Cloudflare Accused of Blocking Niche Browsers (palemoon.org) 153
Long-time Slashdot reader BenFenner writes: For the third time in recent memory, CloudFlare has blocked large swaths of niche browsers and their users from accessing web sites that CloudFlare gate-keeps. In the past these issues have been resolved quickly (within a week) and apologies issued with promises to do better. (See 2024-03-11, 2024-07-08, and 2025-01-30.)
This time around it has been over six weeks and CloudFlare has been unable or unwilling to fix the problem on their end, effectively stalling any progress on the matter with various tactics including asking browser developers to sign overarching NDAs.
That last link is an update posted today by Pale Moon's main developer: Our current situation remains unchanged: CloudFlare is still blocking our access to websites through the challenges, and the captcha/turnstile continues to hang the browser until our watchdog terminates the hung script after which it reloads and hangs again after a short pause (but allowing users to close the tab in that pause, at least). To say that this upsets me is an understatement. Other than deliberate intent or absolute incompetence, I see no reason for this to endure. Neither of those options are very flattering for CloudFlare.
I wish I had better news.
In a comment, Slashdot reader BenFenner shares a list posted by Pale Moon's developer of reportedly affected browsers:
This time around it has been over six weeks and CloudFlare has been unable or unwilling to fix the problem on their end, effectively stalling any progress on the matter with various tactics including asking browser developers to sign overarching NDAs.
That last link is an update posted today by Pale Moon's main developer: Our current situation remains unchanged: CloudFlare is still blocking our access to websites through the challenges, and the captcha/turnstile continues to hang the browser until our watchdog terminates the hung script after which it reloads and hangs again after a short pause (but allowing users to close the tab in that pause, at least). To say that this upsets me is an understatement. Other than deliberate intent or absolute incompetence, I see no reason for this to endure. Neither of those options are very flattering for CloudFlare.
I wish I had better news.
In a comment, Slashdot reader BenFenner shares a list posted by Pale Moon's developer of reportedly affected browsers:
- Pale Moon
- Basilisk
- Waterfox
- Falkon
- SeaMonkey
- Various Firefox ESR flavors
- Thorium (on some systems)
- Ungoogled Chromium
- K-Meleon
- LibreWolf
- MyPal 68
- Otter browser
Slashdot reader Z00L00K speculates that "this is some kind of anti-bot measure that fails. I suspect that the reason for them wanting a NDA to be signed is to prevent ways to circumvent the anti-bot measures..."
web sites that CloudFlare gate-keeps (Score:4, Interesting)
Are any of the web sites that CloudFlare gate-keeps important?
Re:web sites that CloudFlare gate-keeps (Score:5, Informative)
Wikipedia says that nearly 20% of all web sites use CloudFlare. https://en.wikipedia.org/wiki/... [wikipedia.org] That's a pretty big swath of the internet, and is likely to include some important sites.
Slashdot uses CloudFlare, so if you consider Slashdot "important" then you have one example. https://leadiq.com/c/slashdot-... [leadiq.com]
Other notable websites that use Cloudflare include:
- Shopify
- Walmart
- Best Buy
- Vimeo
- Stack Overflow
- OpenAI
Re:web sites that CloudFlare gate-keeps (Score:4, Insightful)
Re:web sites that CloudFlare gate-keeps (Score:2)
It turns out, Firefox isn't a "niche" browser. This might explain why you haven't had trouble with slashdot.
As for the garbage messages blocking you, the rules and messages are set by the website owner. You can blame *them* if the message doesn't mean anything to you, or if you were inappropriately blocked. https://community.cloudflare.c... [cloudflare.com]
Re:web sites that CloudFlare gate-keeps (Score:2)
Relevant? No, "important."
Are any of the web sites that CloudFlare gate-keeps important?
Apparently, slashdot is important enough to you, that you are here posting.
Re:web sites that CloudFlare gate-keeps (Score:2)
Do you just post to enjoy the shitstorm?
You appear to be a bad faith actor with posts like this.
Re:web sites that CloudFlare gate-keeps (Score:3)
Those would be advertisers sites. CloudFlare doesn't seem to do much to block bots and other stuff. But just try to tighten up your ad blocker or tracking protection and they throw a hissy-fit.
Re:web sites that CloudFlare gate-keeps (Score:5, Informative)
For me it's so far the supermarket site where I order my online groceries, and I made it work by using the user agent Mozilla/5.0 (X11; Linux x86_64 for the specific domain.
This tells me it's an arbitary blocking of browsers by Cloudflare on nothing but user agent string and not by treath vector.
Cloudflare is a scam is the conclusion.
Re:web sites that CloudFlare gate-keeps (Score:2)
I run a niche browser (Score:3)
Either my browser isnt niche enough to make the cut, or I have not wandered into any clodware hosted pages.
I know they have (Score:4, Informative)
Configurable (Score:4, Informative)
Isn't this up to the sites who configure and use cloudflare? DeepSeek locked down their site hard when getting DDoSed it even blocked Firefox with UBlock. Once the ddos stopped they opened it up
Example of affected websites? (Score:3)
From the link "affected browsers" in TFS, this would affect http://www.steamdb.info/ [steamdb.info] https://sourceforge.net/ [sourceforge.net] but both open fine for me with palemoon-33.6.1 and ungoogled-chromium-133.0.6943.141_p1
Re:Example of affected websites? (Score:2, Informative)
From the link "affected browsers" in TFS, this would affect http://www.steamdb.info/ [steamdb.info] https://sourceforge.net/ [sourceforge.net] but both open fine for me with palemoon-33.6.1 and ungoogled-chromium-133.0.6943.141_p1
Linux Firefox ESR user is here. SteamDB did not pass bot check yesterday.
Re:Example of affected websites? (Score:2)
Re:Example of affected websites? (Score:3)
I think it depends on cookies that were set earlier when it was easy. I can load sourceforge fine as I've been going there on and off for a long time. Never tried steamdb.info until now, it gets into a loop checking if this SeaMonkey browser is secure
Re:Example of affected websites? (Score:5, Informative)
Theres a LOT more to it than just the browser...
First it checks where you're coming from. If you're coming from a clean source address then you're fine as it gives you the benefit of the doubt. If however you're coming from a shared NAT address and it's seen lots of users from that address then you go into the shitlist.
The sites you've listed have IPv6 enabled, so any user with IPv6 will be hitting them from a unique address. Other sites (eg slashdot) don't publish AAAA records which forces traffic to downgrade to IPv4, which can cause it to go over a NAT gateway in many cases.
When lots of users originate from the same address, as is common with NAT gateways, it then tries to use other methods to separate the users. This would include the typical tracking via cookies etc. The problem with these niche browsers is that most of them are privacy-centric and will block a lot of these tracking methods. If your traffic comes from a suspicious address and it's not already trackable via other means, you'll get the captcha or an outright block.
Being stuck behind a shared CGNAT gateway and accessing sites without IPv6 is the worst case scenario.
The ISP here uses CGNAT out of necessity, and i experience this problem frequently but only on sites that don't publish AAAA records. For any site which uses IPv6 there's no problem at all.
Re:Example of affected websites? (Score:4, Interesting)
This is indeed a problem we have to deal with- getting asshole content networks to stop blocking my eyeballs.
I can say, we offer low-price static IPs, though. Your provider probably does too.
Re:Example of affected websites? (Score:3)
They do not, only on business plans which are significantly more expensive.
Based on their BGP announcements they simply don't have enough legacy addresses for the number of customers.
Most of the content networks support IPv6, and any site that has IPv6 enabled there's no problem. The assholes are the cloudflare (and other) customers that explicitly turn off IPv6 for their sites.
Re:Example of affected websites? (Score:2)
We got all of ours by acquiring companies. These days, people are renting it.
Comcast runs a "statics only for business" racket, too. That sucks.
My CGNAT networks have about a 2.9% static IP rate. It's not bad.
I think they're fucking you.
Re:Example of affected websites? (Score:2)
They're a proxy provider. They proxy whatever the backend site wants, with whatever security mechanisms the backend site wants enabled.
It does, indeed suck, that there are still sites out there without IPv6 reachability.
Re:Example of affected websites? (Score:4, Informative)
The backend does not matter, cloudflare provides the frontend which is what the end users interact with.
In fact, cloudflare always provide a dual stack frontend irrespective of what the backend is, but some customers don't publish the AAAA records (slashdot being one such example), so if you control your own dns resolver you can add the AAAA back but most users wouldn't know how to do this. There are a few tools that can automate this.
So it's the cloudflare (and other cdn) customers entirely to blame for not publishing AAAA records.
Having to respond with captchas or outright blocking when faced with malicious traffic is a necessary evil these days, and nat is only intended to be a temporary stopgap measure.
Re:Example of affected websites? (Score:2)
The Pale Moon guy's attitude sucks (Score:2, Informative)
Re:The Pale Moon guy's attitude sucks (Score:5, Informative)
1) CloudFlare launches a DOS attack on your browser (and others), then ignores your communication, and only stops the attack only after a huge user outcry. Promises are made that this won't happen again.
2) 4 months pass and the exact same thing happens. Your bug reports and similar get completely ignored, the DOS attack only stops after a huge user outcry. Promises are made this should not and will not happen again. Your browser will be added to their test suite.
3) 6 months pass and they are DOS-ing you again. Your comms get tossed in the trash. A huge user outcry doesn't work this time. A full month goes by and bad media coverage finally brings CloudFlare to the able. They give you the run-around. 6week in and the DOS continues.
You're blaming the browser dev in all this? Calling them incompetent is being kind. Likely they are being malicious.
Fuck off.
Re:The Pale Moon guy's attitude sucks (Score:3, Informative)
Re:The Pale Moon guy's attitude sucks (Score:3)
CF is just giving their customers what they asked for
Security theatre?
Re:The Pale Moon guy's attitude sucks (Score:5, Insightful)
>"Cloudflare's customers asked for extra protection from suspicious traffic because their website is under attack. Meanwhile, Pale Moon is suspicious traffic."
This is just totally unacceptable behavior on their part. They should be looking at what the incoming machine is DOING, or its source address/location, not just assume it is "bad" because it isn't chrom* or Firefox. It would be somewhat analogous to your grocery store hiring a security team that bans you from entry into the store (and then attacks and harasses you) because you came in wearing a green scarf, and they are not used to seeing people wear those.
At a time where Google has decimated browser diversity and the only real contender left is Firefox, we desperately need additional pushback against anything that tries to narrow the field like this.
Re:The Pale Moon guy's attitude sucks (Score:3)
Re:The Pale Moon guy's attitude sucks (Score:2)
Re:The Pale Moon guy's attitude sucks (Score:2)
Re: The Pale Moon guy's attitude sucks (Score:4, Insightful)
Re: The Pale Moon guy's attitude sucks (Score:4, Insightful)
Cloudflare isn't in the business of blocking HTTP/S speakers. They're in the business of blocking bots, or other kinds of not-actually-a-browser HTTP traffic.
Detecting them is, in fact, a trick.
Their customers pay them a lot of money for this.
Re: The Pale Moon guy's attitude sucks (Score:2)
Why accomodate any browser at all? HTTP is a standard. TLS is a standard. Why does the software matter if it implements the necessary standards?
This has nothing to do with HTTP or TLS. The problems being solved are on a network layer above that, and they are solving it using a layer below it. If HTTP / TLS had something like DDOS protection or anti-bot tech then none of this would be happening.
Re: The Pale Moon guy's attitude sucks (Score:2)
the http and tls is ok, the problem is that many people create bots to either scape, abuse or DoS a site. Some are easy to detect (curl, no javascripr), but others are harder (say selenium or nodejs doing those requests).
Cloudflare sells protection for the sites, so they need to find a way to detect real users and bots, when both are sometimes almost the same behavior. They need to rely on what normal users do (several steps) vs bots usually doing direct access to urls. but that alone isn't enough and they have to do magic!
they check corner cases, small details and even bugs. Using that, they hope to detect a real users... but that is always hard and if the bot makers/attackers know what CF is checking, they can workaround and have free access to abuse the sites. That is why CF request a NDA, small browsers are failing some checks (missing feature, different bug behaviour, etc) , but to fix it, CF needs to disclose what is checking. the NDA is a attempt to avoid that info to leak and make useless the check.
this is a hard balance to manage and both sides have things to lose if it is badly managed
Re:The Pale Moon guy's attitude sucks (Score:3)
You can't expect the entire internet to accomodate you when you're using an obscure hobby web browser, that's just common sense.
Found the guy with no sense.
Re:The Pale Moon guy's attitude sucks (Score:2)
I had to modify a NAT translation modules not to use
We could argue that cloudflare is offering them a broken service here, but it's still the individual site operator that selects this particular form of proxy validation.
I have to deal with this bullshit all the time for my eyeball networks trying to get to certain cloudflare protected sites.
Re:The Pale Moon guy's attitude sucks (Score:2)
Unacceptable according to whom?
Part of the design of the web is that anyone can run any service which exchanges any data they wish. While everyone is entitled to share an opinion on those protocols, it's not up to anyone else to proclaim what is and is not acceptable.
Ultimately what individual hosts o the web do is up to them.
Re:The Pale Moon guy's attitude sucks (Score:2)
Re:The Pale Moon guy's attitude sucks (Score:3)
Damn shame the tech world doesn't have its own Luigi.
Re:The Pale Moon guy's attitude sucks (Score:2)
hehe I'm still living rent free in your head and sig, I see! I still don't know who Jessica Price is. Did you ever tell me?
Re:The Pale Moon guy's attitude sucks (Score:2)
Cloud fare is checking the user agent string and deliberately blocking these other browsers.
Re:The Pale Moon guy's attitude sucks (Score:3)
Yes it is. Because they have to build something that works in EVERY browser if they basically run the web. You think about palemoon know. What about minimalist browsers that do not even use Gecko, Webkit or Blink? Do you need a fancy browser with recent html5 support and a modern javascript engine just to read some article on a cloudflare hosted site?
The idea of the web is, that each software needs to make the best effort to support clients/servers that do not implement the full features, as long as they implement the required features. The required feature to access a static website hosted by cloudflare would be an HTTP/0.9 implementation. Their arbitrary limits do not only need a recent Javascript engine, but also features with security implications like webassembly. Just to allow you to read a static website.
Anti-bot measures (Score:3)
Re:Anti-bot measures (Score:5, Informative)
These days bots account for a significant amount of internet traffic.
Payment model (Score:2)
Re:Anti-bot measures (Score:2)
These days bots account for a significant amount of internet traffic.
Yes, I know. So does spam. And advertising. I was being a bit facetious but it is long since true that the majority of traffic on the internet is garbage.
Re:Anti-bot measures (Score:2)
It's over ten years that people reported that. It's just like that, you have search engines, nowadays you have AI bots ... some even had the dead internet theory. But let's get real, most data processing is done transparently in the background. Your browser does not make a difference, most things that you use daily only work because hundreds of cloud services and web crawlers work together to provide you the modern internet experience.
Re:Anti-bot measures (Score:2)
before we enabled better bot detection and filtering, bots accounted around 1/3 to 1/2 of our traffic. This make us lose money as we have to scale the infra to serve that traffic and worse, as real users need lower latency, we scale aggressively to keep the response times low.
with better bot detection, we end blocking many and created a new infra setup just for bots with limited scale and relaxed scaling rules (also, using a read-only replica, bots making orders or changing data is for sure malicious). now bots are around 1/10 of the traffic and the special bot infra is costing us a fraction of the past. End users also have more stable response times, as bots can't trash our cache system with many thousands of useless requests that end evicting valid cache entries..
Also don't forget the bots trying to brute force logins or vouchers, doing DoS or probing security holes. Cloudflare isn't perfect, but it do really helps blocking a huge amount of junk... that is why they have 20% of the sites, it works and for most people, it is very cheap (free) and even if you pay, it usually have a good value
Operation: Impersonation (Score:3)
Re:Operation: Impersonation (Score:2)
Depending on the browser, it is not good enough to change the user-agent, I just tried at https://steamdb.info/ [steamdb.info] with SeaMonkey and it didn't help. Maybe some JavaScript that isn't supported or last time this happened, the SeaMonkey newsgroup blamed it on using WebGL, which SeaMonkey doesn't support.
Haven't tested something like the newest Chromium which should support the latest JavaScript. They might even be testing DRM support, I'm not an expert.
Re:Operation: Impersonation (Score:4, Informative)
Replying to myself as anonymous coward as I'm trying a different browser, Dooble. Slashdot doesn't do the Cloudflare thing until I try to log in. Kind of surprised that I seem to be able to post as ac.
Actually it didn't allow it, failed with anonymous posting not allowed when I pressed preview but gave me an alternate login page that didn't invoke Cloudflare.
Re:Operation: Impersonation (Score:3)
SeaMonkey not supporting WebGL isn't Cloudflare's fault. SeaMonkey being blocked by Cloudflare because it doesn't support WebGL and therefore fails their fingerprinting is Cloudflare's fault.
Re:Operation: Impersonation (Score:2)
Requiring WebGL for simple website access is Cloudflares fault. There is no reason to have WebGL enabled as long as you're not trying to play a browser game. And WebGL does not only have security implications but also fingerprinting issues.
Re:Operation: Impersonation (Score:2)
bing, and that is why they try to use it, to see if it is a real users or some bot trying to fake any other browser
as i said, trying to detect bots is hard and all small details and corner cases help doing it
Re:Operation: Impersonation (Score:2)
That's a bad idea. A main part of web firewalls like cloudflare is to discover such lies. If your browser is a Firefox sending a Chromium user-agent, Cloudflare flags it as potentially suspicious.
Re:Operation: Impersonation (Score:2)
Changing the user-agent makes it more suspicious. Cloudflare doesn't just believe that string, it verifies it. Check for features that the browser is supposed to have, looks for telltale signs of the Javascript engine in use, the way stuff like canvas and WebGL are handled etc.
As a result browsers that enhance your privacy or don't support those things tend to fail the checks.
Re:Operation: Impersonation (Score:2)
that is totally the wrong way to do it!
that is what the bots are doing, trying to fake real user browsers! that is why cloudflare is checking weird things, to detect those fake browsers.
what the other browsers must do is really use their own user-agent and announce their real features... and talk with cloudflare to even add extra checks to help CF and others to detect them
Re:Operation: Impersonation (Score:5, Insightful)
Cloudflare is malware
As a part of a group that runs a genealogy website, we have had to implement CloudFlare to thwart scraping attempts. Before we moved to CloudFlare, these scrapers would literally bring down our site, like a DDOS. Maybe it's malware to you, for us, it's what keeps us online.
Re:Operation: Impersonation (Score:2)
And yet they can still perform that function without just automatically assuming that an unusual browser is an automatic threat.
Re:Operation: Impersonation (Score:2)
They certainly could. But is that the most logical thing for CloudFlare to do?
The reality is that 99.99% of people use regular browsers, so if somebody uses an unusual browser, there could be legitimate reason to assume that something less than honorable is going on. Think of it like some random salesperson coming to your door offering you a really good deal on a product. You have every reason not to trust him because you don't know who he represents. The fact that he doesn't come representing a known name, in a vehicle with a recognized logo, is reason enough for suspicion.
Re:Operation: Impersonation (Score:2)
Seeing something unusual should certainly be *a* factor in determining if something bad is afoot. But it shouldn't be the ONLY factor necessary to then jump into full nuclear response (which is what this seems to be). It is just irresponsible.
Re:Operation: Impersonation (Score:2)
Why would you say that it shouldn't be the only factor? Why not?
If that unidentified salesperson comes to my door, and I didn't call them, I'm not answering. Period. That's the only reason I need to be suspicious. Why shouldn't web site operators treat unknown browsers with the same suspicion, even if that's the only thing that seems suspicious?
Re:Operation: Impersonation (Score:2)
I guarantee that very few, if any, of CloudFlare's customers knew that legit customers were being harassed or even blocked just based on their browser choice. Even if it is a tiny amount, most businesses would probably still not like that decision, especially when it doesn't have to be that way. This is especially problematic when CloudFlare is being slow to react and/or difficult to work with on complaints.
I am not saying it should be "illegal", but that it is "wrong." Especially when it is being done somewhat secretly/nefariously, by a huge corporation with lots of power to shape and affect all of us, and has some real negative consequences. What happens if CloudFlare decides that Linux machines are more of a bot threat because they are less "mainstream" and starts harassing based on that? What happens if they decide that the only remaining multiplatform competition to Google's control over web browsers, Firefox, is not "mainstream" enough and starts harassing those users?
Thankfully, other postings indicate it isn't just the browser, it is also looking at where the traffic is coming from, and the NAT situation. Still not ideal, but perhaps nothing is.
Re:Operation: Impersonation (Score:2)
It's hard to tell exactly what is going on here, because the only source is a complaint site, criticizing CloudFlare. There's nothing from an unbiased source describing what's happening. As you pointed out, it's possible that there is a combination of factors involved, not simply the choice of a "niche" browser.
Re:Operation: Impersonation (Score:4, Informative)
we have had to implement CloudFlare
No, you didn't have to.
There are plenty of alternatives to CloudFlare that are actually good at what they do.
Barring that, there are hosts that provide excellent, creative, and sometimes passive protection against DOS and bots while also giving you the tools to further build your own protection to that end. I've run a 10k+ user site with guest (non-login) features for 8+ years now with zero DOS attacks and bot behavior below the level of noise. I host with Nearly Free Speech, but there may be others like it.
https://www.nearlyfreespeech.n... [nearlyfreespeech.net]
Re:Operation: Impersonation (Score:2)
So you made a great case that there are other choices besides CloudFlare. That's fine, I didn't suggest that CloudFlare is the only option. It's one option of many.
Do you believe that CloudFlare is "malware"? If so, why?
Re:Operation: Impersonation (Score:2)
CloudFlare decrypts HTTPS traffic on the way to a server, then re-encrypts it before sending it on to the destination server. They are a man-in-the-middle.
As a user making an HTTPS request to a web server, I expect my request to reach that server exactly as-is. CloudFlare breaks this fundamental aspect of trust.
(That is without mentioning the gate-keeping bullshit they pull.)
Re:Operation: Impersonation (Score:2)
If I am a website operator, and I implement CloudFlare, then from my perspective, CloudFlare *is* part of my server infrastructure. I don't see the issue, nor do I buy that it's a "man in the middle" attack. By your logic, a VPN is also a "man-in-the-middle".
I'm glad it's not me... (Score:2)
I thought I was losing my mind recently, like every site giving me a captcha, so much so I wouldn't even bother solving it or going to that site. I run mostly Firefox ESR but am starting to use Librewolf. Cloudflare is becoming a cancer I'm afraid...
Palemoon user here... (Score:5, Informative)
Re:Palemoon user here... (Score:2)
Is there a recipe to use noscript to block cloudflare because all it does here is leave you on the 1st page that says to enable JS and cookies.
Re:Palemoon user here... (Score:3)
Palemoon maintainer, Moonchild, rejected NoScript add-on and even put it on a warn list. Guess what? NoScript stops this Cloudflare bullshit.You need to have precise control over JS, it isn't all or nothing.
In fairness, at the time there were a lot of posts in the Palemoon forums complaining that some site or other "was broken" in Palemoon. And it almost always turned out that they were using NoScript. With NoScript turned off, the sites in question worked fine. I switched to uBlock Origin a long time ago and I've found it very effective, and I haven't experienced these Cloudflare issues.
Re:Palemoon user here... (Score:2)
Pale Moon doesn't support Web Extensions, it continues to use the much more powerful XUL extension technology. The last version of NoScript that supported XUL has long been abandoned by its developers [noscript.net] so how tf is it Pale Moon's fault if they refuse to update it? It's the job of the extension to support the browser, not vice versa. Or do you think Firefox and Chrome extensions are written once and run forever?
And if you think Pale Moon is a frozen obsolete version of Firefox stuck in time thanks to the propaganda spread by Firefox fanboys, think again [palemoon.org].
Posting from Falkon (Score:2)
There was a checkbox saying "confirm that you are human", but no delay after I checked it.
Blame the bad actors, not CloudFlare. (Score:4, Insightful)
All CloudFlare is doing is fingerprinting users to determine how "good" or "bad" they are.
They notice what kind of traffic hits the sites they protect. If a lot of bad traffic comes from a particularly IP, that IP gets put on a blacklist for extra scrutiny.
And there are a lot of bad actors out there - which means CloudFlare gets hit with bad traffic the moment a new Tor exit node opens up, or a new VPN server runs, or anything else. The people doing a DDoS using Tor or VPNs are causing CloudFlare to lock down that sort of traffic.
If oddball browsers are causing the same thing, then maybe those browser vendors need to lock down their use of those browsers. Because obviously CloudFlare sees more bad actors using those browsers than legitimate traffic.
You don't have to do anything. It's just in the analytics - if more people using Pale Moon are trying to hack the site, then you're going to target Pale Moon users as more likely to be troublemakers and challenge them more often.
It's simple behavioural analysis. If people are trying to hack websites come from an IP, you limit access from that IP. It's just the same when you block say, China from accessing your SSH server. If all the hacking attacks come from those places, you limit the access.
Of course, CloudFlare has the added problem in that sometimes you do have legitimate traffic, so you can't block all site access. But you need a way to discriminate between legitimate traffic and traffic that is just there to cause problems.
It's nothing personal, it's just the way it is. It's why VPN users get checked more frequently, why Tor users get it constantly, and why obscure browser users suffer. Because more often than not, bad traffic uses Tor, or VPNs, or obscure browsers.
If Pale Moon started spoofing itself as Firefox, it probably would work unless the percentage of Pale Moon users is high enough that it suddenly makes Firefox traffic suspect because suddenly it looks like a lot more Firefox users are using it to hack websites.
You want to eliminate the checks? Make it so legitimate traffic is what comes out of your VPN or tor node or browser.
Re:Blame the bad actors, not CloudFlare. (Score:5, Insightful)
Pretty much this. What exacerbates the situation for niche browsers is that they are generally trying to block the type of tracking cloudflare (and others) will use to differentiate users.
The notion that "bad" traffic uses obscure browsers is wrong, malicious traffic generally tries to masquerade as the most common browsers.
If you're coming from a shared address (CGNAT, VPN etc) *and* you're using a browser which blocks tracking they have no way to tell you apart from other users including malicious ones.
I have CGNAT here because the ISP has no choice but to use CGNAT to provide access to legacy sites, but they also provide native IPv6. I notice that sites with IPv6 are fine, but many sites that don't have AAAA records ends up throwing captchas or outright blocking access. The "ipvfoo" browser extension shows which protocol is being used and you quickly notice the pattern.
Re: Blame the bad actors, not CloudFlare. (Score:2)
In this case, it would be because of your offensively stupid analogy.
More browsers (Score:2)
Unless you just classify them as " unGoogled Chromium", there are multiple users of both Opera and Vivaldi reporting this issue. Strangely, it doesn't effect me personally in either browser, but I suppose that just proves how inconsistent their test is.
This is a stunning display of incompetence (Score:2)
Techniques for dealing with DoS attacks are well-known, well-documented, and have NOTHING to do with the user-agent sending HTTPS requests -- because of course any competent attacker can easily cause their attacking software to impersonate any browser (and they often do). These techniques are focused on traffic behavior at the IP layer and on its origin(s) - and they work. But of course deploying these would require competent personnel (not in evidence), careful study (not in evidence), and baseline expertise in network management (not in evidence).
Cloudflare is a scam. Unsurprising, really, given that the CEO is an enthusiastic Nazi supporter.
Stock Firefox (Score:2)
In the past six weeks, I've also noticed a massive uptick in getting hit by these blocks with stock Firefox while attempting to load Cloudflare "protected" web sites. CF is just off the hook entirely, trying to destroy the internet as we know it, I guess?
Re: Stock Firefox (Score:2)
Well, Firefox is a "niche browser" now, isn't it?
Re:Stock Firefox (Score:2)
Don't blame them.
Blame the assholes that think what they offer is the right way to solve the problem.
Not affected (Score:2)
Using falkon with qtwebengine 6.8
What about the even smaller ones? (Score:2)
The list in the article contains browsers with well-known rendering engines updated for the latest web-standards. What about the ones that have smaller and incomplete (with regard to the huge html5 standard) engines? Is it legal to block them from the web?
Translation: Eliminate secure anonymous browsing (Score:2)
Cloudflare has been compromised by three letter agencies and doesn't want any nontraceable activity.
Ok, I got my sad tale of woe (Score:3)
So I use Brave as my primary browser, do not happen to use Firefox except on Linux boxes. But...
I cannot connect to my landing page, ighome.com, on Starbucks WIFI. Nowhere in the Phoenix area. On Android devices ONLY. Pixel 8 Pro, Pixel tablet.
I've cleared everything, reinstalled, no joy. Tried to change DNS, but, but, cannot do that easily on Android.
For proof, if I use my phone hotspot, the table connects no problem at all. The phone also. So, I suspect Starbucks WIFI...
Here's the clinker. No such problems on Windows laptops. No problems at all.
Why do I blame Cloudflare? Because Starbucks WIFI uses Cloudflare. Cloudflare DNS. Etc.
Starbucks support promised me a call to discuss this. Nope, they will not return the call, I'm sure it's just no point in saying they have a reason. But it's unnecessary, my landing page is not a threat. Cloudflare is just doing what they said they would.
Re:Ok, I got my sad tale of woe (Score:2)
Oh, and before you ask, all browsers I can carry, Brave, Edge, Chrome, all those.
Firefox too (Score:2)
I see the described behavior regularly in Firefox: endless reloading of the CloudFlare 'I'm not a robot' checkbox. I suspect one of my extensions is causing this, but haven't taken the time to test this.
Lynx (Score:2)
I want to use the web in a terminal.
Re:Lynx (Score:2)
Actually works pretty well with many sites. Not so well when Clownflare tries to make sure you are running JavaScript*.
*In my experience, the best thing you can do to block the operation of most bots is to turn off JavaScript. But Clownflare has to make sure it still runs on your system because of all the adware they are protecting.
Re:Nazi's (Score:2, Funny)
They said 'niche' browsers, not 'Nietzsche'.
Re:Nazi's (Score:4, Insightful)
What books of Nietzsche are you referring to? Because the ones I've read are either unrelated or contain massive attacks against "this 'aryan' nonsense" and "these idiots from the 'aryan' movement". He actually refused to argue with some dimwit insulting him in public because "the simple fact that this man is a member of the 'aryan' movement tells me that he is an idiot unable to understand any rational argument". (F.W. Nietsche, "Morgenröthe")
So, if you want to convince me that F.W. Nietzsche -who died decades before the advent of the NSDAP- was a Nazi I hope you have solid evidence. Or are you, by any chance, an idiot who doesn't know jack about what he is talking about?
Re:Nazi's (Score:3, Insightful)
I did not see that coming.
Re:Nazi's (Score:2)
First visible comment. Why did you propagate the vacuous Subject?
Re:Nazi's (Score:3, Informative)
I don't think this is about fascists as much as it is about incompetents. At some level they must be fundamentally relying on client-side security (which the competent know is really no security at all) and think that they can mitigate the risk by just blocking traffic from anything their browser identification heuristics don't recognize. Now this is starting to become a more widely recognized problem because, due to the combined enshitification of Chrome and Firefox, there have recently been a proliferation of forks.
Re:Oh no! A 16-year-old fork of obsolete Firefox c (Score:5, Insightful)
And Safari is a 22-year-old fork of obsolete Konqueror code. So what?
This isn't an accident; they're deliberating only telling the makers of the biggest browsers how to get in.
Re:Oh no! A 16-year-old fork of obsolete Firefox c (Score:3)
Re:Oh no! A 16-year-old fork of obsolete Firefox c (Score:2)
This isn't an accident; they're deliberating only telling the makers of the biggest browsers how to get in.
They will literally tell anyone who will sign an NDA.
Re:Oh no! A 16-year-old fork of obsolete Firefox c (Score:3)
NDAs are a convenient way to kill Open Source: you can't "not disclose" things you are embedding in source code you will release to the public, and if that NDA is required for the Open Source program to be usable, then the Open Source program is not usable any more.
Super convenient if you like to have only a few rich people to deal with instead of a bunch of other people too.