Tell HN: Cloudflare Is Blocking Firefox Forks Waterfox Classic and Pale Moon
109 points by kasabali | 2022-05-09 13:25:13 | 53 comments

Users of Waterfox Classic and Pale Moon browsers have been reporting that they're stuck in an infinite loop of Cloudflare's infamous "checking your browser" screen and can't access web sites that enabled Cloudflare's browser integrity check feature.

Ghacks' post [1] has a good summary of related links and an active discussion in the comments section, though the "protection" got more strict in the meantime, thus the mentioned workaround isn't effective anymore.

Some users have posted at the Cloudflare community forum to no avail, and Cloudflare support is only available to paid customers. Visitors are told to contact the respective web site owners, and forum threads are locked quickly.

Let me be clear, this is not a case of a web site owner deciding to use a recent feature that's not supported by these browsers. That'd be between visitors and owners of that web site, and completely understandable.

This is a serious issue. A 3rd party corporation is deliberately deciding which browsers are legitimate and which are not. They prevent users of these browsers from accessing millions of websites with a flip of a switch. There's no transparency and no accountability to their actions.

I hope this issue will be heard, fixed and never be repeated again.

[1] https://www.ghacks.net/2022/05/05/fix-pale-moon-browser-not-passing-cloudflares-checking-your-browser-verification/

Other links: https://github.com/WaterfoxCo/Waterfox-Classic/issues/107



> Cloudflare's browser integrity check feature.

WTF does that even mean?!?? What "integrity" is Cloudflare checking? Who are they to dictate what browsers are permitted to access websites or not? Half of the point of the Web is UserAgent independence and the idea that you don't need some "special" client to access resources. This seems to fly in the face of that? Am I missing something?


Well, it's a feature that Cloudflare provides that website operators are using. So your issue seems like it should be with websites that use Cloudflare.

"Who do the operators of this website think they are trying to control who can access the service?" doesn't seem very damning to me.


> Well, it's a feature that Cloudflare provides that website operators are using. So your issue seems like it should be with websites that use Cloudflare.

I don't use Cloudflare, so I'm not familiar with how that works. Thanks for the additional explanation.

> "Who do the operators of this website think they are trying to control who can access the service?" doesn't seem very damning to me.

No. Although I wonder how many people have this turned on and who don't really understand the implications of same? Hmm...


Cloudflare UI lets you pick between levels of protection.

By default I don't think it shows the interstitial "checking your browser" page. But if you pick the "I'm under attack" option, it dishes that page out freely. Popular services that experience a lot of abuse seem to stay with that option.

Though everything I've built in the gaming/gambling niche seems to attract abuse no matter how small the service is. It's pretty frustrating when your weekend project can't run on a $5 VPS because someone is keeping it offline for the lulz. I totally understand why people default to Cloudflare + "I'm under attack" mode, and I don't think it's Cloudflare's nor the website operator's fault. I think here it's useful to temper our ire with the reason people use DDoS protection.


You don't need to stay in that noise. CF is pretty decent with detecting DDoS on its own and switching on temporary protection as needed. (Not every time, not often enough)

Note they're also not the only game in town. You can use less crappy/evil providers instead.


Who else would you recommend? (Genuine question)

Fastly, GcoreLabs, Akamai, you may also have other built-in options available from your hosting provider.

Can't edit the previous comment now, but it should say "you don't need to stay in that mode".


I seriously doubt this is intentional. It sounds like a bug. I use FF with privacy protection set to strict and a couple of ad/tracking blocking plugins (uBlock Origin, DDG). I run into similar redirect bugs fairly often, but the same sites will work with everything disabled. I'm leaning towards Waterfox and Pale Moon enabling some security/privacy features by default that vanilla FF doesn't, causing a redirect doom loop. If I understand OP's post correctly, it doesn't seem like these browsers are receiving a message saying they were blocked but getting stuck on the page.

It's unintentional that it messes up so badly that you realize how pervasive and perverse it is. But its actual mechanism of action is entirely intentional.

> It sounds like a bug.

Yeah, from subsequent posts (including by CF employees) it sounds like that is indeed the case. That's heartening to hear. It would have been rather disappointing to think that they are outright blocking "non mainstream" browsers or something.


> WTF does that even mean?!?? What "integrity" is Cloudflare checking? Who are they to dictate what browsers are permitted to access websites or not?

If I'm a paying customer of Cloudflare, and I pay them to not only deliver my content to human users through Cloudflare's CDN but also ensure my content is not a target of DDOS, I expect and pay them to "dictate what browsers are permitted to access" my website.

I'd hate to have to pay up a hefty bill just because some random guy online whipped up a webscraping script to download huge volumes of data from my site.


> but also ensure my content is not a target of DDOS, I expect and pay them to "dictate what browsers are permitted to access" my website.

But those two issues are orthogonal. Assuming a non-DDOS scenario, do you really want to keep users or specific browsers out just because of their choice of browser?

Anyway, the update from CF seems to clarify that they aren't just blindly blocking specific User Agents for the most part, which strikes me as a Good Thing.


> But those two issues are orthogonal. Assuming a non-DDOS scenario, do you really want to keep users or specific browsers out just because of their choice of browser?

Yes, yes I want to prevent whole classes of user agents from downloading my content. I'm talking about user agents such as python scripts. Those clearly reflect traffic not from real users, and potentially malicious, and it makes absolutely no sense to fulfill the requests, let alone pay for it.


Sure, that makes sense. I was only speaking in terms of actual browsers.

I hope there is a way for Firefox forks to spoof Cloudflare into thinking they are the original Firefox browser. It would be useful in case Cloudflare doesn't do anything to resolve this issue.

> This is a serious issue. A 3rd party corporation is deliberately deciding which browsers are legitimate and which are not.

This seems a bit hysterical in the face of a bug.


Yeah, he really messed up by jumping to conclusions. Pretty awkward with the confident wording.

> A 3rd party corporation is deliberately deciding which browsers are legitimate and which are not. They prevent users of these browsers from accessing millions of websites with a flip of a switch. There's no transparency and no accountability to their actions.

Yes. Private monopolies/oligopolies are bad. They're literally a threat to civilization. We already realized that monarchies are bad because they centralize (judicial) power into unelected, opaque bodies controlled by a single person, and now we've done the same through the private sector.

This is not something to solve by begging Cloudflare to be reasonable. You need to lobby to break up oligopolies.


Individuals don’t really have lobbying power. It’d be great if we could solve problems like this comprehensively with legislation, but in the meantime shaming a company into doing the right thing is perhaps all that a small but vocal group of people really can do right now.

Perfect is the enemy of the good, especially in this case.


How can you shame Cloudflare in this case? This is a very niche issue that non-technical people won't even care about. I don't even think people should be using Waterfox or Pale Moon -- it's the enormous power that Cloudflare holds that bothers me. And it's in their best interest (i.e. the interests of their owners) to do things like this.

"Corporations are too powerful" is a much more popular position than "Cloudflare shouldn't block certain browser," which means that adding your voice -- by donating, voting selectively, and/or calling officials -- is a better bet than trying to get people to care about this.


> How can you shame Cloudflare in this case? This is a very niche issue that non-technical people won't even care about

Shame doesn't have to be seen by everyone to work, just by those they rely on. In this case, technical people who are responsible for choosing to adopt Cloudflare in companies come to regard it badly, and discourage its use in the future or switch to competitors. Cloudflare is now motivated to change.


Get some people together and build something for people that don't want to use Cloudflare for their hosting.

I don't want any individual to have strong lobbying power.


+1 for more competition

You want us to ask a government, an absolute monopoly sustained by force, to break up Cloudflare in the name of opposing monopolies/oligopolies? Despite the fact that Cloudflare only has power to the extent individual website owners voluntarily choose to use them? That doesn't make any sense.

This feels like the perfect place for the thinking guy meme...

Write a website that has strong cross browser compatibility.

Block all browsers but the one I test with.


If you care about your users, don't use Cloudflare.

As long as your users don't mind that your site isn't working due to a DDoS attack.

I've sent a note to the team internally asking them to address this.

I'm a product manager at Cloudflare. Thanks very much for posting this here.

This looks like a bug with our "Managed Challenge" security action that's causing the loop. This feature attempts to determine browser versus non-browser traffic and block non-browsers. The fact that the challenge is currently not working for Waterfox Classic and Pale Moon is not by intent, and we do not want to be in the business of saying one browser is more legitimate than another.

I see that the name of our Browser Integrity Check feature (which is not causing the block here) is drawing some attention. This is a feature that blocks malformed HTTP request headers, and user-agents commonly used by abusive bots (like user-agents with Java and Python in them). This is a pretty simple set of rules that also does not attempt to differentiate between browsers. Here's our KB article on the feature: https://support.cloudflare.com/hc/en-us/articles/200170086-U...

I'm sorry that this has caused a serious issue for quite a large number of users, and that we were not more reachable in our community forum. I'll provide a follow-up here when we have an update on the bug. Thank you again for taking the time to write this up!
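To illustrate the kind of coarse header-sanity rule the comment above describes (reject malformed header lines and user-agents that name a scripting runtime), here is an added example written for this page; it is not Cloudflare's code, the keyword list and the sample requests are constructed, and the point is that such a rule never looks at which browser sent the request, so a Waterfox user-agent passes exactly like Firefox's.

```python
import re

# RFC 7230 "token" characters allowed in a header field name; anything else is malformed.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Constructed keyword list in the spirit of the feature described in the thread
# (user-agents "with Java and Python in them"); not Cloudflare's actual rule set.
_BOT_UA_KEYWORDS = ("java", "python")


def parse_headers(raw):
    """Parse a raw HTTP/1.1 request; return (request_line, headers) or raise ValueError."""
    lines = raw.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        if ":" not in line:
            raise ValueError("header line without colon: %r" % line)
        name, value = line.split(":", 1)
        if not _TOKEN.match(name):
            raise ValueError("illegal header name: %r" % name)
        headers[name.lower()] = value.strip()
    return request_line, headers


def integrity_check(raw):
    """Return (allowed, reason). A header-sanity rule, not a browser fingerprint."""
    try:
        _, headers = parse_headers(raw)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    if "host" not in headers:
        return False, "malformed: missing Host header"
    ua = headers.get("user-agent", "")
    if not ua:
        return False, "missing User-Agent"
    lowered = ua.lower()
    for kw in _BOT_UA_KEYWORDS:
        if kw in lowered:
            return False, "bot-like User-Agent keyword: %s" % kw
    return True, "ok"


# Constructed sample requests (hypothetical host, illustrative user-agent strings).
WATERFOX_REQUEST = ("GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 "
                    "(Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 "
                    "Firefox/56.0 Waterfox/56.3\r\n\r\n")
PYTHON_REQUEST = "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: python-requests/2.27.1\r\n\r\n"
MALFORMED_REQUEST = "GET / HTTP/1.1\r\nHost: example.com\r\nBad Header: x\r\nUser-Agent: curl/7.0\r\n\r\n"
```

Run `integrity_check()` on each constant: the Waterfox request is allowed, the Python one is rejected on the keyword, and the third is rejected because a field name containing a space is not a valid token, regardless of its user-agent.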


This is your community forum.

No, but really, this is a good post; doesn't mean there aren't consequences.


Thank you very much for your response.

I'm sorry if my post came off as accusing Cloudflare of malice, it was never my intention. I was rather worried about negligence on supporting these older codebases, and I'm relieved to hear Cloudflare is on top of this bug.


No apologies necessary! It did not, and I appreciate you bringing it up.

Same issue in FF v56, which is old, but from which WF and PM share code. Please, keep a method for old browsers to pass Managed Challenge.

Genuine question, why would you still use Firefox v56 in 2022? Isn't that a massive security issue?

Because it's the last one that runs on Windows XP, if I remember correctly.

Why would you use Windows XP on an Internet connected PC?

Hardware firewalls provide some protection against the kinds of threats XP faces. More to answer your question; I'm running the latest available versions of Windows 10. I sometimes use FF 56 for its consistency in behavior, XPI addon support (NoScript and uBlock still function), customizable UI, and for critical tasks (banking (affected by the Cloudflare problem)). I use FF 90+ for daily driving, and I despise it.

Because the machine is connected but doesn't use the internet.

It's for accounting purposes only, making invoices. It's probably used for an hour or two per month at most.


How is Cloudflare DDOS protection in your internal networks, such that them not supporting that version of XP is a problem?

For me it isn't a problem, because as I said the machine isn't used for browsing.

To be honest, I have a friend who has a small furniture manufacturing business. They have a CNC machine with Windows 98.


It's only a security issue if you don't know what you're doing.

> we do not want to be in the business of saying one browser is more legitimate than another

This is essentially what you do by necessity when attempting to block bots through browser checks, as bots are just unmanned browsers. This is bound to keep happening, especially with regards to more obscure browsers few people report on.



Thanks, I've tried 2 web sites with Waterfox Classic and the redirection works OK now (it wasn't earlier today).

This fix is now live to all Cloudflare locations.

Don't know what you and your team did, but the problem is resolved for me. I am able to visit the site that I got stuck at the "checking your browser" loop on previously. I thank anyone who still supports older browsers.

"Never attribute to malice that which can be adequately explained by stupidity."

This is a bug, so:

"Never attribute to malice that which can be adequately explained by a bug".


"To the person receiving the pointy end of the stick, malice and stupidity look identical."

Quite interesting that Cloudflare responded suddenly after a post in here was done. Coincidence or plans screwed up? A person called ArktiswolfRH wrote this in here:

https://community.cloudflare.com/t/locked-threads-without-a-...

Wondering how many millions of Dollars Cloudflare receives for supporting this https://www.cloudflare.com/integrations/google-cloud/#cdn-in...

and even more for advertising Google Chrome with monopolistic anti-competitive browser locks over this “integrity/security check”

