
Cloudflare Accused of Blocking Niche Browsers (palemoon.org) 70

Long-time Slashdot reader BenFenner writes: For the third time in recent memory, CloudFlare has blocked large swaths of niche browsers and their users from accessing web sites that CloudFlare gate-keeps. In the past these issues have been resolved quickly (within a week) and apologies issued with promises to do better. (See 2024-03-11, 2024-07-08, and 2025-01-30.)

This time around it has been over six weeks and CloudFlare has been unable or unwilling to fix the problem on their end, effectively stalling any progress on the matter with various tactics including asking browser developers to sign overarching NDAs.

That last link is an update posted today by Pale Moon's main developer: Our current situation remains unchanged: CloudFlare is still blocking our access to websites through the challenges, and the captcha/turnstile continues to hang the browser until our watchdog terminates the hung script after which it reloads and hangs again after a short pause (but allowing users to close the tab in that pause, at least). To say that this upsets me is an understatement. Other than deliberate intent or absolute incompetence, I see no reason for this to endure. Neither of those options are very flattering for CloudFlare.

I wish I had better news.

In a comment, Slashdot reader BenFenner shares a list posted by Pale Moon's developer of reportedly affected browsers:
  • Pale Moon
  • Basilisk
  • Waterfox
  • Falkon
  • SeaMonkey
  • Various Firefox ESR flavors
  • Thorium (on some systems)
  • Ungoogled Chromium
  • K-Meleon
  • LibreWolf
  • MyPal 68
  • Otter browser

Slashdot reader Z00L00K speculates that "this is some kind of anti-bot measure that fails. I suspect that the reason for them wanting a NDA to be signed is to prevent ways to circumvent the anti-bot measures..."


  • by rossdee ( 243626 ) on Saturday March 15, 2025 @07:57PM (#65236797)

    Are any of the web sites that CloudFlare gate-keeps important?

  • While it was once niche in Scandinavian countries and large parts of Africa, it is now mainly niche in southeast Asia.

    Either my browser isn't niche enough to make the cut, or I have not wandered into any clodware hosted pages.
  • by FudRucker ( 866063 ) on Saturday March 15, 2025 @08:08PM (#65236813)
    I love to hunt for minimalist browsers for Android that use the webview engine and I found a few good browsers that were rejected by Cloudflare
  • Configurable (Score:3, Informative)

    by Neuroelectronic ( 643221 ) on Saturday March 15, 2025 @08:08PM (#65236815)

    Isn't this up to the sites who configure and use Cloudflare? DeepSeek locked down their site hard when getting DDoSed; it even blocked Firefox with uBlock. Once the DDoS stopped they opened it up.

  • by test321 ( 8891681 ) on Saturday March 15, 2025 @08:13PM (#65236823)

    From the link "affected browsers" in TFS, this would affect http://www.steamdb.info/ [steamdb.info] https://sourceforge.net/ [sourceforge.net] but both open fine for me with palemoon-33.6.1 and ungoogled-chromium-133.0.6943.141_p1

    • Re: (Score:2, Informative)

      by dimko ( 1166489 )

      From the link "affected browsers" in TFS, this would affect http://www.steamdb.info/ [steamdb.info] https://sourceforge.net/ [sourceforge.net] but both open fine for me with palemoon-33.6.1 and ungoogled-chromium-133.0.6943.141_p1

      Linux Firefox ESR user is here. SteamDB did not pass bot check yesterday.

    • I use Waterfox and can also access those fine... I don't even get the "are you a human" checkbox (no challenge, just have to check the box) I get once or twice a week from Cloudflare.
    • by dryeo ( 100693 )

      I think it depends on cookies that were set earlier when it was easy. I can load sourceforge fine as I've been going there on and off for a long time. Never tried steamdb.info until now, it gets into a loop checking if this SeaMonkey browser is secure

    • by Bert64 ( 520050 )

      There's a LOT more to it than just the browser...

      First it checks where you're coming from. If you're coming from a clean source address then you're fine as it gives you the benefit of the doubt. If however you're coming from a shared NAT address and it's seen lots of users from that address then you go into the shitlist.

      The sites you've listed have IPv6 enabled, so any user with IPv6 will be hitting them from a unique address. Other sites (eg slashdot) don't publish AAAA records which forces traffic to downg

  • by h33t l4x0r ( 4107715 ) on Saturday March 15, 2025 @08:15PM (#65236829)
    3 fixes within a week and the thanks they get is being called incompetent by their main developer?
    • by BenFenner ( 981342 ) on Saturday March 15, 2025 @08:51PM (#65236879)
      Yes.

      1) CloudFlare launches a DOS attack on your browser (and others), then ignores your communication, and stops the attack only after a huge user outcry. Promises are made that this won't happen again.

      2) 4 months pass and the exact same thing happens. Your bug reports and similar get completely ignored, the DOS attack only stops after a huge user outcry. Promises are made this should not and will not happen again. Your browser will be added to their test suite.

      3) 6 months pass and they are DOS-ing you again. Your comms get tossed in the trash. A huge user outcry doesn't work this time. A full month goes by and bad media coverage finally brings CloudFlare to the table. They give you the run-around. 6 weeks in and the DOS continues.

      You're blaming the browser dev in all this? Calling them incompetent is being kind. Likely they are being malicious.
      Fuck off.
      • by Anonymous Coward
        I dislike Cloudflare as much as anyone, but, if this is Cloudflare's fault then why do other browsers have no problem?

        Firefox, no problem. Brave/Chrome, no problem.

        I like Palemoon and have been using it as my main browser for quite a while. But the question remains, why can other browsers work with Cloudflare but Palemoon can't? Sounds like shitty programming by the Palemoon devs.
        • by caseih ( 160668 )

          Cloudflare is checking the user agent string and deliberately blocking these other browsers.

      • Re: (Score:2, Informative)

        by h33t l4x0r ( 4107715 )
        That's not how it works. Cloudflare's customers asked for extra protection from suspicious traffic because their website is under attack. Meanwhile, Pale Moon is suspicious traffic. CF is just giving their customers what they asked for.
        • CF is just giving their customers what they asked for

          Security theatre?

        • by markdavis ( 642305 ) on Saturday March 15, 2025 @11:17PM (#65237083)

          >"Cloudflare's customers asked for extra protection from suspicious traffic because their website is under attack. Meanwhile, Pale Moon is suspicious traffic."

          This is just totally unacceptable behavior on their part. They should be looking at what the incoming machine is DOING, or its source address/location, not just assume it is "bad" because it isn't chrom* or Firefox. It would be somewhat analogous to your grocery store hiring a security team that bans you from entry into the store (and then attacks and harasses you) because you came in wearing a green scarf, and they are not used to seeing people wear those.

          At a time where Google has decimated browser diversity and the only real contender left is Firefox, we desperately need additional pushback against anything that tries to narrow the field like this.

      • by Khyber ( 864651 )

        Damn shame the tech world doesn't have its own Luigi.

  • by Kernel Kurtz ( 182424 ) on Saturday March 15, 2025 @08:17PM (#65236833)
    So what happens if they don't block bots? Does the internet get worse or something?
    • These days bots account for a significant amount of internet traffic.

      • Is there a model where bots pay for their consumption? I can only imagine companies hurting competitors just by racking up AWS bills. AI agents would seem to enable this.
      • These days bots account for a significant amount of internet traffic.

        Yes, I know. So does spam. And advertising. I was being a bit facetious but it is long since true that the majority of traffic on the internet is garbage.

  • by pbry4n ( 7208566 ) on Saturday March 15, 2025 @08:21PM (#65236841)
    Maybe bespoke browsers should impersonate other "acceptable" browsers, through `User-Agent` and possibly other fingerprinting measures, so that they pass such checks. It inevitably becomes an arms race, which no one should really want, but I prefer that over the browser landscape becoming a monoculture. Perhaps while we're at it, this can also be used to thwart fingerprinting technology being used to track our browsing habits without cookies.
    • by dryeo ( 100693 )

      Depending on the browser, it is not good enough to change the user-agent, I just tried at https://steamdb.info/ [steamdb.info] with SeaMonkey and it didn't help. Maybe some JavaScript that isn't supported or last time this happened, the SeaMonkey newsgroup blamed it on using WebGL, which SeaMonkey doesn't support.
      Haven't tested something like the newest Chromium which should support the latest JavaScript. They might even be testing DRM support, I'm not an expert.

      • by dryeo ( 100693 ) on Saturday March 15, 2025 @09:46PM (#65236969)

        Replying to myself as anonymous coward as I'm trying a different browser, Dooble. Slashdot doesn't do the Cloudflare thing until I try to log in. Kind of surprised that I seem to be able to post as ac.
        Actually it didn't allow it, failed with anonymous posting not allowed when I pressed preview but gave me an alternate login page that didn't invoke Cloudflare.

  • I thought I was losing my mind recently, like every site giving me a captcha, so much so I wouldn't even bother solving it or going to that site. I run mostly Firefox ESR but am starting to use Librewolf. Cloudflare is becoming a cancer I'm afraid...

  • Palemoon maintainer, Moonchild, rejected NoScript add-on and even put it on a warn list. Guess what? NoScript stops this Cloudflare bullshit. You need to have precise control over JS, it isn't all or nothing.
    • by dryeo ( 100693 )

      Is there a recipe to use noscript to block cloudflare because all it does here is leave you on the 1st page that says to enable JS and cookies.

  • There was a checkbox saying "confirm that you are human", but no delay after I checked it.

  • by tlhIngan ( 30335 ) <slashdot.worf@net> on Saturday March 15, 2025 @11:39PM (#65237117)

    All CloudFlare is doing is fingerprinting users to determine how "good" or "bad" they are.

    They notice what kind of traffic hits the sites they protect. If a lot of bad traffic comes from a particular IP, that IP gets put on a blacklist for extra scrutiny.

    And there are a lot of bad actors out there - which means CloudFlare gets hit with bad traffic the moment a new Tor exit node opens up, or a new VPN server runs, or anything else. The people doing a DDoS using Tor or VPNs are causing CloudFlare to lock down that sort of traffic.

    If oddball browsers are causing the same thing, then maybe those browser vendors need to lock down their use of those browsers. Because obviously CloudFlare sees more bad actors using those browsers than legitimate traffic.

    You don't have to do anything. It's just in the analytics - if more people using Pale Moon are trying to hack the site, then you're going to target Pale Moon users as more likely to be troublemakers and challenge them more often.

    It's simple behavioural analysis. If people trying to hack websites come from an IP, you limit access from that IP. It's just the same when you block say, China from accessing your SSH server. If all the hacking attacks come from those places, you limit the access.

    Of course, CloudFlare has the added problem in that sometimes you do have legitimate traffic, so you can't block all site access. But you need a way to discriminate between legitimate traffic and traffic that is just there to cause problems.

    It's nothing personal, it's just the way it is. It's why VPN users get checked more frequently, why Tor users get it constantly, and why obscure browser users suffer. Because more often than not, bad traffic uses Tor, or VPNs, or obscure browsers.

    If Pale Moon started spoofing itself as Firefox, it probably would work unless the percentage of Pale Moon users is high enough that it suddenly makes Firefox traffic suspect because suddenly it looks like a lot more Firefox users are using it to hack websites.

    You want to eliminate the checks? Make it so legitimate traffic is what comes out of your VPN or tor node or browser.

    • by Bert64 ( 520050 )

      Pretty much this. What exacerbates the situation for niche browsers is that they are generally trying to block the type of tracking cloudflare (and others) will use to differentiate users.

      The notion that "bad" traffic uses obscure browsers is wrong, malicious traffic generally tries to masquerade as the most common browsers.

      If you're coming from a shared address (CGNAT, VPN etc) *and* you're using a browser which blocks tracking they have no way to tell you apart from other users including malicious ones.

      I

  • Unless you just classify them as "unGoogled Chromium", there are multiple users of both Opera and Vivaldi reporting this issue. Strangely, it doesn't affect me personally in either browser, but I suppose that just proves how inconsistent their test is.

  • And everyone who's paying Cloudflare should be appalled by it. It's not a DoS defense at all; it's the equivalent of trying to stop armed robberies of banks by not allowing people with blue shirts to enter the building. It's utterly stupid.

    Techniques for dealing with DoS attacks are well-known, well-documented, and have NOTHING to do with the user-agent sending HTTPS requests -- because of course any competent attacker can easily cause their attacking software to impersonate any browser (and they often
  • In the past six weeks, I've also noticed a massive uptick in getting hit by these blocks with stock Firefox while attempting to load Cloudflare "protected" web sites. CF is just off the hook entirely, trying to destroy the internet as we know it, I guess?
