Tell HN: Cloudflare Is Blocking Firefox Forks Waterfox Classic and Pale Moon
Ghacks' post [1] has a good summary of related links and an active discussion at comments section, though the "protection" got more strict in the meantime thus the mentioned workaround isn't effective anymore.
Some users have posted at Clodflare community forum to no avail and Cloudflare support is only available to paid customers. Visitors are told to contact respective web site owners and forum threads are locked quickly.
Let me be clear, this is not a case of a web site owner deciding to use a recent feature that's not supported by these browsers. That'd between visitors and owners of that web site, and completely understandable.
This is a serious issue. A 3rd party corporation is deliberately deciding which browsers are legitimate and which are not. They prevent users of these browsers from accessing millions of websites with a flip of a switch. There's no transparency and no accountability to their actions.
I hope this issue will be heard, fixed and never be repeated again.
[1] https://www.ghacks.net/2022/05/05/fix-pale-moon-browser-not-passing-cloudflares-checking-your-browser-verification/
Other links: https://github.com/WaterfoxCo/Waterfox-Classic/issues/107
52 comments
[ 5.3 ms ] story [ 110 ms ] threadWTF does that even mean?!?? What "integrity" is Cloudflare checking? Who are they to dictate what browsers are permitted to access websites or not? Half of the point of the Web is UserAgent independence and the idea that you don't need some "special" client to access resources. This seems to fly in the face of that? Am I missing something?
"Who do the operators of this website think they are trying to control who can access the service?" doesn't seem very damning to me.
I don't use Cloudflare, so I'm not familiar with how that works. Thanks for the additional explanation.
"Who do the operators of this website think they are trying to control who can access the service?" doesn't seem very damning to me.
No. Although I wonder how many people have this turned on and who don't really understand the implications of same? Hmm...
By default I don't think it shows the interstitial "checking your browser" page. But if you pick the "I'm under attack" option, it dishes that page out freely. Popular services that experience a lot of abuse seem to stay with that option.
Though everything I've built in the gaming/gambling niche seems to attract abuse no matter how small the service is. It's pretty frustrating when your weekend project can't run on a $5 VPS because someone is keeping it offline for the lulz. I totally understand why people default to Cloudflare + "I'm under attack" mode, and I don't think it's Cloudflare's nor the website operator's fault. I think here it's useful to temper our ire with the reason people use DDoS protection.
Not they're also not the only game in town. You can use less crappy/evil providers instead.
Can't edit the previous comment now, but it should say "you don't need to stay in that mode".
Yeah, from subsequent posts (including by CF employees) it sounds like that is indeed that case. That's heartening to hear. It would have been rather disappointing to think that they are outright blocking "non mainstream" browsers or something.
If I'm a paying customer of Cloudflare, and I pay them to not only deliver my content to human users though Cloudflare's CDN but also ensure my content is not a target of DDOS, I expect and pay them to "dictate what browsers are permitted to access" my website.
I'd hate to have to pay up a hefty bill just because some random guy online whipped up a webscraping script to download huge volumes of data from my site.
But those two issues are orthogonal. Assuming a non-DDOS scenario, do you really want to keep users or specific browsers out just because of their choice of browser?
Anyway, the update from CF seems to clarify that they aren't just blindingly blocking specific User Agents for the most part, which strikes me as a Good Thing.
Yes, yes I want to prevent whole classes of user agents from downloading my content. I'm talking about user agents such as python scripts. Those clearly reflect traffic not from real users, and potentially malicious, and it makes absolutely no sense to fulfill the requests, let alone pay for it.
This seems a bit hysterical in the face of a bug.
Yes. Private monopolies/oligopolies are bad. They're literally a threat to civilization. We already realized that monarchies are bad because they centralize (judicial) power into unelected, opaque bodies controlled by a single person, and now we've done the same through the private sector.
This is not something to solve by begging Cloudflare to be reasonable. You need to lobby to break up oligopolies.
Perfect is the enemy of the good, especially in this case.
"Corporations are too powerful" is a much more popular position than "Cloudflare shouldn't block certain browser," which means that adding your voice -- by donating, voting selectively, and/or calling officials -- is a better bet than trying to get people to care about this.
shame doesn't have to be seen by everyone to work – just by those they rely on. In this case, technical people who are responsible for choosing to adopt cloudflare in companies come to regard it badly, and discourage its use in the future or switch to competitors. Cloudflare is now motivated to change.
I don't want any individual to have strong lobbying power.
Write a website that has strong cross browser compatibility.
Block all browsers but the one I test with.
This looks like a bug with our "Managed Challenge" security action that's causing the loop. This feature attempts to determine browser versus non-browser traffic and block non-browsers. The fact that the challenge is currently not working for Waterfox Classic and Pale Moon is not by intent, and we do not want to be in the business of saying one browser is more legitimate than another.
I see that the name of our Browser Integrity Check feature (which is not causing the block here) is drawing some attention. This is a feature that blocks malformed HTTP request headers, and user-agents commonly used by abusive bots (like user-agents with Java and Python in them). This is a pretty simple set of rules that also does not attempt to differentiate between browsers. Here's our KB article on the feature: https://support.cloudflare.com/hc/en-us/articles/200170086-U...
I'm sorry that this has caused a serious issue for quite a large number of users, and that we were not more reachable in our community forum. I'll provide a follow-up here when we have an update on the bug. Thank you again for taking the time to write this up!
no but really, this is a good post, doesn't mean there aren't consequences
I'm sorry if my post came off as accusing Cloudflare of malice, it was never my intention. I was rather worried about negligence on supporting these older codebases, and I'm relieved to hear Cloudflare is on top of this bug.
It's for accounting purposes only - making invoices. Probably for one month it's used for hour or two max.
To be honest i have friend of mine that have small furniture manufacturing. They have CNC machine with Windows98.
This is essentially what you do by necessity when attempting to block bots through browser checks, as bots are just unmanned browsers. This is bound to keep happening, especially with regards to more obscure browsers few people report on.
This is a bug, so:
"Never attribute to malice that which can be adequately explained by a bug".
https://community.cloudflare.com/t/locked-threads-without-a-...
Wondering how many millions of Dollars Cloudflare receives for supporting this https://www.cloudflare.com/integrations/google-cloud/#cdn-in...
and even more for advertising Google Chrome with monopolistic anti-competitive browser locks over this “integrity/security check”