Comment by ranger_danger
16 hours ago
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
Why not just change your user agent string?
Because the site can compare the user agent with navigator.platform, which your browser fills with great care.
1 reply →
It probably fingerprints the browser via TLS fingerprinting.
That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version.
Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs.
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be.
Yes, I have even seen mobile android games that include notices about a BrightData SDK or HolaVPN etc. where their idle bandwidth is resold.
Does the app function as a proxy? I always assumed that wasn’t possible.
1 reply →
Honest question: Is there anything scary about this apart from lowering your ISP's reputation score?
Yes. What if your connection is used for illegal activity?
It's not only IP but entire browser stack is being fingerprinted: Javascript, http, tls - everything. I've been living in the SEA region on Linux firefox for the last 10 years and the web has been miserable due to cloudflare and recaptcha
This is why I ended up paying extra for a static IP from my ISP. While they always provided me with a public IP outside a CGNAT, I guess whole IP blocks were being targeted by these web security providers.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
Turnstile feels bad as a user. Every site that I’ve seen it long will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops.
Oh man I feel you. I turn my VPN off on certain sites due to the captcha loop.
I have not been able to visit AliExpress for months now. Just an endless reCAPTCHA loop.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
> I just take my business elsewhere...
Mars? /i
Wouldn't a 1£ Linux VM as Wireguard access point suffice?
Nope, I have tried. Just as suspicious to them if not moreso because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.
whenever I can't access a website for various stupid blocks
I fire up cloudflare warp and walk right through it
use wireguard with wgcf in environments without cloudflare client
yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden
You sir seem to have solved a problem many people here have.
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system.
2 replies →
the fact that this works, as well as cloudflare having a literal web scraping tool available as another product honestly makes my blood boil.