchanged: CloudFlare is still blocking our access to websites through the challenges, and the captcha/turnstile continues to hang the browser until our watchdog terminates the hung script after which it reloads and hangs again after a short pause (but allowing users to close the tab in that pause, at least). To say that this upsets me is an understatement. Other than deliberate intent or absolute incompetence, I see no reason for this to endure. Neither of those options are very flattering for CloudFlare.

I wish I had better news.

In a comment, Slashdot reader BenFenner shares a list posted by Pale Moon's developer of reportedly affected browsers:
  • Pale Moon
  • Basilisk
  • Waterfox
  • Falkon
  • SeaMonkey
  • Various Firefox ESR flavors
  • Thorium (on some systems)
  • Ungoogled Chromium
  • K-Meleon
  • LibreWolf
  • MyPal 68
  • Otter browser

Slashdot reader Z00L00K speculates that "this is some kind of anti-bot measure that fails. I suspect that the reason for them wanting a NDA to be signed is to prevent ways to circumvent the anti-bot measures..."


  • by rossdee ( 243626 ) on Saturday March 15, 2025 @07:57PM (#65236797)

    Are any of the web sites that CloudFlare gate-keeps important?

  • by Rockoon ( 1252108 ) on Saturday March 15, 2025 @08:05PM (#65236809)
    While it was once niche in Scandinavian countries and large parts of Africa, it is now mainly niche in southeast Asia.

    Either my browser isn't niche enough to make the cut, or I have not wandered into any clodware hosted pages.
  • I know they have (Score:4, Informative)

    by FudRucker ( 866063 ) on Saturday March 15, 2025 @08:08PM (#65236813)
    I love to hunt for minimalist browsers for Android that use the webview engine and I found a few good browsers that were rejected by Cloudflare.
  • Configurable (Score:4, Informative)

    by Neuroelectronic ( 643221 ) on Saturday March 15, 2025 @08:08PM (#65236815)

    Isn't this up to the sites who configure and use Cloudflare? DeepSeek locked down their site hard when getting DDoSed; it even blocked Firefox with uBlock. Once the DDoS stopped they opened it up.

  • by test321 ( 8891681 ) on Saturday March 15, 2025 @08:13PM (#65236823)

    From the link "affected browsers" in TFS, this would affect http://www.steamdb.info/ [steamdb.info] https://sourceforge.net/ [sourceforge.net] but both open fine for me with palemoon-33.6.1 and ungoogled-chromium-133.0.6943.141_p1

    • Re: (Score:2, Informative)

      by dimko ( 1166489 )

      From the link "affected browsers" in TFS, this would affect http://www.steamdb.info/ [steamdb.info] https://sourceforge.net/ [sourceforge.net] but both open fine for me with palemoon-33.6.1 and ungoogled-chromium-133.0.6943.141_p1

      Linux Firefox ESR user is here. SteamDB did not pass bot check yesterday.

    • I use Waterfox and can also access those fine... I don't even get the "are you a human" checkbox (no challenge, just have to check the box) I get once or twice a week from Cloudflare.
    • by dryeo ( 100693 )

      I think it depends on cookies that were set earlier when it was easy. I can load sourceforge fine as I've been going there on and off for a long time. Never tried steamdb.info until now, it gets into a loop checking if this SeaMonkey browser is secure

    • There's a LOT more to it than just the browser...

      First it checks where you're coming from. If you're coming from a clean source address then you're fine as it gives you the benefit of the doubt. If however you're coming from a shared NAT address and it's seen lots of users from that address then you go into the shitlist.

      The sites you've listed have IPv6 enabled, so any user with IPv6 will be hitting them from a unique address. Other sites (eg slashdot) don't publish AAAA records which forces traffic to downgrade to IPv4, which can cause it to go over a NAT gateway in many cases.

      When lots of users originate from the same address, as is common with NAT gateways, it then tries to use other methods to separate the users. This would include the typical tracking via cookies etc. The problem with these niche browsers is that most of them are privacy-centric and will block a lot of these tracking methods. If your traffic comes from a suspicious address and it's not already trackable via other means, you'll get the captcha or an outright block.

      Being stuck behind a shared CGNAT gateway and accessing sites without IPv6 is the worst case scenario.

      The ISP here uses CGNAT out of necessity, and I experience this problem frequently but only on sites that don't publish AAAA records. For any site which uses IPv6 there's no problem at all.
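
An added illustration of the mechanism described in the comment above (not part of the original thread, and not Cloudflare's actual logic): a per-source reputation check showing why a cookie-less client behind a shared IPv4 gateway is challenged while the same client on its own IPv6 /64 is not. The threshold, the `clearance_cookie` flag, the /64 bucketing and all addresses (documentation ranges) are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

ABUSE_THRESHOLD = 3  # assumed: abusive requests before a source bucket is flagged


def source_key(addr):
    """Reputation bucket: the single address for IPv4, the /64 for IPv6 (assumed)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/64", strict=False))


def flagged_sources(history):
    """Buckets that produced at least ABUSE_THRESHOLD abusive requests."""
    abuse = Counter(source_key(r["src"]) for r in history if r["abusive"])
    return {key for key, count in abuse.items() if count >= ABUSE_THRESHOLD}


def decide(request, flagged):
    """Return 'allow' or 'challenge' for one incoming request."""
    if source_key(request["src"]) not in flagged:
        return "allow"  # clean source: benefit of the doubt
    if request.get("clearance_cookie"):
        return "allow"  # flagged source, but this client can be told apart
    return "challenge"  # flagged source and nothing to separate the client


# Constructed sample data. 203.0.113.7 stands in for a CGNAT gateway's public
# address; 2001:db8::/32 is the IPv6 documentation range.
CGNAT = "203.0.113.7"
HISTORY = (
    [{"src": CGNAT, "abusive": True}] * 4        # one bot behind the gateway
    + [{"src": CGNAT, "abusive": False}] * 20    # its ordinary subscribers
    + [{"src": "2001:db8:bad:1::66", "abusive": True}] * 3
    + [{"src": "2001:db8:a:1::10", "abusive": False}] * 5
)
REQUESTS = {
    "subscriber, cookies kept, IPv4": {"src": CGNAT, "clearance_cookie": True},
    "subscriber, cookies blocked, IPv4": {"src": CGNAT, "clearance_cookie": False},
    "same subscriber over IPv6": {"src": "2001:db8:a:2::20", "clearance_cookie": False},
    "bot, new address in flagged /64": {"src": "2001:db8:bad:1::67", "clearance_cookie": False},
}


def evaluate():
    """Verdict for each constructed request, given the constructed history."""
    flagged = flagged_sources(HISTORY)
    return {name: decide(req, flagged) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{verdict:9}  {name}")
```

The second request is the false positive the comment complains about: the subscriber did nothing wrong, but shares a flagged address and presents nothing that separates them from the bot.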

      • by DamnOregonian ( 963763 ) on Sunday March 16, 2025 @05:12AM (#65237461)
        I operate a couple of deployed CGNAT networks with a combined ~25k subscribers.
        This is indeed a problem we have to deal with- getting asshole content networks to stop blocking my eyeballs.

        I can say, we offer low-price static IPs, though. Your provider probably does too.
        • by Bert64 ( 520050 )

          They do not, only on business plans which are significantly more expensive.
          Based on their BGP announcements they simply don't have enough legacy addresses for the number of customers.

          Most of the content networks support IPv6, and any site that has IPv6 enabled there's no problem. The assholes are the cloudflare (and other) customers that explicitly turn off IPv6 for their sites.

          • Nobody's got enough IP space, man, lol.
            We got all of ours by acquiring companies. These days, people are renting it.

            Comcast runs a "statics only for business" racket, too. That sucks.

            My CGNAT networks have about a 2.9% static IP rate. It's not bad.
            I think they're fucking you.
          • Also- CloudFlare doesn't "turn off IPv6".
            They're a proxy provider. They proxy whatever the backend site wants, with whatever security mechanisms the backend site wants enabled.

            It does, indeed suck, that there are still sites out there without IPv6 reachability.
            • The backend does not matter, cloudflare provides the frontend which is what the end users interact with.

              In fact, cloudflare always provide a dual stack frontend irrespective of what the backend is, but some customers don't publish the AAAA records (slashdot being one such example), so if you control your own dns resolver you can add the AAAA back but most users wouldn't know how to do this. There are a few tools that can automate this.

              So it's the cloudflare (and other cdn) customers entirely to blame for not publishing AAAA records.

              Having to respond with captchas or outright blocking when faced with malicious traffic is a necessary evil these days, and nat is only intended to be a temporary stopgap measure.

              • I misread what you wrote. I thought you said the problem was Cloudflare, and its customers- misparsed your parentheses.
  • 3 fixes within a week and the thanks they get is being called incompetent by their main developer?
    • by BenFenner ( 981342 ) on Saturday March 15, 2025 @08:51PM (#65236879)
      Yes.

      1) CloudFlare launches a DOS attack on your browser (and others), then ignores your communication, and only stops the attack after a huge user outcry. Promises are made that this won't happen again.

      2) 4 months pass and the exact same thing happens. Your bug reports and similar get completely ignored, the DOS attack only stops after a huge user outcry. Promises are made this should not and will not happen again. Your browser will be added to their test suite.

      3) 6 months pass and they are DOS-ing you again. Your comms get tossed in the trash. A huge user outcry doesn't work this time. A full month goes by and bad media coverage finally brings CloudFlare to the table. They give you the run-around. 6 weeks in and the DOS continues.

      You're blaming the browser dev in all this? Calling them incompetent is being kind. Likely they are being malicious.
      Fuck off.
      • Re: (Score:3, Informative)

        by h33t l4x0r ( 4107715 )
        That's not how it works. Cloudflare's customers asked for extra protection from suspicious traffic because their website is under attack. Meanwhile, Pale Moon is suspicious traffic. CF is just giving their customers what they asked for.
        • CF is just giving their customers what they asked for

          Security theatre?

        • by markdavis ( 642305 ) on Saturday March 15, 2025 @11:17PM (#65237083)

          >"Cloudflare's customers asked for extra protection from suspicious traffic because their website is under attack. Meanwhile, Pale Moon is suspicious traffic."

          This is just totally unacceptable behavior on their part. They should be looking at what the incoming machine is DOING, or its source address/location, not just assume it is "bad" because it isn't chrom* or Firefox. It would be somewhat analogous to your grocery store hiring a security team that bans you from entry into the store (and then attacks and harasses you) because you came in wearing a green scarf, and they are not used to seeing people wear those.

          At a time where Google has decimated browser diversity and the only real contender left is Firefox, we desperately need additional pushback against anything that tries to narrow the field like this.

          • If you find it unacceptable that's just tough shit. You can't expect the entire internet to accommodate you when you're using an obscure hobby web browser, that's just common sense.
            • That's probably the expectation of Cloudflare customers, though. They do not want visitors blocked over meaningless rules.
              • Well they can simply disable "under attack mode" if that's the case but they went out of their way to enable it which suggests they want it.
            • by BetterThanCaesar ( 625636 ) on Sunday March 16, 2025 @04:09AM (#65237399)
              Why accommodate any browser at all? HTTP is a standard. TLS is a standard. Why does the software matter if it implements the necessary standards?
              • by DamnOregonian ( 963763 ) on Sunday March 16, 2025 @05:24AM (#65237473)
                lol, you sweet summer child.

                Cloudflare isn't in the business of blocking HTTP/S speakers. They're in the business of blocking bots, or other kinds of not-actually-a-browser HTTP traffic.
                Detecting them is, in fact, a trick.

                Their customers pay them a lot of money for this.
              • Why accommodate any browser at all? HTTP is a standard. TLS is a standard. Why does the software matter if it implements the necessary standards?

                This has nothing to do with HTTP or TLS. The problems being solved are on a network layer above that, and they are solving it using a layer below it. If HTTP / TLS had something like DDOS protection or anti-bot tech then none of this would be happening.

              • by higuita ( 129722 )

                the http and tls is ok, the problem is that many people create bots to either scrape, abuse or DoS a site. Some are easy to detect (curl, no JavaScript), but others are harder (say selenium or nodejs doing those requests).
                Cloudflare sells protection for the sites, so they need to find a way to detect real users and bots, when both are sometimes almost the same behavior. They need to rely on what normal users do (several steps) vs bots usually doing direct access to urls. but that alone isn't enough and they

            • You can't expect the entire internet to accommodate you when you're using an obscure hobby web browser, that's just common sense.

              Found the guy with no sense.

          • Individual site operators do all kinds of stupid shit.
            I had to modify a NAT translation module not to use .0 and .255 out of every /24 segment because assholes felt they weren't valid addresses.

            We could argue that cloudflare is offering them a broken service here, but it's still the individual site operator that selects this particular form of proxy validation.
            I have to deal with this bullshit all the time for my eyeball networks trying to get to certain cloudflare protected sites.
          • Unacceptable according to whom?

            Part of the design of the web is that anyone can run any service which exchanges any data they wish. While everyone is entitled to share an opinion on those protocols, it's not up to anyone else to proclaim what is and is not acceptable.

            Ultimately what individual hosts on the web do is up to them.

          • You ever consider google and cloudflare are in bed together?
      • by Khyber ( 864651 )

        Damn shame the tech world doesn't have its own Luigi.

  • by Kernel Kurtz ( 182424 ) on Saturday March 15, 2025 @08:17PM (#65236833)
    So what happens if they don't block bots? Does the internet get worse or something?
    • Re:Anti-bot measures (Score:5, Informative)

      by ArchieBunker ( 132337 ) on Saturday March 15, 2025 @08:51PM (#65236877)

      These days bots account for a significant amount of internet traffic.

      • Is there a model where bots pay for their consumption? I can only imagine companies hurting competitors just by racking up AWS bills. AI agents would seem to enable this.
      • These days bots account for a significant amount of internet traffic.

        Yes, I know. So does spam. And advertising. I was being a bit facetious but it is long since true that the majority of traffic on the internet is garbage.

      • by allo ( 1728082 )

        It's over ten years that people reported that. It's just like that, you have search engines, nowadays you have AI bots ... some even had the dead internet theory. But let's get real, most data processing is done transparently in the background. Your browser does not make a difference, most things that you use daily only work because hundreds of cloud services and web crawlers work together to provide you the modern internet experience.

    • by higuita ( 129722 )

      before we enabled better bot detection and filtering, bots accounted for around 1/3 to 1/2 of our traffic. This makes us lose money as we have to scale the infra to serve that traffic and worse, as real users need lower latency, we scale aggressively to keep the response times low.

      with better bot detection, we end blocking many and created a new infra setup just for bots with limited scale and relaxed scaling rules (also, using a read-only replica, bots making orders or changing data is for sure malicious). now

  • by pbry4n ( 7208566 ) on Saturday March 15, 2025 @08:21PM (#65236841)
    Maybe bespoke browsers should impersonate other "acceptable" browsers, through `User-Agent` and possibly other fingerprinting measures, so that they pass such checks. It inevitably becomes an arms race, which no one should really want, but I prefer that over the browser landscape becoming a monoculture. Perhaps while we're at it, this can also be used to thwart fingerprinting technology being used to track our browsing habits without cookies.
    • by dryeo ( 100693 )

      Depending on the browser, it is not good enough to change the user-agent, I just tried at https://steamdb.info/ [steamdb.info] with SeaMonkey and it didn't help. Maybe some JavaScript that isn't supported or last time this happened, the SeaMonkey newsgroup blamed it on using WebGL, which SeaMonkey doesn't support.
      Haven't tested something like the newest Chromium which should support the latest JavaScript. They might even be testing DRM support, I'm not an expert.

      • by dryeo ( 100693 ) on Saturday March 15, 2025 @09:46PM (#65236969)

        Replying to myself as anonymous coward as I'm trying a different browser, Dooble. Slashdot doesn't do the Cloudflare thing until I try to log in. Kind of surprised that I seem to be able to post as ac.
        Actually it didn't allow it, failed with anonymous posting not allowed when I pressed preview but gave me an alternate login page that didn't invoke Cloudflare.

    • by allo ( 1728082 )

      That's a bad idea. A main part of web firewalls like cloudflare is to discover such lies. If your browser is a Firefox sending a Chromium user-agent, Cloudflare flags it as potentially suspicious.

    • by AmiMoJo ( 196126 )

      Changing the user-agent makes it more suspicious. Cloudflare doesn't just believe that string, it verifies it. Check for features that the browser is supposed to have, looks for telltale signs of the Javascript engine in use, the way stuff like canvas and WebGL are handled etc.

      As a result browsers that enhance your privacy or don't support those things tend to fail the checks.

    • by higuita ( 129722 )

      that is totally the wrong way to do it!

      that is what the bots are doing, trying to fake real user browsers! that is why cloudflare is checking weird things, to detect those fake browsers.

      what the other browsers must do is really use their own user-agent and announce their real features... and talk with cloudflare to even add extra checks to help CF and others to detect them

  • I thought I was losing my mind recently, like every site giving me a captcha, so much so I wouldn't even bother solving it or going to that site. I run mostly Firefox ESR but am starting to use Librewolf. Cloudflare is becoming a cancer I'm afraid...

  • by sinij ( 911942 ) on Saturday March 15, 2025 @10:09PM (#65236997)
    Palemoon maintainer, Moonchild, rejected NoScript add-on and even put it on a warn list. Guess what? NoScript stops this Cloudflare bullshit. You need to have precise control over JS, it isn't all or nothing.
    • by dryeo ( 100693 )

      Is there a recipe to use noscript to block cloudflare because all it does here is leave you on the 1st page that says to enable JS and cookies.

    • by Jahta ( 1141213 )

      Palemoon maintainer, Moonchild, rejected NoScript add-on and even put it on a warn list. Guess what? NoScript stops this Cloudflare bullshit. You need to have precise control over JS, it isn't all or nothing.

      In fairness, at the time there were a lot of posts in the Palemoon forums complaining that some site or other "was broken" in Palemoon. And it almost always turned out that they were using NoScript. With NoScript turned off, the sites in question worked fine. I switched to uBlock Origin a long time ago and I've found it very effective, and I haven't experienced these Cloudflare issues.

    • by Rexdude ( 747457 )
      Quit spreading this canard, if you're even an actual user as you claim you would know the rest of what I'm saying here.
      Pale Moon doesn't support Web Extensions, it continues to use the much more powerful XUL extension technology. The last version of NoScript that supported XUL has long been abandoned by its developers [noscript.net] so how tf is it Pale Moon's fault if they refuse to update it? It's the job of the extension to support the browser, not vice versa. Or do you think Firefox and Chrome extensions are writte
  • There was a checkbox saying "confirm that you are human", but no delay after I checked it.

  • by tlhIngan ( 30335 ) <slashdot.worf@net> on Saturday March 15, 2025 @11:39PM (#65237117)

    All CloudFlare is doing is fingerprinting users to determine how "good" or "bad" they are.

    They notice what kind of traffic hits the sites they protect. If a lot of bad traffic comes from a particular IP, that IP gets put on a blacklist for extra scrutiny.

    And there are a lot of bad actors out there - which means CloudFlare gets hit with bad traffic the moment a new Tor exit node opens up, or a new VPN server runs, or anything else. The people doing a DDoS using Tor or VPNs are causing CloudFlare to lock down that sort of traffic.

    If oddball browsers are causing the same thing, then maybe those browser vendors need to lock down their use of those browsers. Because obviously CloudFlare sees more bad actors using those browsers than legitimate traffic.

    You don't have to do anything. It's just in the analytics - if more people using Pale Moon are trying to hack the site, then you're going to target Pale Moon users as more likely to be troublemakers and challenge them more often.

    It's simple behavioural analysis. If people are trying to hack websites come from an IP, you limit access from that IP. It's just the same when you block say, China from accessing your SSH server. If all the hacking attacks come from those places, you limit the access.

    Of course, CloudFlare has the added problem in that sometimes you do have legitimate traffic, so you can't block all site access. But you need a way to discriminate between legitimate traffic and traffic that is just there to cause problems.

    It's nothing personal, it's just the way it is. It's why VPN users get checked more frequently, why Tor users get it constantly, and why obscure browser users suffer. Because more often than not, bad traffic uses Tor, or VPNs, or obscure browsers.

    If Pale Moon started spoofing itself as Firefox, it probably would work unless the percentage of Pale Moon users is high enough that it suddenly makes Firefox traffic suspect because suddenly it looks like a lot more Firefox users are using it to hack websites.

    You want to eliminate the checks? Make it so legitimate traffic is what comes out of your VPN or tor node or browser.

    • Pretty much this. What exacerbates the situation for niche browsers is that they are generally trying to block the type of tracking cloudflare (and others) will use to differentiate users.

      The notion that "bad" traffic uses obscure browsers is wrong, malicious traffic generally tries to masquerade as the most common browsers.

      If you're coming from a shared address (CGNAT, VPN etc) *and* you're using a browser which blocks tracking they have no way to tell you apart from other users including malicious ones.

      I have CGNAT here because the ISP has no choice but to use CGNAT to provide access to legacy sites, but they also provide native IPv6. I notice that sites with IPv6 are fine, but many sites that don't have AAAA records end up throwing captchas or outright blocking access. The "ipvfoo" browser extension shows which protocol is being used and you quickly notice the pattern.

  • Unless you just classify them as "unGoogled Chromium", there are multiple users of both Opera and Vivaldi reporting this issue. Strangely, it doesn't affect me personally in either browser, but I suppose that just proves how inconsistent their test is.

  • And everyone who's paying Cloudflare should be appalled by it. It's not a DoS defense at all; it's the equivalent of trying to stop armed robberies of banks by not allowing people with blue shirts to enter the building. It's utterly stupid.

    Techniques for dealing with DoS attacks are well-known, well-documented, and have NOTHING to do with the user-agent sending HTTPS requests -- because of course any competent attacker can easily cause their attacking software to impersonate any browser (and they often
  • In the past six weeks, I've also noticed a massive uptick in getting hit by these blocks with stock Firefox while attempting to load Cloudflare "protected" web sites. CF is just off the hook entirely, trying to destroy the internet as we know it, I guess?

  • Using falkon with qtwebengine 6.8

  • The list in the article contains browsers with well-known rendering engines updated for the latest web-standards. What about the ones that have smaller and incomplete (with regard to the huge html5 standard) engines? Is it legal to block them from the web?

  • Cloudflare has been compromised by three letter agencies and doesn't want any nontraceable activity.

  • by rickb928 ( 945187 ) on Sunday March 16, 2025 @10:04AM (#65237903) Homepage Journal

    So I use Brave as my primary browser, do not happen to use Firefox except on Linux boxes. But...

    I cannot connect to my landing page, ighome.com, on Starbucks WIFI. Nowhere in the Phoenix area. On Android devices ONLY. Pixel 8 Pro, Pixel tablet.

    I've cleared everything, reinstalled, no joy. Tried to change DNS, but, but, cannot do that easily on Android.

    For proof, if I use my phone hotspot, the tablet connects no problem at all. The phone also. So, I suspect Starbucks WIFI...

    Here's the clinker. No such problems on Windows laptops. No problems at all.

    Why do I blame Cloudflare? Because Starbucks WIFI uses Cloudflare. Cloudflare DNS. Etc.

    Starbucks support promised me a call to discuss this. Nope, they will not return the call, I'm sure it's just no point in saying they have a reason. But it's unnecessary, my landing page is not a threat. Cloudflare is just doing what they said they would.

  • I see the described behavior regularly in Firefox: endless reloading of the CloudFlare 'I'm not a robot' checkbox. I suspect one of my extensions is causing this, but haven't taken the time to test this.

  • by Gabest ( 852807 )

    I want to use the web in a terminal.

    • by PPH ( 736903 )

      Actually works pretty well with many sites. Not so well when Clownflare tries to make sure you are running JavaScript*.

      *In my experience, the best thing you can do to block the operation of most bots is to turn off JavaScript. But Clownflare has to make sure it still runs on your system because of all the adware they are protecting.
