Cloudflare Accused of Blocking Niche Browsers

Long-time Slashdot reader BenFenner writes: For the third time in recent memory, CloudFlare has blocked large swaths of niche browsers and their users from accessing web sites that CloudFlare gate-keeps. In the past these issues have been resolved quickly (within a week) and apologies issued with promises to do better. (See 2024-03-11, 2024-07-08, and 2025-01-30.)

This time around it has been over six weeks and CloudFlare has been unable or unwilling to fix the problem on their end, effectively stalling any progress on the matter with various tactics including asking browser developers to sign overarching NDAs.
That last link is an update posted today by Pale Moon's main developer: Our current situation remains unchanged: CloudFlare is still blocking our access to websites through the challenges, and the captcha/turnstile continues to hang the browser until our watchdog terminates the hung script after which it reloads and hangs again after a short pause (but allowing users to close the tab in that pause, at least). To say that this upsets me is an understatement. Other than deliberate intent or absolute incompetence, I see no reason for this to endure. Neither of those options are very flattering for CloudFlare.

I wish I had better news.
In a comment, Slashdot reader BenFenner shares a list posted by Pale Moon's developer of reportedly affected browsers:

• Pale Moon
• Basilisk
• Waterfox
• Falkon
• SeaMonkey
• Various Firefox ESR flavors
• Thorium (on some systems)
• Ungoogled Chromium
• K-Meleon
• LibreWolf
• MyPal 68
• Otter browser

Slashdot reader Z00L00K speculates that "this is some kind of anti-bot measure that fails. I suspect that the reason for them wanting a NDA to be signed is to prevent ways to circumvent the anti-bot measures..."

Re:

[Anonymous Coward]

They said 'niche' browsers, not 'Nietzsche'.

Re:Nazi's

[Pf0tzenpfritz]

What books of Nietzsche are you referring to? Because the ones I've read are either unrelated or contain massive attacks against "this 'aryan' nonsense" and "these idiots from the 'aryan' movement". He actually refused to argue with some dimwit insulting him in public because "the simple fact that this man is a member of the 'aryan' movement tells me that he is an idiot unable to understand any rational argument". (F.W. Nietsche, "Morgenröthe")
So, if you want to convince me that F.W. Nietzsche -who died decades before the advent of the NSDAP- was a Nazi I hope you have solid evidence. Or are you, by any chance, an idiot who doesn't know jack about what he is talking about?

Re:

[OrangAsm]

I did not see that coming.

Re:

[Narcocide]

I don't think this is about fascists as much as it is about incompetents. At some level they must be fundamentally relying on client-side security (which the competent know is really no security at all) and think that they can mitigate the risk by just blocking traffic from anything their browser identification heuristics don't recognize. Now this is starting to become a more widely recognized problem because, due to the combined enshitification of Chrome and Firefox, there have recently been a proliferatio

Re:

[2TecTom]

Classism and corporatocracy in action, the inevitable consequences of greed and irresponsibility. Is it any surprise we're seeing the decline of our civilization? This is always what happens to unethical societies.

web sites that CloudFlare gate-keeps

[rossdee]

Are any of the web sites that CloudFlare gate-keeps important?

Re:web sites that CloudFlare gate-keeps

[Tony Isaac]

Wikipedia says that nearly 20% of all web sites use CloudFlare. https://en.wikipedia.org/wiki/... [wikipedia.org] That's a pretty big swath of the internet, and is likely to include some important sites.

Slashdot uses CloudFlare, so if you consider Slashdot "important" then you have one example. https://leadiq.com/c/slashdot-... [leadiq.com]

Other notable websites that use Cloudflare include:
- Shopify
- Walmart
- Best Buy
- Vimeo
- Stack Overflow
- OpenAI

Re:

[Tony Isaac]

Relevant? No, "important."

Are any of the web sites that CloudFlare gate-keeps important?

Apparently, slashdot is important enough to you, that you are here posting.

Re:

[jvkjvk]

Do you just post to enjoy the shitstorm?

You appear to be a bad faith actor with posts like this.

Re:

[PPH]

Those would be advertisers sites. CloudFlare doesn't seem to do much to block bots and other stuff. But just try to tighten up your ad blocker or tracking protection and they throw a hissy-fit.

Re:web sites that CloudFlare gate-keeps

[JamesTRexx]

For me it's so far the supermarket site where I order my online groceries, and I made it work by using the user agent Mozilla/5.0 (X11; Linux x86_64 for the specific domain.
This tells me it's an arbitary blocking of browsers by Cloudflare on nothing but user agent string and not by treath vector.
Cloudflare is a scam is the conclusion.

Re:

[outsider007]

That's more likely the supermarket blocking you, and how exactly is it a scam? If they decide to block you that's their choice since they pay for the bandwidth you're sucking down.

Re:

[WidjettyOne]

My university uses Cloudflare WAF for all of its websites, to my moderate despair.

I run a niche browser

[Rockoon]

While it was once niche in Scandinavian countries and large parts of Africa, it is now mainly niche in southeast Asia.

Either my browser isnt niche enough to make the cut, or I have not wandered into any clodware hosted pages.

I know they have

[FudRucker]

I love to hunt for minimalist browsers for android that use the webview engine and i found a few good browsers that were rejected by cloudflare

Configurable

[Neuroelectronic]

Isn't this up to the sites who configure and use cloudflare? DeepSeek locked down their site hard when getting DDoSed it even blocked Firefox with UBlock. Once the ddos stopped they opened it up

Re:Oh no! A 16-year-old fork of obsolete Firefox c

[Mononymous]

And Safari is a 22-year-old fork of obsolete Konqueror code. So what?
This isn't an accident; they're deliberating only telling the makers of the biggest browsers how to get in.

Re:

[phantomfive]

And Chrome is a 15 year old fork from Safari.

Example of affected websites?

[test321]

From the link "affected browsers" in TFS, this would affect http://www.steamdb.info/ [steamdb.info] https://sourceforge.net/ [sourceforge.net] but both open fine for me with palemoon-33.6.1 and ungoogled-chromium-133.0.6943.141_p1

Re:

[dimko]

From the link "affected browsers" in TFS, this would affect http://www.steamdb.info/ [steamdb.info] https://sourceforge.net/ [sourceforge.net] but both open fine for me with palemoon-33.6.1 and ungoogled-chromium-133.0.6943.141_p1

Linux Firefox ESR user is here. SteamDB did not pass bot check yesterday.

Re:

[fafalone]

I use Waterfox and can also access those fine... I don't even get the "are you a human" checkbox (no challenge, just have to check the box) I get once or twice a week from cloudfare.

Re:

[dryeo]

I think it depends on cookies that were set earlier when it was easy. I can load sourceforge fine as I've been going there on and off for a long time. Never tried steamdb.info until now, it gets into a loop checking if this SeaMonkey browser is secure

Re:

[Bert64]

Theres a LOT more to it than just the browser...

First it checks where you're coming from. If you're coming from a clean source address then you're fine as it gives you the benefit of the doubt. If however you're coming from a shared NAT address and it's seen lots of users from that address then you go into the shitlist.

The sites you've listed have IPv6 enabled, so any user with IPv6 will be hitting them from a unique address. Other sites (eg slashdot) don't publish AAAA records which forces traffic to downg

The Pale Moon guy's attitude sucks

[h33t l4x0r]

3 fixes within a week and the thanks they get is being called incompetent by their main developer?

Re:The Pale Moon guy's attitude sucks

[BenFenner]

Yes.

1) CloudFlare launches a DOS attack on your browser (and others), then ignores your communication, and only stops the attack only after a huge user outcry. Promises are made that this won't happen again.

2) 4 months pass and the exact same thing happens. Your bug reports and similar get completely ignored, the DOS attack only stops after a huge user outcry. Promises are made this should not and will not happen again. Your browser will be added to their test suite.

3) 6 months pass and they are DOS-ing you again. Your comms get tossed in the trash. A huge user outcry doesn't work this time. A full month goes by and bad media coverage finally brings CloudFlare to the able. They give you the run-around. 6week in and the DOS continues.

You're blaming the browser dev in all this? Calling them incompetent is being kind. Likely they are being malicious.
Fuck off.

Re:

[Anonymous Coward]

I dislike Cloudflare as much as anyone, but, if this is Cloudflare's fault then why do other browsers have no problem?

Firefox, no problem. Brave/Chrome, no problem.

I like Palemoon and have been using it as my main browser for quite a while. But the question remains, why can other browsers work with Cloudflare but Palemoon can't? Sounds like shitty programming by the Palemoon devs.

Re:

[caseih]

Cloud fare is checking the user agent string and deliberately blocking these other browsers.

Re:

[h33t l4x0r]

That's not how it works. Cloudflare's customers asked for extra protection from suspicious traffic because their website is under attack. Meanwhile, Pale Moon is suspicious traffic. CF is just giving their customers what they asked for.

Re:

[JamesTRexx]

CF is just giving their customers what they asked for

Security theatre?

Re:The Pale Moon guy's attitude sucks

[markdavis]

>"Cloudflare's customers asked for extra protection from suspicious traffic because their website is under attack. Meanwhile, Pale Moon is suspicious traffic."

This is just totally unacceptable behavior on their part. They should be looking at what the incoming machine is DOING, or its source address/location, not just assume it is "bad" because it isn't chrom* or Firefox. It would be somewhat analogous to your grocery store hiring a security team that bans you from entry into the store (and then attacks and harasses you) because you came in wearing a green scarf, and they are not used to seeing people wear those.

At a time where Google has decimated browser diversity and the only real contender left is Firefox, we desperately need additional pushback against anything that tries to narrow the field like this.

Re:

[h33t l4x0r]

If you find it unacceptable that's just tough shit. You can't expect the entire internet to accomodate you when you're using an obscure hobby web browser, that's just common sense.

Re:

[Cochonou]

That's probably the expectation of Cloudflare customers, though. They do not want visitors blocked over meaningless rules.

Re: The Pale Moon guy's attitude sucks

[BetterThanCaesar]

Why accomodate any browser at all? HTTP is a standard. TLS is a standard. Why does the software matter if it implements the necessary standards?

Re:

[Khyber]

Damn shame the tech world doesn't have its own Luigi.

Anti-bot measures

[Kernel Kurtz]

So what happens if they don't block bots? Does the internet get worse or something?

Re:

[ArchieBunker]

These days bots account for a significant amount of internet traffic.

Payment model

[commodore73]

Is there a model where bots pay for their consumption? I can only marine companies hurting competitors just by racking up AWS bills. AI agents would seem to enable this.

Re:

[Kernel Kurtz]

These days bots account for a significant amount of internet traffic.

Yes, I know. So does spam. And advertising. I was being a bit facetious but it is long since true that the majority of traffic on the internet is garbage.

Operation: Impersonation

[pbry4n]

Maybe bespoke browsers should impersonate other "acceptable" browsers, through `User-Agent` and possibly other fingerprinting measures, so that they pass such checks. It inevitably becomes an arms race, which no one should really want, but I prefer that over the browser landscape becoming a monoculture. Perhaps while we're at it, this can also be used to thwart fingerprinting technology being used to track our browsing habits without cookies.

Re:

[Tony Isaac]

Cloudflare is malware

As a part of a group that runs a genealogy website, we have had to implement CloudFlare to thwart scraping attempts. Before we moved to CloudFlare, these scrapers would literally bring down our site, like a DDOS. Maybe it's malware to you, for us, it's what keeps us online.

Re:

[markdavis]

And yet they can still perform that function without just automatically assuming that an unusual browser is an automatic threat.

Re:

[dryeo]

Depending on the browser, it is not good enough to change the user-agent, I just tried at https://steamdb.info/ [steamdb.info] with SeaMonkey and it didn't help. Maybe some JavaScript that isn't supported or last time this happened, the SeaMonkey newsgroup blamed it on using WebGL, which SeaMonkey doesn't support.
Haven't tested something like the newest Chromium which should support the latest JavaScript. They might even be testing DRM support, I'm not an expert.

Re:Operation: Impersonation

[dryeo]

Replying to myself as anonymous coward as I'm trying a different browser, Dooble. Slashdot doesn't do the Cloudflare thing until I try to log in. Kind of surprised that I seem to be able to post as ac.
Actually it didn't allow it, failed with anonymous posting not allowed when I pressed preview but gave me an alternate login page that didn't invoke Cloudflare.

Re:

[Kyogreex]

SeaMonkey not supporting WebGL isn't Cloudflare's fault. SeaMonkey being blocked by Cloudflare because it doesn't support WebGL and therefore fails their fingerprinting is Cloudflare's fault.

I'm glad it's not me...

[sizzlinkitty]

I thought I was losing my mind recently, like every site giving me a captcha, so much so I wouldn't even bother solving it or going to that site. I run mostly Firefox ESR but am starting to use Librewolf. Cloudflare is becoming a cancer I'm afraid...

Palemoon user here...

[sinij]

Palemoon maintainer, Moonchild, rejected NoScript add-on and even put it on a warn list. Guess what? NoScript stops this Cloudflare bullshit.You need to have precise control over JS, it isn't all or nothing.

Re:

[dryeo]

Is there a recipe to use noscript to block cloudflare because all it does here is leave you on the 1st page that says to enable JS and cookies.

Posting from Falkon

[HiThere]

There was a checkbox saying "confirm that you are human", but no delay after I checked it.

Blame the bad actors, not CloudFlare.

[tlhIngan]

All CloudFlare is doing is fingerprinting users to determine how "good" or "bad" they are.

They notice what kind of traffic hits the sites they protect. If a lot of bad traffic comes from a particularly IP, that IP gets put on a blacklist for extra scrutiny.

And there are a lot of bad actors out there - which means CloudFlare gets hit with bad traffic the moment a new Tor exit node opens up, or a new VPN server runs, or anything else. The people doing a DDoS using Tor or VPNs are causing CloudFlare to lock down that sort of traffic.

If oddball browsers are causing the same thing, then maybe those browser vendors need to lock down their use of those browsers. Because obviously CloudFlare sees more bad actors using those browsers than legitimate traffic.

You don't have to do anything. It's just in the analytics - if more people using Pale Moon are trying to hack the site, then you're going to target Pale Moon users as more likely to be troublemakers and challenge them more often.

It's simple behavioural analysis. If people are trying to hack websites come from an IP, you limit access from that IP. It's just the same when you block say, China from accessing your SSH server. If all the hacking attacks come from those places, you limit the access.

Of course, CloudFlare has the added problem in that sometimes you do have legitimate traffic, so you can't block all site access. But you need a way to discriminate between legitimate traffic and traffic that is just there to cause problems.

It's nothing personal, it's just the way it is. It's why VPN users get checked more frequently, why Tor users get it constantly, and why obscure browser users suffer. Because more often than not, bad traffic uses Tor, or VPNs, or obscure browsers.

If Pale Moon started spoofing itself as Firefox, it probably would work unless the percentage of Pale Moon users is high enough that it suddenly makes Firefox traffic suspect because suddenly it looks like a lot more Firefox users are using it to hack websites.

You want to eliminate the checks? Make it so legitimate traffic is what comes out of your VPN or tor node or browser.

Re:

[Bert64]

Pretty much this. What exacerbates the situation for niche browsers is that they are generally trying to block the type of tracking cloudflare (and others) will use to differentiate users.

The notion that "bad" traffic uses obscure browsers is wrong, malicious traffic generally tries to masquerade as the most common browsers.

If you're coming from a shared address (CGNAT, VPN etc) *and* you're using a browser which blocks tracking they have no way to tell you apart from other users including malicious ones.

I

More browsers

[sgunhouse]

Unless you just classify them as " unGoogled Chromium", there are multiple users of both Opera and Vivaldi reporting this issue. Strangely, it doesn't effect me personally in either browser, but I suppose that just proves how inconsistent their test is.

This is a stunning display of incompetence

[Arrogant-Bastard]

And everyone who's paying Cloudflare should be appalled by it. It's not a DoS defense at all; it's the equivalent of trying to stop armed robbieries of banks by not allowing people with blue shirts to enter the building. It's utterly stupid.

Techniques for dealing with DoS attacks are well-known, well-documented, and have NOTHING to do with the user-agent sending HTTPS requests -- because of course any competent attacker can easily cause their attacking software to impersonate any browser (and they often

Stock Firefox

[darkain]

In the past six weeks, I've also noticed a massive uptick in getting hit by these blocks with stock Firefox while attempting to load Cloudflare "protected" web sites. CF is just off the hook entirely, trying to destroy the internet as we know it, I guess?