Tell HN: Impassable Cloudflare challenges are ruining my browsing experience

523 points by blakeashleyjr ↗ HN
I travel often. Sometimes I use a VPN, sometimes I don't. I use a heavily customized Firefox config on Linux.

Cloudflare challenges have made large portions of the web unusable for me.

Some recent examples

  - The "unsubscribe" button in Indeed's job notification emails leads me to an impassable Cloudflare challenge. The "Contact Us" page is also behind an impassable Cloudflare challenge.
  - While migrating a non-profit off of A2 Hosting, their login forces me to re-enter credentials after failing a challenge, looping endlessly.
  - On a particularly ironic note, I tried to complain on the Cloudflare Forums—met with another impassable challenge.
When reachable, customer support always says "try a mobile data connection", "switch to Chrome", or some other variant of "too bad, so sad".

Is anyone else dealing with this mess?

311 comments

[ 4.7 ms ] story [ 295 ms ] thread
You're collateral damage in the web's war against bots :(

Unfortunately, I think the Cloudflare challenges are designed to filter out users similar to your profile... once you stray far enough from the norm, it just looks like a bot / suspicious traffic to them. Statistically there's not enough users like you (privacy-conscious Linux users on nonstandard browsers) for them to really care enough to do anything about it. Site owners don't care either since you're usually like 1-2% of users at most, and typically also the same ones who block ads, etc., so they don't mind blocking you... it's sad, but I don't think there is really anything you can do about it except conform. It's an ongoing arms race and you're caught in the middle.

While you hit the nail on the head, I am still surprised that so many tools targeted at people like me (web hosting, developer tools, etc.) are protected that way.
Its not only about protection, most web developers would use Cloudflare since its a free CDN and would increase the app load time considerably.
increase -> decrease
Except for those encountering that dreaded captcha.
You can separately configure (to a large degree) the caching vs protection features, though.
Because if such hosting and developer tools are not protected against bots, the tools end up used for phishing, spamming, etc.
They are not targeting people like you. Bots are the target. If you look like a bot, how are they going to distinguish?
> If you look like a bot, how are they going to distinguish?

Some non-existant system of attesting that I'm person X (possibly through an e-ID card) who has issued a client certificate Y (cert chain, using my e-ID cert to sign) to be used with my device Z (presumably with a device fingerprint or IP range attached to the cert). Of course, this would mean no privacy, but that's not that different from being signed in through Google as an identity provider, we'd just shift the mechanism to be universal (like client certs already are). One of the options that would take more coordination than will probably happen (though very similar to some e-signature solutions in EU, which we already use) but I could see using something like that for a variety of professional/service sites, since signing in with the e-ID card directly is already a thing on some sites here (government sites, banking sites, utilities sites).

Okay. Do that globally. And solve the ddos problem as you’re on it. If you add transparent tls termination, edge, caching, dns… maybe I’ll have a look!

I had a guy like that working with me. Blocked every possible tracker, disabled javascript, used some niche browser, proton mail, and then complains that google doesn’t allow him to sign in. I get it, privacy and what not. But the guy was an outlier.

Some random blogs, product pages aren’t gov, most likely have no way to opt-in for gov eID (maybe they aren’t based in the EU), and they only care that their service is available fast globally and that they get ddos protection for free (plus some other convenience features).

> Do that globally.

We already do a simpler version of that with TLS and HTTPS, there are globally trusted root certs that ship with most OSes and browsers. It's just that we haven't extended the same approach to client certs and identity verification, instead having a bunch of walled gardens and governments running legacy methods of figuring out who someone is, as opposed to various eID mechanisms.

If I trust news.ycombinator.com because I trust ISRG Root X1, I might similarly trust John Doe's iPhone because I trust the government of France's CA, as a hypothetical, as long as the certification chain is valid there.

It's a problem that's technically solvable (say, in 20-50 years), but won't get done because good luck getting a bunch of governments to collaborate on that across the world. It's actually a surprise that we have TLS in the first place.

We cannot get them to agree on cookie banners and you’re talking about something much more complicated.

Hey, by the way, would you trust some Chinese or Russian root certificate?

The question is irrelevant, frankly. Consider this: you’re living in Germany today. You trust the German government. They handle all your logins using that eID. What if in February AfD comes to power? Do you still trust the German government? Governments are formed by people. Different people have different interests.

> We cannot get them to agree on cookie banners and you’re talking about something much more complicated.

Another good example of something that’s technically feasible and not that complex, but was made infeasible due to either ignorance or malice, with all of the dark UI patterns and scummy behaviour.

> Hey, by the way, would you trust some Chinese or Russian root certificate?

Most people already do: https://chromium.googlesource.com/chromium/src/+/main/net/da...

For example:

  CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
  CN=GDCA TrustAUTH R5 ROOT,O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.,C=CN
  CN=UCA Global G2 Root,O=UniTrust,C=CN
  CN=UCA Extended Validation Root,O=UniTrust,C=CN
  CN=vTrus ECC Root CA,O=iTrusChina Co.,Ltd.,C=CN
  CN=vTrus Root CA,O=iTrusChina Co.,Ltd.,C=CN
If there’d be an issue of not wanting to support a certain country, then removing such a group of CAs from a store would be trivial for a particular service, same as with the above.

Plus, the opposite is also viable, if for example the Russian govt. wanted to allow anyone to verify whether particular requests come from their citizens, they might also run their own CA akin to https://www.bleepingcomputer.com/news/security/russia-create... except that the attack vector would change from MitM to fake identities being issued by them as needed (but since the server is the one doing the verification, it might as well drop the CA when desired).

> What if in February AfD comes to power?

Revoking the eID and anything dependent on it would be akin to your passport being taken away.

Essentially the modern day digital equivalent of getting your Google account banned by some bot, if you use that account for auth in a bunch of places.

Fundamentally, that’s no different from the reality that we already face - my regular eID could also be taken away if my own government felt like it, same as with my bank account and other assets.

Client certs themselves are nothing new, same for PKI. It’s a cool technology that could but presently cannot solve the problem of client identity globally, because we just can’t have nice things and order.

> Revoking the eID and anything dependent on it would be akin to your passport being taken away.

Is it? If my eID is used for logging in to my bank and said eID is revoked, I can no longer log in to my bank account. That’s completely different than a locked up passport.

> Essentially the modern day digital equivalent of getting your Google account banned by some bot, if you use that account for auth in a bunch of places.

Use a custom domain, don’t make your kingdom dependent on the gmail.com address.

I don’t know, for me the perfect amount of government oversight is “as little as possible”. There’s zero need for the government to mediate between me and my bank, or some random service provider on the internet.

What you’re describing sounds like a fun technical challenge assuming a perfect world. For example: who decides which countries’ certificates should be revoked? Who decides who is the rogue one? Even that is stretching it too far. Can I simply download a browser without some selected certificates? If the technology is so great, why isn’t it widely adopted today

Those are all rhetorical questions. You don’t have explain PKI to me.

> Is it?

Pretty much the same failure mode, just with different immediacy. No more travel, no more ability to start using new banking services, no more proving identity for becoming employed, pretty much anything that needs you to provide valid governmental ID (ID card or passport) and doesn't accept alternatives.

On the opposite end of that, both those services might accept something like a driver's license and the banking service might allow you to log in with their app, or a similar identity provider as a backup.

> There’s zero need for the government to mediate between me and my bank, or some random service provider on the internet.

Who else should we depend upon for verifying the identity of someone? Because currently it's a hodgepodge, especially when some places treat the equivalent of an SSN as a secret or have other half baked mechanisms, whereas in actuality it's a problem that's been solved far better, the same way how e-signatures work here when a single competent authority implements them well (certs on the e-ID card, you choose what to sign, but there's both data integrity and non-repudiation, a service that everyone integrates with and it is basically treated as a commonplace utility).

> What you’re describing sounds like a fun technical challenge assuming a perfect world. ...

Yeah, that's about it. Have a good one!

> If I trust news.ycombinator.com because I trust ISRG Root X1, I might similarly trust John Doe's iPhone because I trust the government of France's CA, as a hypothetical, as long as the certification chain is valid there.

There are a whole ton of privacy problems with this. I am happy to demonstrate anonymously that I am not a bot, but a random blogger does not need to know that I am John Doe, a citizen of France with national ID number 12345678.

Between what you described and having to run a vaguely standard browser config, I'll take the latter, thanks.
Ok, what does the venn diagram of:

1) People who anonymize their IP, use Linux, a browser with noscript, etc

2) People who are OK with having a government issued digital id and having to use it to access the internet

...look like, in your opinion?

Well, proof of having an ID can be done anonymously. Cloudflare even worked on a system for that kind of thing.
A non-citizen living in Germany without the German eID because they’re not a citizen. Their country of origin doesn’t have any of that. I guess they don’t exist in that setup? Seems like a steep hill to climb on to solve some random login with captcha problem.

Binding login interaction to some government issued id…who’s entitled here.

Sounds like throwing a baby out with the bathwater.

Then have them go through the captcha process that already exists
Yeah, this is at least being discussed now for eID. Getting it to a point where it is actually usable for everyone and trusted by everyone will not be easy though. But even in the best case, this would cover maybe 5-10% of internet users in 5 years. What do you do with the other 90% ?
(comment deleted)
Their problem. They are not entitled to make it other people's problem.
If I have a process that works for 95% of the people, why should I care about outliers who use Linux behind a VPN on a heavily customized version of Firefox?
Because they are standards compliant and you aren't, and you are legally required to provide an unsubscribe service or whatever without undue barriers around it.
For unsubscribe - yes.

Everything else - no.

But if I am using standards and they have an ad blocker that blocks some of the functioning of my site, am I also required to test my site against that?

> Everything else - no.

I'd include _everything_ important in the "yes" category. If I cannot access the customer panel to update settings or notify them of a bug that is affecting me because I'm using Firefox ("works for 95% of users"), they're just not keeping up their end of the contract.

Remember, 95% excludes everything but chromium/webkit-engines.

Every SaaS company I’ve worked for has had a compatibility matrix where we say what we support. If we lost customers who were running a highly customized Firefox on Linux, so be it.

Every company decides which customers are worth going after.

Yes, sure, but 5% includes stock firefox, zero modifications, zero plugins.

Might still be a business decision, but it's like saying "we'll drop any emails that indicate a mail client other than apple mail/gmail/outlook".

While not that strict, see how far you get hosting your own email as far as not being rejected or automatically classified as spam
And I'd include that as well: if your server rejects emails because of your spam-decisions, you can't claim "we've never received that email". Either you don't use email for any legally-binding communication ever, or spam-filtering is a you-problem, not an everyone-else-problem.

It's not surprising that the strongest protections always happen on the unsubscribe links, but not on the subscribe-links. That just needs to be fined out of existence, just like "you can order with one click, but you need 50 clicks and a three-hour-conversation to cancel".

I don’t understand the “automatic” here-yes, reputation takes time to build, but if you run your own mail server with SPF/DKIM/DMARC set up correctly why is the default posture “block it” before there’s any reputation?

Just like other cases, I won’t accept that it’s “just lazy” on the part of big tech companies. They clearly know how to adjust their internal view/reputation of a domain once it starts being used for “misbehaviour” and spam such that they start blocking it.

Thus they could clearly start by not doing so-and, maybe, they’re “really touchy” about domains with no initial “internal score” such that if a new domain pops up and starts spamming people they catch it fast. Its not necessary to break open Internet protocols, though, unless they want the breakage.

If that 5% is 90% of cost to provide the service, forget it. Nobody is going to do a Herculean task to support a niche user.
> and you are legally required

Where. It’s global internet we communicate via.

It'll be interesting to see what happens if someone takes that argument to court.

One side of the argument is that Cloudflare places an undue burden. The other side of the argument is that without the CF protections, the service provider doesn't even have reason to believe the request is coming from a human being the law protects.

Maybe you should try to care about something other than just your bottom line. I'm sorry if this sounds mean, but this attitude just turns the web into a giant monoculture because you can't be bothered to care. It actually ends up hurting everybody in the long run. Look how long we were trapped with IE6. Amazing how people forget history so quickly.
Everyone has limited resources. As a for profit company, the focus has to be on your bottom line. How many resources should a company use for some obscure corner case when the user can make changes?

Of course accessibility is important - ie screen reader compatibility.

A typical testing matrix in the US would be

- Safari for iOS

- Chrome for desktop and Android

- maybe Safari for desktop or you just tell Mac users to use Chrome

- Firefox if you have the time. But if not, no big deal.

We are definitely not going to test for a highly customized Firefox on Linux running over a VPN.

There’s no test to be done there. Just respect web standards and do geoblock if you want to.

The issues I have are website pretending to be apps and apps that are SPAs for no reasons.

> Maybe you should try to care about something other than just your bottom line.

You can do so when your bottom line is healthy. Otherwise you go out of business. That’s business 101.

By that logic, why care about accomodating anyone with a disability? Your site works for 95% of people, why care about those who need to use screen readers?

And before you say "that's their choice," you're the one who is breaking the functionality. Nothing about using a VPN or linux or Firefox creates any problem for TCP/IP or https.

One because it’s the law and two because the disabled can’t just make a choice and install Chrome.

However, while the site creator does have to meet the disabled halfway, the disabled person is responsible for having whatever type of equipment they need to make it work - ie screenreaders

If your website is full of divs generated by JS that are full of aria tags that make no sense, those tools don't have a chance. Most websites act this way as well. Even Facebook used to lock people out of their messages if you couldn't use a mouse, at least in the last time I checked (infinite feed + no way to skip feed via tab -> can't reach right panel).

Just do your job right. Not saying you should test some unique Firefox config but at least the default version is to be tested.

Hell, I've seen people here indicating that they just tell desktop Mac users to "install Chrome". Such carelessness is bad for business. Web development sure could raise its bar.

If you’re selling a SaaS app, you care more about the customer than you do about the user. The customer is the IT department.

For the longest, Amazon Connect’s - AWS hosted call center software - call flow builder only worked with Chrome.

Even for B2C users, using Chrome is not a deal breaker. If they are okay with using shitty Electron apps, they will be okay with using Chrome for Mac.

They solved their problem. No matter how upset you are about it, the rest of the matter is your problem.
Though in this case it is legally their problem as unsubscribe links are protected by law in the US.
I'm convinced that's mostly incompetence on the side of the companies that implement that protection.

"We have a problem with bots" - "Just create a firewall rule, whatever"

What other way would you suggest to protect a free service from bots? Cloudflare is often the easiest to implement and has a generous limit on their free plan.
Oh, they absolutely are, I don't disagree -- I use them too.

But the immediate response to bots shouldn't be "make everyone go through a captcha". There's lots of nuance that you can tune to deal with your particular situation, but the first thing I'd do is block known bots or ASNs, set up a limit to trigger (bots usually don't make 1 document request a minute), set up higher limits for users who (seem to) have a valid cookie indicating that they are logged in, set up different thresholds for certain countries that are more risky etc etc.

What you need to protect your service depends on your situation, it's not a one-size-fits-all solution. E.g. I find that I have no automated contact form spam once I add a simple JS to add some data that isn't standard, but I'm sure that wouldn't hold up if there was enough incentive to try to get past it.

But the OP mentioned not just free services, but e.g. webhosting logins. That's just sad, as is Cloudflare's community being behind an aggressive captcha. I'm a user, I'm logged in, I've posted before, I'm in good standing, yet when I go there, I need to solve a captcha. When I then go there again an hour later, guess what, another captcha.

Either there's another reason I'm not seeing or it's just lazyness as in "we need to have a forum but we really don't want to spend any resources on it, just put up an aggressive captcha that'll filter out most bots and everyone but the determined users".

Fwiw, Cloudflare does do a multivariate confidence check which is why it has multiple tiers: no captcha, a one-click captcha, the annoying puzzle captcha once, the annoying puzzle captcha six times in a row.

> I'm a user, I'm logged in, I've posted before, I'm in good standing, yet when I go there, I need to solve a captcha.

Though consider the fact that taking over someone's account shouldn't give you (a spammer) unlimited access either. The spambots you see on Twitter are mostly cred-stuffed accounts. It's a hard problem. Existing accounts are more dangerous than fresh accounts.

Imo, "write your own password" should be a thing of the past. Services should just auto-gen a password or there should be a way to require the OS (like a password manager) to generate one to avoid cred-stuffing. We're letting down the average person by making them come up with unique passwords for every service instead of just helping them. Though I'm way off topic.

> Though consider the fact that taking over someone's account shouldn't give you (a spammer) unlimited access either.

But it's not unlimited access -- it's _read_ access at that point. This is just when trying to access the forums at all, not when trying to post a message. And if they were worried about evildoers scraping all the data from their forums, they could rate-limit and then require captchas (their WAF settings make that trivial). But they don't, or the rate limiting is so generous that I've never hit it, and their forums are not that active, so I don't think that's the reason.

Adding more protection to an endpoint where users send posts makes some sense, but for reading? On their dashboard you need to solve the captcha on the login-form. On the forums, you cannot even get to the login (which works via the dashboard, where you'll solve a captcha again) until you've solved the captcha.

I use and like CF's products a lot (I'm a paying customer, I'm not even looking for free support on the forums, but their docs are lacking a lot of information that I'm interested in), so I don't believe in "we're incompetent", keeping the resource-investment low by filtering out bots and a chunk of users makes a lot more sense.

> Fwiw, Cloudflare does do a multivariate confidence check which is why it has multiple tiers: no captcha, a one-click captcha, the annoying puzzle captcha once, the annoying puzzle captcha six times in a row.

That's not correct, Cloudflare challenge pages / Turnstile will never show you a puzzle.

Most developers I've met were actually similarly lazy... we just use Chrome on Mac, and don't really want to deal with VPNs unless our employers force us to. The last few Firefox holdouts also switched after running into various WebGL/Canvas/etc issues. The same attitude that leads us to focus on "happy path" users and ignore edge cases often also causes us to sheeple into that same basic dev group. Long gone are the days where most devs custom build Linux boxen from scratch and compile custom kernels to our liking...

Anyway, I know the "Cloudflare's monopoly gating is killing web openness!" meme is common online, especially on HN, but in real life I've never actually heard anyone else complain about it (either a fellow dev or a customer or a manager). Instead, it's been universal praise for the actual issues Cloudflare exists to solve (CDN, bot protection, serverless, etc)... they are a godsend for small businesses that otherwise get immediately flooded by spam requests, especially from China, Russia, and India.

And if you think Cloudflare is bad, it was even worse before they became dominant, with terrible services like Incapsula/Imperva charging way more but providing both worse bot protection AND more false positives, or the really hard early reCAPTCHAs (that Cloudflare was largely able to replace, for users who DO fit within the "norm"). That, or you'd have to fight every random sysadmin with their own lazy rules, like firewall rules that blacklisted entire regional ISPs and took weeks or months to resolve, if they ever even checked their emails.

As inconvenient as Cloudflare is for users who take privacy seriously and try to be less trackable, for the other 90% of us who don't care as much and easily fit into their "norm" model, it's much nicer than what came before. Site downtime and slowness are also much less common now, in no small part because of their easy CDN and caching.

From the implementation side, I've set up a few Cloudflare accounts in my career, but do take the time to try to configure it to balance security vs accessibility for any given target audience. Sometimes we'd block entire countries, other times we'd minimize security to ensure maximum reach, but usually we'd customize rulesets in the middle for any given company & audience. I never got a complaint about it (our emails were still available and not blocked).

This was always a direct response to some business need, usually spambots or DDoS attempts that fail2ban etc. couldn't catch well enough. For the business, it was usually a "shit, our website is down again, what is it this time", and the choice between "for free or $20 we can get it back up again and not have this issue anymore" or "we can spend thousands of dollars and weeks of labor building our own security solution" is pretty easy. "What about that one guy who is proxied behind TOR and three VPNs with a random user agent using a text-only browser he wrote himself?" never really factors into that process =/ There's just not enough users like that out in the wild vs the very real constant threat of bots and malware.

It's a shitty situation that the web is like this today, and I wish it weren't the case, but it really is an arms race, and these imperfect weapons are just what most of us have access to...

> spam requests, especially from China, Russia, and India.

On my small website, bot traffic is almost entirely from DigitalOcean VPSs.

That is not an excuse to give in to the cloudflare's agenda of centralizing everything. Bad things have happened, is happening and will continue to happen if one entity has this much control over the internet traffic
>developer chrome, Mac

Maybe in your country, but tons of countries outside of the US (first world) avoid Macs like the plague and just use Linux/Windows as building machines.

But you are right on Google/Cloudflare, they are the poison of the web.

I honestly don't see what's so hard about a bot simulating "the norm" within the margin of error. This cat-and-mouse game is just like a GAN, the end result is indistinguishable even by a bot.
Bot authors are lazy and won't until they have to.. once you do, you can then pretend they aren't bots and include them in the engagement numbers you feed prospective shareholders.
Agreed. From my past experiences though, a very good chunk of them will give up once there is a resistance. Basically, you want your bot protection to just be a little better than your competitor. Then the bot author will target them instead, because of the path of least resistance.
Outrun the friend not the bear? Hehe
It depends on the defences. It starts trivial - just make a http request. Then there's http version, user agent header, other headers, header ordering, cookies, TLS ciphers, session resolution, timing, behaviour for page resources, ... and so many other things. It takes time, even if you order headless chrome.
The sad part is that it's trivial to get around CF's bot protection if you're writing a bot (just use curl-impersonate and buy residential IPs), but it's pretty much impossible to bypass as a human if their magical black box doesn't like your browser and/or IP address.
How does it get around captchas?
You pay contract workers in a third world country a tiny amount of money per day, to spend all day clicking boxes.
If they don't think you're suspicious they don't make you do the captchas, and as others have mentioned you can always outsource it to captcha farms. There are also AI models which do a fairly decent amount, and since most captchas let you repeat attempts with new patterns you can have a pretty high error rate to get past them. Then there's the ADA, which requires accessibility- many captchas have an audio component as a backup and those are easy to interpret by models.
Cloudflare turnstile isn't even a captcha. The user just has to tick a box. Behind the scenes there's a javascript challenge to make sure you're vaguely a browser and not some script a bazillion requests per minute.
It's also used for proof of work as many scrapers are using thousands of IPs but only a few CPUs
curl-impersonate doesn't solve CAPTCHAs, but the goal is to look enough like a human that Cloudflare doesn't present a CAPTCHA in the first place.
> it's pretty much impossible to bypass as a human if their magical black box doesn't like your browser and/or IP address

There are residential-IP-backed VPN services that you can use just like commercial VPN services — but they're mostly built on the backs of botnets, so it's ethically questionable to use them.

You could also use Tailscale back to your own IP if the goal is not having to trust public WiFi.
FWIW, StarVPN claims to have "ethically sourced" IPs. That is, not from botnets. Their pricing is quite a bit higher than many (cheapest plan is $20/month), but could be worth trying.

https://www.starvpn.com/

The "residential VPN" providers setup fake ISPs or buy AT&T/Verizon business circuits with large blocks of IPs and sell them as residential.

They are easily detected if you are buying IP intelligence from one of the higher quality providers: https://app.spur.us/context?q=STARVPN_PROXY

That's helpful to know. I wasn't aware of this.
To note, IP is only a part of it, and the full extent of what's baked into a CF score will never be explicited (for obvious reasons).

CloudFront being way past the simple blocking of IP addresses, I wouldn't be surprised if a mismatch between your IP block and your language/cookies would be enough to lower your score.

Surprisingly, it still works as intended. Yes, it won't keep professionals and dedicated bot-fabricators out, but that's like 5% of the botters out there; the rest are the bot equivalent of script kiddies who can't be bothered, and it filters them great. Meanwhile, the script kiddies have a process that still works on non-CF sites, so they don't need to improve their process.
This is great for bypassing the server side bot detection but not the client side one, where it will attempt to verify the integrity of your browser environment.
Well yeah, if you’re a legitimate user, CF will block you.

It’s only easy to bypass if you’re scraping or doing nefarious stuff.

It's the same for spam email, yet most spam gets caught in spamassassin rules that were written 20 years ago and haven't seen much improvement since then. Most bad guys just don't bother to do anything above the bare minimum. For example, I see lots of email getting caught in a rule that checks for incorrectly formatted pseudo-Outlook mailer header, which is trivial to circumvent if you pay any attention to it (the difference is in excessive whitespace, or a slightly incorrect "Outlook" version, or something like that).
see also: The surprising effectiveness of simply asking the spam server to try again(sometimes called graylisting). It shouldn't work at all, but proves to filter an awful lot of the worst mail noise.

http://man.openbsd.org/spamd

We bypassed it by switching to starlink. Now my IP address is a too-big-to-fail CGNAT.

The old IP address was a mom-and-pop CGNAT.

Thanks CF, for protecting us from capitalism, I guess?

That's same for almost all surveillance/tracking tech. It's always trivial for criminals/abusers to bypass. The surveillance is just about controlling the sheep.
it is discrimination
Only if enough are discriminated against that it affects the bottom line.
I don't buy this because using Chrome is what most bots probably do right? Headless chrome is easy.
> Site owners don't care either since you're usually like 1-2% of users at most, and typically also the same ones who block ads, etc., so they don't mind blocking you

I do believe that it is true that many site owners wouldn't care. But I suspect that in the vast majority of cases they don't actually know. Cloudflare probably shows them a nice dashboard about all of these blocked "threats" and they don't know better than to question it.

I'd expect this to increase with the proliferation of AI Crawlers and scraping becoming easier with AI.
Can't you have a normal firefox profile for such cases? Do you have any javascript filters? I bet the issue must be related to configs messing with the JS runtime.
The issue is scummy companies like cloudflare which are causing these issues. If your software is blocking legitimate users then your software is shit at its job. It's not the users fault.
>The issue is scummy companies like cloudflare which are causing these issues. If your software is blocking legitimate users then your software is shit at its job. It's not the users fault.

But if you're going out of your way to look suspicious (ie. "I use a heavily customized Firefox config on Linux"), surely you'd agree at some point it goes from "your software is shit at its job" to "it's your fault for looking suspicious"? If you walk into bank wearing a balaclava and get stopped by security, it's not really "security is shit at its job".

[flagged]
>Everyone should only be allowed to use windows and a chrome browser variant with no ad blocking. Cloudflare 100% should be allowed to arbitrarily block anyone not using this set up because they are suspicious.

Seems like a slippery slope argument, but isn't reflective of reality. They still allow Tor browser to pass, of all things.

It wasn't meant to be taken seriously, I was using it to show the ridiculousness of blaming a user for the shortcomings of cloudflare.

But if you like: the arbitrarily blocked user if not at fault, cloudflare is at fault.

(comment deleted)
>I was using it to show the ridiculousness of blaming a user for the shortcomings of cloudflare.

That doesn't advance the conversation, or show that cloudflare should be always as fault, as you seem to imply. Even if people are pro privacy/freedom, I think most wouldn't give the individual (as opposed to the security provider) unlimited leeway, as seen in the bank example.

[flagged]
[flagged]
[flagged]
[flagged]
[flagged]
[flagged]
[flagged]
You broke the site guidelines repeatedly and badly in this thread, crossing into swipes and personal attacks. We have to ban accounts that post like this. Fortunately I don't see other cases of this in a quick runthrough of the account's posting history, so this should be easy to fix. If you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it.
Does "But if you're going out of your way to look suspicious" advance the conversation?
It advances the conversation because it refutes the argument that "It's not the users fault" brought up a few comments ago, by using the balaclavas in bank analogy.
It refutes nothing, it attempts to place the blame for cloudflare incompetence at the feet of a user who has done nothing wrong.
Replied in the other comment. In short: if someone wears a balaclava to a bank, would you say that person also "has done nothing wrong"?
In short, just answering this question (which as stated in the other comment is not the issue), yes that person has t done anything wrong. There is no offence for wearing hats in banks.
>There is no offence for wearing hats in banks.

But banks aren't mandated to admit you either. Just because it's legal, doesn't mean a private establishment has to let you in. When it comes to denying entry, banks are relatively tame. Some establishments go beyond that, by denying entry unless you wear formal clothing, or presenting proof of identity.

Mobile operating systems with remote attestation (that's both Android and iOS) aren't far off from that with regard to native apps. It doesn't affect the web yet, but Google did propose adding an attestation mechanism to Chrome.
I vaguely remember this from this last year though I can't remember all the details. That's a scary slippery slope.

Of course it'll be presented as a security feature, because users are dumb, whilst also allowing vendors to lock you into their ecosystem; similar to how passkeys are currently being push by these same companies.

Agreed, but I think the point was that the user has a workaround. Use a standard browser for the like five minutes it might take to unsubscribe from these mailing lists, a one-time operation per business, done.

If on the other hand unsubscribing from mailing lists is not the true use case and we are actually being asked to help a bot bypass safeguards… then Cloudflare is doing a great job here.

What I don't understand is why you have to protect areas that require login so harshly?

If I can log in, especially with 2-factor, you can safely assume I am not a bot, or you have a larger problem.

If I have entered bad credentials 5+ times, okay, you can start backing me off or challenging me.

What am I missing? Fail2ban has been around a long time.

40% of the internet’s traffic now is bots, with about half of those being malicious. Fail2ban is decent for a very small DDoS, but useless for one with any substance, and also useless against bots scraping data or probing for weaknesses.

Also remember, especially on AWS, bandwidth is expensive. A CDN cache + blocking bots = big savings.

Problem is that a significant chunk of the technology industry still relies on "engagement" as its business model. The objective of slapping an overzealous bot protection system isn't to protect high-risk endpoints like logins/etc, it's to ensure a human is "engaging" and human time is being wasted by making even legitimate automated usage impossible.

From their perspective, the blocking of power users with unusual setups is actually a happy coincidence, as those are unlikely to "engage" with the product in the desired way (they run ad & spyware blockers, don't fall for dark patterns, and are more likely to fight back if they get defrauded by the corporation).

> What am I missing? Fail2ban has been around a long time.

Modern threat actors can spread requests out over large pools of source IPs. Rate limiting login attempts by IP isn't an effective means of preventing credential stuffing attacks.

I'm really afraid of what kind of internet we'll have when these kinds of un-diagnosable un-appealable false-positives are not just transient blips, but become metadata companies use to blindly and permanently kill off accounts on other services.

I think it may have been what happened my since-2010 Reddit account was mysteriously killed a couple years ago, and literally the only cause I can think of is that I might've used the wrong public wifi for an evening.

I'm experiencing the same issue which is definitely exacerbated by straying from a 'default' configuration e.g. using a custom browser screen reader, browsing from Brazil, using a VPN, using Firefox. I think eventually I'll be completely locked out of the 'mainstream' web
> The "unsubscribe" button in Indeed's job notification emails leads me to an impassable Cloudflare challenge.

That's a CAN-SPAM act violation.

FTC: "Tell recipients how to opt out of receiving future marketing email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting marketing email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all marketing messages from you. Make sure your spam filter doesn’t block these opt-out requests."[1]

Experian was recently fined for making it hard to opt out of their marketing emails.

The actual regulation text:

§ 316.5 Prohibition on charging a fee or imposing other requirements on recipients who wish to opt out.

Neither a sender nor any person acting on behalf of a sender may require that any recipient pay any fee, provide any information other than the recipient's electronic mail address and opt-out preferences, or take any other steps except sending a reply electronic mail message or visiting a single Internet Web page, in order to:

(a) Use a return electronic mail address or other Internet-based mechanism, required by 15 U.S.C. 7704(a)(3), to submit a request not to receive future commercial electronic mail messages from a sender; or

(b) Have such a request honored as required by 15 U.S.C. 7704(a)(3)(B) and (a)(4).

That seems to cover it. File a CAN-SPAM act complaint (spam@uce.gov). Send a copy to the legal department of the sender.

[1] https://www.ftc.gov/business-guidance/resources/can-spam-act...

"Visiting a single Internet Web page" is considerably more involved than that. In practice, it means making a request to the DNS servers and running Javascript that's injected by the CDN/proxy which "verifies" (runs some heuristics) that you're allowed to load that page.

It's like a restaurant that complies with a local food access requirement to be open at a certain time... but only by having a drive-through that requires you to not just be a human being, but also to drive a car to get to the restaurant.

I would suspect that OP is choosing the webpage out of convenience but that there is a List-Unsubscribe: header hiding in the raw version of the email, cheerfully nuking the FTC complaint. Now, demonstrating that the List-Unsubscribe worked is left as an exercise to the reader, but let's be honest, it's the same with the web page variant with bonus points for those pages usually ending it "yeah, we'll get around to it is 364 business days" or some shit
Thanks for that note. I receive „spam“ by a US based Car Rentel/Leasing Company, cause they prevent me from unsubscribing because i am in European IP-Range (geo-blocking). Especially „nice“ cause they send me contract specific details of one of their customers, who misspelled his email address.
I'm in a similar boat. A UK bank thinks I'm one of their customers (someone with a similar name). The reply address is no-reply@ and I'm not about to call a foreign bank.
Quick note that if you use a proper email hosting service, or host yourself, you can add a sender block rule to eliminate this nuisance.
Are there email services which don't allow you to block addresses or keywords?
I had the same happen with a AU insurance company that also made it hard to reach them.

I sent an email to their regulator that this company keeps sending me confidential information about one of their clients. It took one day until I received an email from the company informing me that they've corrected the mistake and I shall no longer receive any emails, and it worked, I haven't received a single one since.

Maybe I’m lazy but why do above four posters do so much effort?

I just mark as spam and or block the sender

same. although, if it's a reservation you're being sent, you can cancel it to let the person know they're using the wrong email (plausible deniability because you don't recognize it, yet are getting a reservation)
How would the person know their reservation is cancelled?
they'd show up for the reservation they made and find that it doesn't exist!
If I made a mistake while entering data, I'd be happy if someone told me they receive emails from me that they probably shouldn't be getting, so I do the same when it's not obvious spam/scam.
Getting a U.K. bank account without having a U.K. mailing address isn't the easiest thing in the world to do. Maybe someone would be interested in acquiring it from you.
From: no-reply@ and simlar fake senders should just result in immediate rejection of the mail at submission time.

Tempted to set that up on my server.

I received spam for quite a while from Robinhood, back when they suggested they were going to enter the UK market and to sign up for more details.

They didn't but I still recieved spam which I couldn't opt out of because they wanted me to log into my account, even for support, which obviously didn't exist.

At least back then we had Twitter and messaging them publicly got a customer service response.

Is this Hertz? Somehow Hertz in Mexico decided to add my email address to their mailing list, and I tried to complain to every level of Hertz to get them to stop. Their hosters didn't care, their upstream didn't care.

I decided to download larger files from their web site a few tens of millions of times, which I think cost them a few hundred dollars. Unethical? Perhaps, but I'm not the kind of person who just accepts that companies are too large to have humans that can communicate and that I should just accept their harassment.

It worked, though. I finally got a response from Hertz saying they were going to "get to the bottom of it", and I finally stopped getting their spam.

When you say "it worked" referring to you downloading big files to generate cost for Hertz, it mean you told them you were doing this and would stop if they remove you from the mailing list?
I know that feeling all too well. There's an Australian guy with a very similar email address that keeps entering it incorrectly, and I end up with the promo emails for these accounts. And because some of them are geolocked to Australian IPs, it's impossible to unsubscribe via the links in the footer.
I get emails all the time for some person in the US who must misspell his own email address. So far I’ve cancelled his haircut and car garage booking.
Unfortunately the government seems to have given up on enforcing the CAN-SPAM act. If they actually enforced it spam companies like Salesforce would face massive fines.
You can press charges yourself and get lawyer fees for your efforts. Probably not worth it, but you don't need the government to do this.
Yeah, the same way I don't need to pay taxes...
Individuals cannot "press charges", nor can the police. Only a state/federal government attorney can file charges against someone.

A person or police officer might recommend some action to a DA, but it's completely up to their discretion what to do with that information.

Don't worry, the next administration is likely to eliminate any rules like that.
Inane low effort comment.

CAN-SPAM was introduced by Republicans and signed into law by Bush btw.

It feels weird that a completely US based Recruit acquisition shows such a typical Recruit behavior...
Makes me wonder. If it's illegal to deploy bot protection on unsubscribe links, and there are massive lists of leaked email addresses available, surely someone has tried to mass-unsubscribe tons of email addresses from tons of mailing lists?
More likely: someone tried to automate unsubscribing one e-mail address from massive list of mailing lists.
Unsubscribe links can include additional authentication information, as long as it is all included with the link in the mail.

If you don't do that, bot protection isn't going to stop a dedicated troll.

If it is triggered by the customizations you did in Firefox, then running a fresh Firefox in a container might help:

    docker run -it --rm -e DISPLAY --net=host -v $XAUTHORITY:/root/.Xauthority -v /tmp/.X11-unix:/tmp/.X11-unix debian:12-slim
Then inside the container, run:

    apt update
    apt install firefox-esr
    firefox
what is the advantage here over just running 'firefox -ProfileManager' and making a clean profile?
All host info not accessible via X11 protocol is hidden, for example font list, is replaced with generic one.

For even more protection, run VNC server with common resolution in the container and connect to it using VNC viewer. In this case firefox provides a super generic profile (latest debian with mesa GPU), making this browser very hard to distinguish from others. This has some downsides however: First, you cannot resize window. Second, a lot of actual bots use same config, so it might be blocked.

Isn't it suspicious bot-like behavior to only have the bare minimum fonts installed? :-)
To be fair, Firefox out of the box prevents against font fingerprinting more than Chrome, it's considerably easier to get Firefox to run in a docker container and pass all the client side challenges than Chrome in my experience, you still have a valid point though.
mullvad browser is pretty much this, but without messing around with containers. One fingerprint for all users, with the same font list, resolution, canvas behavior, etc.

https://mullvad.net/browser

looking at https://mullvad.net/en/browser/hard-facts , Mullvad browser is much more extreme: many APIs blocked, always incognito mode... I would not be surprised if this blocks some sites.

the container approach on the other hand is bog-standard firefox.

OP mentioned that they run a heavily modified browser, I think it means compiled with changes - docker means stock Firefox
The suggestion you should have to bend over backwards for shitty software like cloudflare is bad enough; but if you were going to surely creating a new browser profile is far easily than spinning up a debain docker image, updating it and the installing Firefox and the running it?
> - The "unsubscribe" button in Indeed's job notification emails leads me to an impassable Cloudflare challenge.

Maybe indeed could be held liable here? From the can spam act (if you're from the US):

> You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.

https://www.ftc.gov/business-guidance/resources/can-spam-act...

this nevertheless happens all the time. i have an old linkedin account i haven't logged into in years and can't be bothered to dig up the credentials so one of my e-mails gets stupid "network updates". one must log in to disable these and navigate to some obscure settings page in one of the most heinously overcrowded UIs on the web.

so i just flagged it all as spam and hoped it hurts their deliverability a little.

Honestly I click an unsubscribe link but if it requires me to complete a survey or fill out a form, I just nix the tab and spam filter the email. I'm nobody's fucking admin assistant and my time is valuable: you know my fucking email and could easily add it to the think, or at the most, ask me to type it into a box if you MUST. Anything more than that, if I have to manually opt out of "types" of messages or whatever, nah. Fuck you.

I didn't ask for your fucking emails and I sure as shit am not going to do the homework you're assigning me to make them stop.

Yep, I just spam filter the E-mails now. If that act adds 0.0001% to that sender having future E-mail deliverability problems, then all the better. If it's commercial or political and I didn't explicitly ask for the sender to E-mail, then it's spam.
It does! Reporting as spam will cause them to have issues if enough people do it.
If the survey has text fields and I have enough spite left in me I fill them with "[object Object]" in the hopes it makes someones day more miserable than mine.
I have experience bypassing these.

The primary cause of this is most likely any kind of 'optimizations' you have in your browser (or missing fingerprints).

If you want to 'bypass' these I recommend removing any use of Proxy[1] (via extensions). You should also look into disabling any kind of forced backgrounding. Make sure service workers are working.

1: They catch Proxy usage by using exceptions and analyzing the stacktrace. I assume you know what a javascript proxy is, but incase you don't: It's something that allows you to override any kind of object function such as navigator.hardwareConcurrecy.

> They catch Proxy usage by using exceptions and analyzing the stacktrace

That is really clever, I am guessing this is why various browser automation companies are using custom forks of Chromium.

I ran into this, or something similar recently when our main connection went down (solar powered) and we switched to Starlink. Due to Starlink NAT issues I had tunneled our traffic to to a box colocated in a data center. This broke a number of web sites in weird ways. Became so annoying that I ended up bringing up a tunnel to our office in town to get back to the regular IP we used. Weird problems went away.
> Cloudflare challenges have made large portions of the web unusable for me.

I guess the best web experience is when one filters Cloudfare, Google and Microsoft at the firewall.

I deal with this fairly commonly, presumably because I use linux, and we all know only botnets use linux. Occasionally with cloudflare I'll just get summary rejection and supposed blocking of my IP, but either it's summary rejection or a pass without challenge.

Recently I had to deal with this for alibaba just to look at something, which I usually just use torbrowser with, and finally gave up as I couldn't pass the challenge. I suppose I shouldn't be surprised at that though, they trust me as much as I trust them.

The worst is usually adobe and cookielaw with all their related tracking crap, where I can't even get the captcha to render as it's so many layers buried in scripting I can't enable enough sites between ublock, noscript, privacy badger, and firefox strict modes. I treat adobe like malware, but unfortunately things like albertsons.com for groceries and other mega companies love to use it, and their sites literally do not work without allowing their heavy scripting/tracking.

There are other usually smaller captcha players that I haven't been human enough to pass with, I forget the names of the stupid to shame, but a few when I see them I recognize to just close the window and forget about whatever it was I was looking for there (like twitter/x).

Hooray commerce!

>...when I see them I recognize to just close the window and forget about whatever it was I was looking for there

This is the way.

My main desktop for the past year has been Steamdeck with linux. And don't get any excess Cloudflare challenges.
Nice idea! How's that working out for you? Stock OS? Bazzite?
Stock. Browser (Chrome/Firefox) doesn't have hw acceleration for video decode. But other than that it's fine. Fast and silent. VS Code and Jetbrains tools work fine.
I visited albertsons.com out of curiosity, but I was instantly banned. Even using an unmodified Chromium browser, I couldn't access the site. It's ridiculous what's happening on the internet today.

The error: ``` Access denied Error 16 www.albertsons.com 2025-01-03 09:30:00 UTC What happened? This request was blocked by our security service Your IP: xxx Proxy IP: xxx (ID xxx) Incident ID: XXX Powered by Imperva ```

Their Imperva WAF usually challenges me repeatedly during use trying to buy groceries from my pc, and most of the time I get tired of having to disable every security extension I use with Firefox to use Albertsons because of their shitty website. Never outright block though.

Might be worth checking some enterprise threat lists for whatever IP's your popping up on (ie Imperva and Cloudflare), or something uniquely fingerprints you from your browser. I use multiple extensions to block whatever they each can, and even I'm not treated that badly as you for wherever you are coming online from.

Here's Fortinet's you can check your IP against, they all tend to roughly use the same lists eventually: https://www.fortiguard.com/iprep

Immediate bans might be related to the country you're in. This is a US retailer, and there is zero reason for someone outside of the US to visit that site. Blocking foreign visitors allows them to ignore GDPR, for example.
In this case, they may display a message like: 'This page is intended for USA visitors only. Our services do not operate outside the USA.', but no, they say you are banned because just...
It seems that if you use Firefox with an adblocker then cloudflare spam is all you see. Though I have experienced this in plain Firefox too.

Cloudflare are a scummy company trying to force you to use one browser and view all ads.

It can't be just that. I use Firefox on Linux with ublock origin, strict tracking protection, and clear cookies on exit, and I've never ever seen a cloudflare challenge. Not even on sites with that "verifying your browser" page enabled.
Maybe you're right, I see it all the time. Assume cloudflare do other dumb stuff too then like up ranges and just being generally crap at their jobs.
>I use a heavily customized Firefox config on Linux.

This is probably the cause, especially if you're doing stuff like spoofing user agent. It's not cloudflare "cracking down on privacy" or whatever either. Unmodified tor browser passes turnstile challenges just fine.

It's up to users to choose their user agent.
And it's up to site owners and website security vendors to choose which user agents to admit.
My local TV station's website refuses to allow my to view their page and instead presents an a modal that cannot be blocked accusing me of using an ad blocker. The funny thing is that only happens on a mobile device using the default browser with no extensions. When I visit the same site on my laptop with uBO, the site is viewable with no blocking modals.

Sometimes you miss what you were aiming for I guess

What do you mean impassable challenge...? Why isn't it passable? Are you a robot?
[flagged]
Sadly, we probably all are LLMs/bots on the internet at this point, just talking to one another. The real humans have all become fed up and are now mostly off fishing by a lake.
The challenge is a small javascript program that checks the execution environment is consistent with a real browser. For instance, if your user agent says it's chrome, but it's missing features that'd normally be supported by chrome, it'll fail you. The OP mentioned "heavily customized Firefox config", so he might be doing stuff like this that makes his browser look suspicious.
From website perspective, yes. GP is likely using extreme ad-blocking and/or coming from regions where tons of bots and/or unwanted traffic are also from. In those cases, some/many human users could be misidentified as bots with little incentives to website admins to rectify.

And it's discriminatory, yes.

CrimeFlare is not interested in these problems for the users. If you have access to the hosting side, you can adjust the bot score for specific connections/clients. But consumers don't matter to CF so apart from jumping through their hoops, there's nothing better you can do.

Unless you accept the racket of course, start paying them and proxy your traffic through the CF workers https://github.com/pellaeon/cloudflare-worker-proxy and magically most barriers will disappear.

>Unless you accept the racket of course, start paying them and proxy your traffic through the CF workers https://github.com/pellaeon/cloudflare-worker-proxy and magically most barriers will disappear.

Source this actually works? ie. that using cloudflare workers allows you to bypass cloudflare protection?

https://jychp.medium.com/how-to-bypass-cloudflare-bot-protec... and many other posts. Haven't looked into this in a while, so can't tell you exactly how effective it is today. (Definitely corrects the high bot score of your IP though)
Sounds like all it does is make your IP reputation slightly better than tor, which is a pretty low bar to cross. You'd likely get the same effect from using any other VPN service, so it's not exactly evidence that cloudflare is running a "racket" with its worker product. The linked blog post even touts the fact it's free as an advantage. Rackets typically aren't free.
You also change the headers / TLS signature, because it's their worker doing the connection. That covers quite a lot already.

The racket is not in the workers themselves, but rather cloudflare both protecting from internet abuse and protecting sites which sell the abuse services. (For example hosting WebStresser) I meant that by giving them more traffic and accepting that as a workaround, we'd be saying "I'm ok with that".

>You also change the headers / TLS signature, because it's their worker doing the connection.

pip install curl_cffi

Even easier than spending 15 minutes setting up cloudflare workers.

>The racket is not in the workers themselves, but rather cloudflare both protecting from internet abuse and protecting sites which sell the abuse services. (For example hosting WebStresser) I meant that by giving them more traffic and accepting that as a workaround, we'd be saying "I'm ok with that".

Do you think it's a "racket" for gun shops to sell guns for home defense, but also to sell guns to criminals?

> Even easier than spending 15 minutes setting up cloudflare workers.

You need both in practice. Changing the TLS details won't save you from coming out of the same CGNat as the rest of your city for example.

> for gun shops to sell guns for home defense, but also to sell guns to criminals?

If they know they're selling to criminals who are likely to attack their customers, then of course yes. In practice the overlap is not as trivial so I don't think it really transfers that well. So really "mu, the analogy is not close enough".

(comment deleted)
I can't use any of the kerbalspaceprogram.com domains because of improper discrimination against IPv6 clients triggered by CloudFlare.

    Error 1015 Ray ID: .... • xxxx-xx-xx xx:xx:xx UTC
    You are being rate limited
    What happened?
    The owner of this website (wiki.kerbalspaceprogram.com) has banned you temporarily from accessing this website.
This sort of monoculture creates an Orwellian SPoF.
Cloudflare owns kerbalspaceprogram?
No, wiki.kerbalspaceprogram.com is a customer of Cloudflare, but the outcome is the same.
I don't think it's an IPv6 problem. IPv6 clients are more static than IPv4, which is usually shared amongst many clients (at home) or at the network level (CGNAT).

It could be the address is being reused - is it home, cloud or corporate? Have you tried different browsers? Incognito mode?

I have an IPv6 block at home and have no problem accessing that site.

That isn't "triggered by Cloudflare". The operator of the web site has deliberately configured it to block your IP range, and Cloudflare is obeying those instructions.
I've honestly only experienced the opposite; their captcha is reasonably easy to bypass, and I've successfully automated access to a few sites "protected" by the Cloudflare captcha (behind a VPN, no less).

> I use a heavily customized Firefox config on Linux.

If you really care about privacy, you should blend in to look like everyone else. Avoiding being tracked raises alarm bells. You have to let them track something; but no one ever said it had to be you.

I found a GitHub captcha to be unsolvable. That captcha properly stressed me out.
Yes, I run into it from time to time. I just move on. If someone is going to make their website inaccessible to me, I'm not going to bend over backwards to try to work around that.

Incidentally, since I configured DNS over HTTPS in Firefox, using Cloudflare's DNS, it seems I see this much less often.

Same here, but Cloudflare's captchas in particular are actually the easiest to pass in my experience. Google's ones are the killers. But yeah everything has a captcha if you're using a VPN or Firefox.
I had similar issues as an (also heavily customized) Firefox user, but was able to fix it by installing Cloudflare's Privacy Pass browser extension.

It seems ironic that as a human I can't seem to reliably prove I am a human with a realistic amount of effort via these systems, but having installed a specific automated browser extension does?

I am not a fan of Cloudflare and don't like the idea of running their software on my computer, but it seemed like the only options to continue using the internet at all.

I didn't know that extension existed, so after failing to fix it by reinstalling Firefox and removing extensions, I just gave up and installed Chrome.