Comment by nikkwong

1 year ago

Yesterday I was attempting to buy a product on a small retailer's website—as soon as I hit the "add to cart" button I got a message from Cloudflare: "Sorry, you have been blocked". My only recourse was to message the owner of the domain asking them to unblock me. Of course, I didn't, and decided to buy the product elsewhere. I wasn't doing anything suspicious; using Arc on an M1 MBP, normal browsing habits.

Not sure if this problem is common, but I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures. I would hope the cost to retailers is trivial in this case; I guess the upside of blocking automated traffic can be quite great.

Just checked again and I'm still blocked on the website. Hopefully this kind of thing gets sorted out.

> I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures.

The problem is that all these Cloudflare forensics-based throttling and blocking efforts don't hurt sales figures.

The number of legitimate users running Arc is a rounding error. Arc browser users often come to Cloudflare without third-party tracking and without cookies, which is weird and therefore suspicious - you look an awful lot like a freshly instantiated headless browser, in contrast to the vast majority of legitimate users who are carrying around a ton of tracking data. And by blocking cookies and ads, you wouldn't even be attributable in most of the stats if they did let you in.

It would be like kicking anyone wearing dark sunglasses out of a physical store: sure, burglars are likely to want to hide their eyes. Retail shrink is something like 1.5% of inventory, while blind users are <0.5% of the population. It would violate the ADA (and basic ethics) to prohibit all blind shoppers, so in the real world we've decided that it's not legal to discriminate on this basis even if it would be a net positive for your financials.

The web is a nearly unregulated open ocean; Cloudflare can effectively block anyone for any reason, and they don't have much incentive to show compassion to legitimate users that end up as bycatch in their trawl nets.

  • Something tells me that if you asked the store owner that the poster tried to give money to, they'd be furious at cloudflare for stopping the transaction.

    • Yeah maybe if you somehow managed to email them without their email provider stopping that email from reaching them…

  • What about all false positives in aggregate?

    The problem is site owners do not know - it just adds to the number of blocked threats in cloudflare's reassuring emails.

    • It is difficult to gauge the size of the Cloudflare effect if the usage statistics the site owner is collecting are also not collected for those undesirables.

  • The number of legitimate users on "not chrome, edge, safari, or firefox" is about 10% of the browser market. I don't know about you, but if I'm running a shop, and the whole point of my website is to make sales, but my front door is preventing 10% of those sales? That door is getting replaced.

    • You don't think the people actually running the shops, whose income depends on the shop, have thought of that and thus there exists a downside that more than offsets the upside?

      2 replies →

    • Then you get burglars in your shop instead of legitimate customers.

      User Agents look the way they do because this is a recurring issue.

      A browser without network effects gets blocked, they look for a way to bypass the blocking, then they become mainstream and now the de-facto UA is larger than before.

      1 reply →

    • If you were running a shop, you would realize that nearly 100% of the fraud is "not chrome, edge, safari, or firefox".

      It's unfortunate, yes, but that's what drives the threat signatures.

      1 reply →

    • Why would you assume that the 10% of non standard browsers are going to buy anything?

      Demographic is important here. If I was running a shop that sold software for Linux users, sure. If I'm running a store that sells pretty much anything else? I'm not caring.

      2 replies →

    • > That door is getting replaced.

      Sure. If there was another place to buy a better door at. But if that door manufacturer's the only one that makes doors, if the door installer and door technicians all tell you that they can't or won't make another door for you, then you just deal. Maybe crank up the prices a bit to try to mitigate your 10% shortfalls.

      The place where a business looks at that problem and sees money being left on the table that it can't live without and that it has no other way of making up for... that is a very narrow stretch, and only very marginal businesses live there.

Vendors who block iCloud Relay are the worst. I'm sure they don't even know they're doing it. But some significant percentage of Apple users -- and you'd have to think it's only gonna grow -- comes from those IP address ranges.

Bad business, guys. You gotta find another way. Blocking IP addresses is o-ver.

  • > Bad business, guys. You gotta find another way. Blocking IP addresses is o-ver.

    No, it's still the front line. And likely always will be. It's the only client identifier bots can't lie about (or nearly the only one).

    At $OLDJOB, ASN reputation was the single best predictor of traffic hostility. We were usually smart enough to know which we can or can't block outright. But it's an insane take to say network-based blocking is over... especially on a thread about some vendor blocking benign users because of the user-agent.

    • Blocking based on ASN has never and should never be the frontline. It's the illusion of increased security with little actual impact. The bad guys are everywhere and if blocking an ASN has an improvement on your actual breaches then your security is total crap and always will be until you start doing the right things.

  • This would be weird, esp. given that Cloudflare is one of the vendors who act as exit nodes for iCloud Relay.

    • I believe your parent comment means when the target website blocks, not Cloudflare.

      YouTube is a perfect example. Using iCloud Private Relay can now frequently get you labelled as a bot, which stops you from watching videos until you log in.

      5 replies →

    • I don't think that's weird. That's what I would want from an honest vendor who is involved in both services - block anonymization/obfuscation users if I'm paying you to block them. Apple/Cloudflare don't sell/support iCloud Relay as a service that is guaranteed to get you treated nicely by the parties on the other end, so they're not being deceptive with that part either.

      What I'd worry about is Cloudflare using their knowledge of their VPN clients to allow services behind their attack protection to treat those clients better, because maybe they're leaking client info to the protected services.

      Not that I think Cloudflare/Apple/etc. are supremely noble/honest/moral, or that it's good that semi-anonymous connections are treated so badly by default; this juxtaposition just doesn't seem like a problem to me.

      EDIT: OK, I back off of this position somewhat. Apple's marketing of iCloud Relay might allow users to believe it's more prestigious and reputable than a VPN/Tor. They do have fine print explaining that you might be treated badly by the remote services, but it's, you know, fine print, and Apple knows that they have a reputation for class and legitimacy.

      1 reply →

  • I’ve noticed wifi at coffee shops, etc. have started blocking it too.

    I need to disable it for one of my internal networks (because I have DNS overrides that go to 192.168.0.x), or I’d wish they’d just make it mandatory for iPhones and put an end to such shenanigans.

    Apple could make it a bit more configurable for power users, and then flip the “always on” nuclear option switch.

    Either that, or they could add a “workaround oppressive regimes” toggle that’d probably be disabled in China, but hey, I’m in the US, so whatever.

    Edit: I also agree that blocking / geolocating IP addresses is a big anti-pattern these days. Many ISPs use CGNAT. For instance, all Starlink traffic from the south half of the west coast appears to come from LA.

    As a result, some apps have started hell-banning my phone every time I drive to work because they see me teleport hundreds of miles in 10 minutes every morning. (And both of my two IPs probably have hundreds of concurrent users at any given time. I’m sure some of them are doing something naughty.)

  • Wait, this comment made me aware of the existence of iCloud Relay. Apple built their own Tor only for Apple users? Why would they do that? Why not use Tor???

  • Well, it's primarily because the security vendors for, say, WAFs and other tools list these IPs in the "Anonymizers" or "VPN" category, and most typically these are blocked, as seldom do you see legitimate traffic originating from these to your storefront or accounts pages. Another vendor we use lists these under "hacking tools". So your option as a security professional is to express to your risk management team that we allow "hacking tools" or lose iCloud Relay customers. Which way do you think they steer? In alternative cases a site may use a vendor for their cart/checkout page and don't even have control over these blocks, as they are also blocking "hacking tools" or "anonymizers" from hitting their checkout pages.

    • > So your option as a security professional is to express to your risk management team we allow "hacking tools" or lose iCloud Relay customers

      A professional would explain how the vendor is being lazy and making a mistake there because they don't understand your business.

      Depending on the flavor of security professional (hacker), they might also subtly suggest that this vendor is dumb and should be embarrassed they've made this mistake, thus creating the implication that if you still want to block these users you would also have to be an idiot.

      Under no circumstance would I ever allow anyone to get the mistaken impression that some vendor understands my job better than I do. As a "security professional" it's literally your job to identify hostile traffic, better than a vendor could.

    • Oh, I think we all know that the endgame is only allowing the approved web browser from the approved hardware. And getting on those lists will be made very expensive indeed...

    • Wait till you see how M365 does management around iCloud Relay; it makes it real fun troubleshooting suspicious login parameters...

To access any site protected by Cloudflare captcha I have to change browsers from Firefox to Chrome, and I have a basically default suite of addons (uBlock is the only one affecting the pages themselves).

VPN doesn't matter; I probably share an IP with someone "flagged" via ISP.

Every site, that is, except their Cloudflare dashboard.

  • I have come across several websites on which Cloudflare blocks my devices, whatever I use. No Captcha, just blocked. I tried a stock iPhone (Safari, no blockers, no VPN, no iCloud relay, both on wifi or 4G), and a Windows PC with Firefox, Chrome, or Edge, no luck. That includes a website of a local business so that can't be the country either.

    I have no idea why.

> Of course, I didn't, and decided to buy the product elsewhere

Consider messaging the owner to tell them you were trying to buy a product on their site and the site wouldn't let you. There's a chance that they'll care and be able to do something about it. But no chance if they don't know about the problem!

I think this is on Cloudflare. Perhaps there is a demand for such a service, but it is another to implement it. And this is very bad for a free and therefore safe net.

I don't even know which attack vectors an integrity check for a browser could help against. Against infected clients? It is in any way evidently not effective.

  • There is some political-philosophical irony that the Chinese prefer their government to do the blocking and take away their freedom, while the US prefers their monopolistic capitalistic corporate world to do it. A rose by any other name. Choose your friends carefully.

    • To trivialize totalitarian regimes that carry out terror against their own citizens, that can outright kill you and your whole family, by comparing them to the capitalistic corporate world where, in the worst case, you can simply choose another, less fancy option, is the height of madness.

      4 replies →

> using Arc on a M1 MBP; normal browsing habits.

Well, I've certainly never heard of this browser before and it still seems pretty young. I'd guess it's the same issue.

  • Arc is almost 3 (4?) years old and was the darling child of dev influencers for the better part of 2 years. It's not a niche browser, especially amongst devs that are likely to work at Cloudflare.

  • I'm still not sure how some random browser should result in a block by the provider. I don't think there's any security risk for the provider of the site by using an outdated browser. Blocking malicious IPs yes/maybe, blocking suspicious activity maybe. But because you have browser X - please not.

    This is going to lead to a two-class internet where new technologies will not emerge and big players will win because the gate is so absurdly high and random that people stop inventing.

Cloudflare doesn't report this to the site admins so they're just sitting there losing sales and thinking Cloudflare is doing a good job.

Same thing with Captchas. If I'm placing a food order or something and I'm presented with a Captcha 9 times out of 10 I just say "screw it."

Try clearing your cookies and disabling all extensions, if that still results in a block you can try a mobile hotspot. You're either failing some server side check (IP, TCP fingerprint, JA3 etc.) or a client side check of your browser integrity (generally this is tampered with by privacy focused extensions, anti-fingerprint settings etc.). It's not a "fix" but can at least give you an indication of why it is happening.

  • That's quite a lot to ask. Not OP, but I'm not doing all that just because someone else misconfigured their anti-DDoS, unless I really need to.

    • My intention was to explain how to identify what could be causing the issue, not to give any indication that I think this is acceptable. Unfortunately like you point out, sometimes you _really_ do have to deal with a website behind an over sensitive WAF, in which case the steps I provided can be helpful.

      1 reply →

  • I believe their point was that they have no desire to fix the issue if they can just look elsewhere, making it detrimental to the vendor more so than the end-user.

    • That's totally understandable and I don't blame them. However since they did state they hoped it would be resolved I thought they (or anyone in a similar situation) might at least want to know how to diagnose any potential cause that you have some control over.

  • I think it's unfair this comment has been flagged or downvoted or whatever. It's pragmatic information!

    The mobile hotspot thing... I have to do that to do anything involving Okta.

    For some frustrating reason my IPv4 address, which I pay extra to my ISP to have, has been blocklisted by Okta. A login flow failure in one of the apps work uses triggered my address getting banned indefinitely, is my best guess. My work's Okta admins don't really understand how to unblock me on their Okta tenancy, and Okta support just directs me back to my local admins (even though it's any Okta-using org I'm banned from logging into).

    I get that misuse/abuse detection has to do its thing, but it's so frustrating when there's basically zero way for a legitimate user from an IP to undo a ban. My only recourse is to do all my using of Okta from another IP.... If I was a legit spammer I wouldn't think twice about switching to another IP from my big pool, probably.

    • Thank you, I'm a bit surprised people took issue with my comment but I suppose I could have worded it better.

      As for your case, I wonder if Okta is relying on an external service like IPQS to get a score, that could explain why they don't really have any control over it.

      1 reply →
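The server-side checks the comment above lists (IP, TCP fingerprint, JA3) are opaque from the browser's side, but JA3 itself is a documented, deterministic algorithm, and seeing it written out makes clear why a less common browser build can be treated as "unknown" and therefore suspect. The following Python is an added example, not code from this thread, from Cloudflare or from any vendor named here: it builds the JA3 string from the ClientHello fields (TLS version, cipher suites, extensions, elliptic curves, point formats), strips GREASE values as JA3 specifies, hashes the result, and looks it up in an allowlist. The ClientHello parameter sets and the allowlist are constructed for the example, not captured from real browsers.

```python
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. Browsers inject a
# random one per connection, so JA3 drops them to keep fingerprints stable.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 text form: version,ciphers,extensions,curves,formats.
    Each list is joined with '-' after GREASE values are removed."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint: MD5 of the JA3 string. MD5 serves as a short
    identifier here, not as a security primitive."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello parameter sets (not real browser captures).
# 'mainstream' is a client the site has seen many times; 'mainstream_grease'
# is the same client on a later connection with different GREASE values;
# 'rare' is a less common build that orders its extensions differently.
HELLOS = {
    "mainstream": dict(version=771, ciphers=[0x0A0A, 4865, 4866, 4867, 49195],
                       extensions=[0x1A1A, 0, 23, 65281, 10, 11],
                       curves=[0x2A2A, 29, 23, 24], point_formats=[0]),
    "mainstream_grease": dict(version=771, ciphers=[0x7A7A, 4865, 4866, 4867, 49195],
                              extensions=[0xFAFA, 0, 23, 65281, 10, 11],
                              curves=[0x9A9A, 29, 23, 24], point_formats=[0]),
    "rare": dict(version=771, ciphers=[4865, 4866, 4867, 49195],
                 extensions=[0, 23, 10, 11, 65281],
                 curves=[29, 23, 24], point_formats=[0]),
}

# Constructed allowlist: only fingerprints the operator has labelled as browsers.
KNOWN_BROWSERS = {ja3_hash(**HELLOS["mainstream"])}


def classify(hello, known):
    """Return 'known' if the fingerprint is in the allowlist, else 'unknown'.
    The fingerprint alone cannot distinguish a rare legitimate browser from a
    headless client; the quality of the allowlist decides the false positives."""
    return "known" if ja3_hash(**hello) in known else "unknown"


if __name__ == "__main__":
    for name, hello in HELLOS.items():
        print(f"{name:18s} {ja3_string(**hello):50s} "
              f"{ja3_hash(**hello)} {classify(hello, KNOWN_BROWSERS)}")
```

Running it shows the GREASE-carrying hello and its later connection hashing to the same value, while the rare build, which negotiates the very same cipher suites in a different extension order, gets a different hash and falls out of the allowlist. That is the practical point for a site owner: the false positive lives in the allowlist table, not in the hashing step, so the remedy is reviewing what the vendor has labelled as a browser rather than asking users to change clients. In a real deployment these fields are parsed from the ClientHello on the wire; only the hashing and lookup are shown here.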

You should really take the few minutes to email them and let them know that's happening. It's not their fault Cloudflare is awful.

If the purpose of Cloudflare is to block bots and allow humans in, then they fail miserably at their job. What they're doing instead can be summarized in one word: DISCRIMINATION. Welcome to the age of internet apartheid.

  • They are so successful in blocking noob scrapers that an entire industry is blooming around professional web scraping services.

Were you on a VPN?

  • Some vendors are just weird... I'm always getting blocked by Etsy with Firefox after the first navigation on their site. It shows me a puzzle to solve and then, after solving the puzzle correctly (read "Success"), redirects me to "You have been blocked". It works with Chrome-based browsers though, but that doesn't make me want to use the website at all.

    No VPN, just good privacy settings in my case.

    • While looking at a flight price on sas.dk I had to disable Firefox's built-in enhanced tracking protection.

      It seems excessive to not allow at least a single query in this situation.

      I had the same with a newspaper which I subscribe to. They shouldn't be tracking me, and don't show adverts to subscribers. In this case I wrote to their support person, who told me not to block the tracking.

    • > just good privacy settings in my case.

      You are blocking the trackers and damaging the revenue model.