Tell HN: Cloudflare Is Blocking Firefox Forks Waterfox Classic and Pale Moon

4 years ago

Users of Waterfox Classic and Pale Moon browsers have been reporting that they're stuck in an infinite loop of Cloudflare's infamous "checking your browser" screen and can't access web sites that enabled Cloudflare's browser integrity check feature.

Ghacks' post [1] has a good summary of related links and an active discussion in the comments section, though the "protection" got more strict in the meantime, thus the mentioned workaround isn't effective anymore.

Some users have posted at the Cloudflare community forum to no avail and Cloudflare support is only available to paid customers. Visitors are told to contact respective web site owners and forum threads are locked quickly.

Let me be clear, this is not a case of a web site owner deciding to use a recent feature that's not supported by these browsers. That'd be between visitors and owners of that web site, and completely understandable.

This is a serious issue. A 3rd party corporation is deliberately deciding which browsers are legitimate and which are not. They prevent users of these browsers from accessing millions of websites with a flip of a switch. There's no transparency and no accountability to their actions.

I hope this issue will be heard, fixed and never be repeated again.

[1] https://www.ghacks.net/2022/05/05/fix-pale-moon-browser-not-passing-cloudflares-checking-your-browser-verification/

Other links: https://github.com/WaterfoxCo/Waterfox-Classic/issues/107

I'm a product manager at Cloudflare. Thanks very much for posting this here.

This looks like a bug with our "Managed Challenge" security action that's causing the loop. This feature attempts to determine browser versus non-browser traffic and block non-browsers. The fact that the challenge is currently not working for Waterfox Classic and Pale Moon is not by intent, and we do not want to be in the business of saying one browser is more legitimate than another.

I see that the name of our Browser Integrity Check feature (which is not causing the block here) is drawing some attention. This is a feature that blocks malformed HTTP request headers, and user-agents commonly used by abusive bots (like user-agents with Java and Python in them). This is a pretty simple set of rules that also does not attempt to differentiate between browsers. Here's our KB article on the feature: https://support.cloudflare.com/hc/en-us/articles/200170086-U...

I'm sorry that this has caused a serious issue for quite a large number of users, and that we were not more reachable in our community forum. I'll provide a follow-up here when we have an update on the bug. Thank you again for taking the time to write this up!

  • Thank you very much for your response.

    I'm sorry if my post came off as accusing Cloudflare of malice, it was never my intention. I was rather worried about negligence on supporting these older codebases, and I'm relieved to hear Cloudflare is on top of this bug.

  • I am using Firefox 52, I can't upgrade to a newer browser without upgrading the OS and the computer system. I can't afford to upgrade my system. I am totally not a bot and have been trying to visit a site, getting stuck in the "checking your browser" loop. Any chance Cloudflare can accommodate this older browser?

  • Don't know what you and your team did but the problem is resolved for me, I am able to visit the site where I got stuck at the "checking your browser" loop previously. I thank anyone who still supports older browsers.

  • > we do not want to be in the business of saying one browser is more legitimate than another

    This is essentially what you do by necessity when attempting to block bots through browser checks, as bots are just unmanned browsers. This is bound to keep happening, especially with regards to more obscure browsers few people report on.

  • this is your community forum

    no but really, this is a good post, doesn't mean there aren't consequences

> A 3rd party corporation is deliberately deciding which browsers are legitimate and which are not. They prevent users of these browsers from accessing millions of websites with a flip of a switch. There's no transparency and no accountability to their actions.

Yes. Private monopolies/oligopolies are bad. They're literally a threat to civilization. We already realized that monarchies are bad because they centralize (judicial) power into unelected, opaque bodies controlled by a single person, and now we've done the same through the private sector.

This is not something to solve by begging Cloudflare to be reasonable. You need to lobby to break up oligopolies.

  • Individuals don’t really have lobbying power. It’d be great if we could solve problems like this comprehensively with legislation, but in the meantime shaming a company into doing the right thing is perhaps all that a small but vocal group of people really can do right now.

    Perfect is the enemy of the good, especially in this case.

    • How can you shame Cloudflare in this case? This is a very niche issue that non-technical people won't even care about. I don't even think people should be using Waterfox or Pale Moon -- it's the enormous power that Cloudflare holds that bothers me. And it's in their best interest (i.e. the interests of their owners) to do things like this.

      "Corporations are too powerful" is a much more popular position than "Cloudflare shouldn't block certain browser," which means that adding your voice -- by donating, voting selectively, and/or calling officials -- is a better bet than trying to get people to care about this.

    • Get some people together and build something for people that don't want to use Cloudflare for their hosting.

      I don't want any individual to have strong lobbying power.

  • You want us to ask a government, an absolute monopoly sustained by force, to break up Cloudflare in the name of opposing monopolies/oligopolies? Despite the fact that Cloudflare only has power to the extent individual website owners voluntarily choose to use them? That doesn't make any sense.

Quite interesting that Cloudflare responded suddenly after a post in here was done. Coincidence or plans screwed up? A person called ArktiswolfRH wrote this in here:

https://community.cloudflare.com/t/locked-threads-without-a-...

Wondering how many millions of Dollars Cloudflare receives for supporting this https://www.cloudflare.com/integrations/google-cloud/#cdn-in...

and even more for advertising Google Chrome with monopolistic anti-competitive browser locks over this “integrity/security check”

> Cloudflare's browser integrity check feature.

WTF does that even mean?!?? What "integrity" is Cloudflare checking? Who are they to dictate what browsers are permitted to access websites or not? Half of the point of the Web is UserAgent independence and the idea that you don't need some "special" client to access resources. This seems to fly in the face of that? Am I missing something?

  • > WTF does that even mean?!?? What "integrity" is Cloudflare checking? Who are they to dictate what browsers are permitted to access websites or not?

    If I'm a paying customer of Cloudflare, and I pay them to not only deliver my content to human users through Cloudflare's CDN but also ensure my content is not a target of DDOS, I expect and pay them to "dictate what browsers are permitted to access" my website.

    I'd hate to have to pay up a hefty bill just because some random guy online whipped up a webscraping script to download huge volumes of data from my site.

    • > but also ensure my content is not a target of DDOS, I expect and pay them to "dictate what browsers are permitted to access" my website.

      But those two issues are orthogonal. Assuming a non-DDOS scenario, do you really want to keep users or specific browsers out just because of their choice of browser?

      Anyway, the update from CF seems to clarify that they aren't just blindingly blocking specific User Agents for the most part, which strikes me as a Good Thing.

  • Well, it's a feature that Cloudflare provides that website operators are using. So your issue seems like it should be with websites that use Cloudflare.

    "Who do the operators of this website think they are trying to control who can access the service?" doesn't seem very damning to me.

    • > Well, it's a feature that Cloudflare provides that website operators are using. So your issue seems like it should be with websites that use Cloudflare.

      I don't use Cloudflare, so I'm not familiar with how that works. Thanks for the additional explanation.

      > "Who do the operators of this website think they are trying to control who can access the service?" doesn't seem very damning to me.

      No. Although I wonder how many people have this turned on and who don't really understand the implications of same? Hmm...

  • I seriously doubt this is intentional. It sounds like a bug. I use FF with privacy protection set to strict and a couple ad/tracking blocking plugins (uBlock Origin, DDG). I run into similar redirect bugs fairly often but the same sites will work with everything disabled. I'm leaning towards Waterfox and Pale Moon are enabling some security/privacy features by default that vanilla FF doesn't causing a redirect doom loop. If I understand OP's post correctly it doesn't seem like these browsers are receiving a message saying they were blocked but getting stuck on the page.

    • It's unintentional that it messes up so badly that you realize how pervasive and perverse it is. But its actual mechanism of action is entirely intentional.

    • > It sounds like a bug.

      Yeah, from subsequent posts (including by CF employees) it sounds like that is indeed the case. That's heartening to hear. It would have been rather disappointing to think that they are outright blocking "non mainstream" browsers or something.

> This is a serious issue. A 3rd party corporation is deliberately deciding which browsers are legitimate and which are not.

This seems a bit hysterical in the face of a bug.

  • Yeah he really messed up by jumping to conclusions. Pretty awkward with the confident wording.

"Never attribute to malice that which can be adequately explained by stupidity."

This is a bug, so:

"Never attribute to malice that which can be adequately explained by a bug".

  • "To the person receiving the pointy end of the stick, malice and stupidity look identical."

This feels like the perfect place for the thinking guy meme...

Write a website that has strong cross browser compatibility.

Block all browsers but the one I test with.

I hope there is a way for Firefox forks to spoof cloudflare to make them think it is the original Firefox browser. It would be useful in case Cloudflare don't do anything to resolve this issue.