Comment by mindcrime

4 years ago

Cloudflare's browser integrity check feature.

WTF does that even mean?!?? What "integrity" is Cloudflare checking? Who are they to dictate what browsers are permitted to access websites or not? Half of the point of the Web is UserAgent independence and the idea that you don't need some "special" client to access resources. This seems to fly in the face of that? Am I missing something?

> WTF does that even mean?!?? What "integrity" is Cloudflare checking? Who are they to dictate what browsers are permitted to access websites or not?

If I'm a paying customer of Cloudflare, and I pay them to not only deliver my content to human users through Cloudflare's CDN but also ensure my content is not a target of DDOS, I expect and pay them to "dictate what browsers are permitted to access" my website.

I'd hate to have to pay up a hefty bill just because some random guy online whipped up a webscraping script to download huge volumes of data from my site.

  • > but also ensure my content is not a target of DDOS, I expect and pay them to "dictate what browsers are permitted to access" my website.

    But those two issues are orthogonal. Assuming a non-DDOS scenario, do you really want to keep users or specific browsers out just because of their choice of browser?

    Anyway, the update from CF seems to clarify that they aren't just blindly blocking specific User Agents for the most part, which strikes me as a Good Thing.

    • > But those two issues are orthogonal. Assuming a non-DDOS scenario, do you really want to keep users or specific browsers out just because of their choice of browser?

      Yes, yes I want to prevent whole classes of user agents from downloading my content. I'm talking about user agents such as python scripts. Those clearly reflect traffic not from real users, and potentially malicious, and it makes absolutely no sense to fulfill the requests, let alone pay for it.

Well, it's a feature that Cloudflare provides that website operators are using. So your issue seems like it should be with websites that use Cloudflare.

"Who do the operators of this website think they are trying to control who can access the service?" doesn't seem very damning to me.

  • > Well, it's a feature that Cloudflare provides that website operators are using. So your issue seems like it should be with websites that use Cloudflare.

    I don't use Cloudflare, so I'm not familiar with how that works. Thanks for the additional explanation.

    > "Who do the operators of this website think they are trying to control who can access the service?" doesn't seem very damning to me.

    No. Although I wonder how many people have this turned on and who don't really understand the implications of same? Hmm...

    • Cloudflare UI lets you pick between levels of protection.

      By default I don't think it shows the interstitial "checking your browser" page. But if you pick the "I'm under attack" option, it dishes that page out freely. Popular services that experience a lot of abuse seem to stay with that option.

      Though everything I've built in the gaming/gambling niche seems to attract abuse no matter how small the service is. It's pretty frustrating when your weekend project can't run on a $5 VPS because someone is keeping it offline for the lulz. I totally understand why people default to Cloudflare + "I'm under attack" mode, and I don't think it's Cloudflare's nor the website operator's fault. I think here it's useful to temper our ire with the reason people use DDoS protection.

I seriously doubt this is intentional. It sounds like a bug. I use FF with privacy protection set to strict and a couple of ad/tracking blocking plugins (uBlock Origin, DDG). I run into similar redirect bugs fairly often, but the same sites will work with everything disabled. I'm leaning towards Waterfox and Pale Moon enabling some security/privacy features by default that vanilla FF doesn't, causing a redirect doom loop. If I understand OP's post correctly, it doesn't seem like these browsers are receiving a message saying they were blocked but getting stuck on the page.

  • It's unintentional that it messes up so badly that you realize how pervasive and perverse it is. But its actual mechanism of action is entirely intentional.

  • > It sounds like a bug.

    Yeah, from subsequent posts (including by CF employees) it sounds like that is indeed the case. That's heartening to hear. It would have been rather disappointing to think that they are outright blocking "non mainstream" browsers or something.