Tell HN: Cloudflare is blocking Pale Moon and other non-mainstream browsers

1343 points by Hold-And-Modify ↗ HN
Hello.

Cloudflare's Browser Intergrity Check/Verification/Challenge feature used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

Users reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

553 comments

[ 3.2 ms ] story [ 515 ms ] thread
[flagged]
Not helpful to an otherwise worthwhile discussion.
The rest of this comment section is the same sentiment mixed in with trying to make excuses for Cloudflare. So... it is helpful. Stop allowing a private company to control and MITM the entire internet.
Same issue. I haven't been able to visit any websites powered by Cloudflare on my SeaMonkey browser recently.
I'm using chrome on linux and noticed that this year cloudflare is very agressive in showing the "Verify you are a human" box. Now a lot of sites that use cloudflare show it and once you solve the challenge it shows it again after 30 minutes!

What are you protecting cloudflare?

Also they show those captchas when going to robots.txt... unbelievable.

The captcha on robots is a misconfiguration in the website. CF has lots of issues, but this one is on their costumer. Also they detect Google and other bots, so those may be going through anyway.
(comment deleted)
Sure; but sensible defaults ought to be in place. There are certain "well known" urls that are intended for machine consuption. CF should permit (and perhaps rate limit?) those by default, unless the user overrides them.
Putting a CAPTCHA in front of robots.txt in particular is harmful. If a web crawler fetches robots.txt and receives an HTML response that isn’t a valid robots.txt file, then it will continue to crawl the website when the real robots.txt might’ve forbidden it from doing so.
I have Firefox and Brave set to always clear cookies and everything when I close the browser... it is a nightmare when I come back the amount of captchas everywhere....

It is either that or keep sending data back to the Meta and Co. overlords despite me not being a Facebook, Instagram, Whatsapp user...

You don't need to clear cookies to avoid sending that data back. Just use a browser that properly isolates third party/Facebook cookies.
You don't even need to use a different browser - Firefox has an official "Multi-account containers" extension that lets you assign certain sites to open in their own sandbox so you can have a sandbox for Google, another for Facebook, etc.
Great idea, I wasn’t even aware and got resigned to the idea tracing is inescapable, but I really need to take that back, even stop using a lot of hostile services. On smartphones it’s even worse.
So, what's a good strategy for managing containers? I've used this extension for years, and in the past I was a bit more conservative with my containers (personal, work, google, facebook, twitter, banking, etc.) and now I've gone a bit more ... "ham" as they say ... and I have 29. One example is travel, to keep fare searches from pervading news story ads. But I'm sure there's a way to strike a balance that I've just not yet found.
I wonder if browsers have a future.
Whoever configures the Cloudflare rules should be turning off the firewall for things like robots.txt and sitemap.xml. You can still use caching for those resources to prevent them becoming a front door to DDoS.
It seems like common cases like this should be handled correctly by default. These are cachable requests intended for robots. Sure, it would be nice if webmasters configure it but I suspect a tiny minority does.

For example even Cloudflare hasn't configure their official blog's RSS feed properly. My feed reader (running in a DigitalOcean datacenter) hasn't been able to access it since 2021 (403 every time even though backed off to checking weekly). This is a cachable endpoint with public data intended for robots. If they can't configure their own product correctly for their official blog how can they expect other sites to?

I agree, but I also somewhat understand. Some people will actually pay more per month for Cloudflare than their own hosting. The Cloudflare Pro plan is $20/month USD. Some sites wouldn't be able to handle the constant requests for robots.txt, just because bots don't necessarily respect cache headers (if they are even configured for robots.txt), and the sheer number of bots that look at robots.txt and will ignore a caching header are too numerous.

If you are writing some kind of malicious crawler that doesn't care about rate-limiting, and wants to scan as many sites as possible for the most vulnerable to get a list together to hack, you will scan robots.txt because that is the file that tells robots NOT to index these pages. I never use a robots.txt for some kind of security through obscurity. I've only ever bothered with robots.txt to make SEO easier when you can control a virtual subdirectory of a site, to block things like repeated content with alternative layouts (to avoid duplicate content issues), or to get a section of a website to drop out of SERPs for discontinued sections of a site.

> sheer number of bots that look at robots.txt and will ignore a caching header

This is not relevant because Cloudflare will cache it so it never hits your origin. Unless they are adding random URL parameters (which you can teach Cloudflare to ignore but I don't think that should be a default configuration).

The thing is, it won't do that by default. You have to enable caching currently, when creating a new account. I use a service that detects if a website is still running, and it does this by using a certain URL parameter to bypass the cache.

Again, I think you are correct with more sane defaults, but I don't know if you've ever dealt with a network admin or web administrator that hasn't dealt with server-side caching vs. browser caching, but it most definitely would end up with Cloudflare losing sales because people misunderstood how things work. Maybe I'm jaded, at 45, but I feel like most people don't even know to look at headers by default when they feel they hit a caching issue. I don't think it's based on age, I think it's based on being interested in the technology and wanting to learn all about it. Mostly developers that got into it for the love of technology, versus those that got into it because it was high paying and they understood Excel, or learned to build a simple website early in life, so everyone told them to get into software.

using palemoon, i don't even get a captcha that i could solve. just a spinning wheel, and the site reloads over and over. this makes it impossible to use e.g. anything hosted on sourceforge.net, as they're behind the clownflare "Great Firewall of the West" too.
See if changing user agent to Chrome/Firefox helps
I run a honeypot and I can say with reasonable confidence many (most?) bots and scrapers use a Chrome on Linux user-agent. It's a fairly good indication of malicious traffic. In fact I would say it probably outweighs legitimate traffic with that user agent.

It's also a pretty safe assumption that Cloudflare is not run by morons, and they have access to more data than we do, by virtue of being the strip club bouncer for half the Internet.

User-agent might be a useful signal but treating it as an absolute flag is sloppy. For one thing it's trivial for malicious actors to change their user-agent. Cloudflare could use many other signals to drastically cut down on false positives that block normal users, but it seems like they don't care enough to be bothered. If they cared more about technical and privacy-conscious users they would do better.
> For one thing it's trivial for malicious actors to change their user-agent.

Absolutely true. But the programmers of these bots are lazy and often don't. So if Cloudflare has access to other data that can positively identify bots, and there is a high correlation with a particular user agent, well then it's a good first-pass indication despite collateral damage from false positives.

I would hope Cloudflare would be way, way beyond a “first pass” at this stuff. That’s logic you use for a ten person startup, not the company who’s managed to capture the fucking internet under their network.
> So if Cloudflare has access to other data that can positively identify bots

They do not - not definitively [1]. This cat-and-mouse game is stochastic at higher levels, with bots doing their best to blend in with regular traffic, and the defense trying to pick up signals barely above the noise floor. There are diminishing returns to battling bots that are indistinguishable from regular users.

1. A few weeks ago, the HN frontpage had a browser-based project that claimed to be undetectable

> a browser-based project that claimed to be undetectable

For now

That's just part of the game. Sometimes you're ahead, sometimes you're behind, but there's never a decisive winner.
The programmers of these bots are not lazy - this space is a thriving industry with a bunch of commercial bots, the abiluty of whcih to evade cloudflare/etc is the literal metric that determines their commercial viability
My data says otherwise and you have provided nothing to back up your claim other than saying we have an industry full of dirty money paying programmers to write unethical code. I'm sure it inspires them to do their best work.

Half these imbeciles don't even change the user-agent from the scraper they downloaded off GitHub.

I employ lots of filtering so it's possible the data is skewed towards those that sneak through the sieve - but they've already been caught, so it's meaningless.

I mean, do we need to replace user agent with some kind of 'browser signing'?
If you're thinking of Google's WEI, I'm thankful that went down in flames:

"Google is adding code to Chrome that will send tamper-proof information about your operating system and other software, and share it with websites. Google says this will reduce ad fraud. In practice, it reduces your control over your own computer, and is likely to mean that some websites will block access for everyone who's not using an "approved" operating system and browser."

https://www.eff.org/deeplinks/2023/08/your-computer-should-s...

Sure, but does that means that we, Linux users, can't go on the web anymore ? It's way easier for spammers and bots to move to another user agent/system than for legitimate users. So whatever causes this is not a great solution to this problem. You can do better CF
I'm a Linux user as well but I'm not sure what Cloudflare is supposed to be doing here that makes everybody happy. Removing the most obvious signals of botting because there are some real users that look like that too may be better for that individual user but that doesn't make it a good answer for legitimate users as a whole. SPAM, DoS, phishing, credential stuffing, scraping, click fraud, API abuse, and more are problems which impact real users just as extra checks and false positive blocks do.

If you really do have a better way to make all legitimate users of sites happy with bot protections then by all means there is a massive market for this. Unfortunately you're probably more like me, stuck between a rock and a hard place of being in a situation where we have no good solution and just annoyance with the way things are.

What CF does when bots use "Chrome on Windows" browser agent string?
The method is the same, it just looks different when n=1. I.e. the method is "wait until you see something particularly anomalous occuring, probe, see if the reaction is human like". The more times you say "well you can't count that as anomalous, an actual person can look like that too and a bot could try to fake that!" the less effective it becomes at blocking bots.

This approach clearly blocks bots so it's not enough to say "just don't ever do things which have false positives" and it's a bit silly to say "just don't ever do the things which have false positives, but for my specific false positives only - leave the other methods please!"

Many / most bots use Chrome on Linux user agent, so you think it's OK to block Chrome on Linux user agents. That's very broken thinking.

So it's OK for them to do shitty things without explaining themselves because they "have access to more data than we do"? Big companies can be mysterious and non-transparent because they're big?

What a take!

Can't the user agent be spoofed anyway?
I think they also fingerprint the browser. So changing user agent alone won't help.
Cloudflare has been even worse for me on Linux + Firefox. On a number of sites I get the "Verify" challenge and after solving it immediately get a message saying "You have been blocked" every time. Clearing cookies, disabling UBO, and other changes make no difference. Reporting the issue to them does nothing.

This hostility to normal browsing behavior makes me extremely reluctant to ever use Cloudflare on any projects.

Check that you are allowing webworker scripts, that did the trick for me. I still have issues on slower computers (Raspberry pies and the like) as they seem to be to slow to do whatever Cloudflare wants as a verification in the allotted time, however.
Yeah, same here. I've avoided it for a most of my customers for that very reason already
Yeah, Lego and Etsy are two sites I can now only visit with safari. It sucks. Firefox on the same machine it claims I'm a bot or a crawler. (not even on linux, on a mac)
At least you can get past the challenge. For me, every-single-time it is an endless loop of "select all bikes/cars/trains". I've given up even trying to solve the challenge anymore and just close the page when it shows up.
that's not Cloudflare, they stopped doing pictures years ago. You can tell because Cloudflare always puths their brand name on their page.

Cloudflare just blocks you without recourse nowdays.

> Cloudflare just blocks you without recourse nowdays.

looks like someone is due for a class action

It is Cloudflare, I see it too. It's a Cloudflare page, with all branding, the spinning circle, then a captcha pops up on the same Cloudflare-branded page.
Interesting! Do you have have a URL I could look at?
I'm a Cloudflare customer, even their own dashboard does not work with linux+slightly older firefox. I mean one click and it is ooops, please report the error to dev null
Sounds like my experience browsing internet while connected to the VPN provided by my employer: tons of captcha and everything is defaulted to German (IP is from Frankfurt).
I run a few Linux desktop VMs and Cloudflare's Turnstile verification (their auto/non-input based verification) fails for the couple sites I've tried that use it for logins, on latest Chromium and Firefox browsers. Doesn't matter that I'm even connecting from the same IP.

I'd presumed it was just the VM they're heuristically detecting but sounds like some are experiencing issues on Linux in general.

Does it still apply if you change the UA to something more common (Chrome on Windows or something)?
Fwiw, I was getting cloudflare blocked for a long time on Firefox+Linux and the only thing that fixed it was completely disabling the UA adjuster browser extension I had installed.
The problem is that you are not performing "normal browsing behavior". The vast majority of the population (at least ~70% don't use ad-blockers) have no extensions and change no settings, so they are 100% fingerprintable every time, which lets them through immediately.
linux + firefox. not sure what happened to me yesterday but the challange/response thing was borked and when i finally got through it all, it said i was a robot anyway. this was while trying to sign up for a skype acct, could have been a ms issue though and not necessarily cloudflare. i think the solution is to just not use obstructive software. thanks to this issue i discovered jitsi and that seems more than enough for my purposes.
I don't bother with sites that have cloudflare turnstyle. Web developers supposedly know the importance of page load time, but even worse than a slow loading page is waiting for cloudflare's gatekeeper before I can even see the page.
That's not turnstile, that's a Managed Challenge.

Turnstile is the in-page captcha option, which you're right, does affect page load. But they force a defer on the loading of that JS as best they can.

Also, turnstile is a Proof of Work check, and is meant to slow down & verify would-be attack vectors. Turnstile should only be used on things like Login, email change, "place order", etc.

Managed challenges actually come from the same "challenges" platform, which includes Turnstile; the only difference being that Turnstile is something that you can embed yourself on a webpage, and managed challenge is Cloudflare serving the same "challenge" on an interstitial web page.

Also, Turnstile is definitely not a simple proof of work check, and performs browser fingerprinting and checks for web APIs. You can easily check this by changing your browser's user-agent at the header level and leave it as-is at the header level; this puts Turnstile into an infinite loop.

They usually protect the whole DNS record so it makes sense it would cover robots.txt as well, even if it's a bit silly.
They run their own DNS infra so that when you set the SOA for your zone to their servers they can decide what to resolve to. If you have protection set on a specific record then it resolves to a fleet of nginx servers with a bunch of special sauce that does the reverse proxying that allows for WAF, caching, anti-DDoS, etc. It's entirely feasible for them to exempt specific requests like this one since they aren't "protect[ing] the whole DNS" so much as using it to facilitate control of the entire HTTP request/response.
> What are you protecting cloudflare?

A cheeky response is "their profit margins", but I don't think that quite right considering that their earnings per share is $-0.28.

I've not looked into Cloudflare much, I've never needed their services, so I'm not totally sure on what all their revenue streams are. I have heard that small websites are not paying much if anything at all [1]. With that preface out of the way–I think that we see challenges on sites that perhaps don't need them as a form of advertising, to ensure that their name is ever-present. Maybe they don't need this form of advertising, or maybe they do.

[1] https://www.cloudflare.com/en-gb/plans/

If you log in to the CF dashboard every 3 months or so you will see pretty clearly they are slowly trying to be a cloud provider like Azure or AWS. Every time I log in there is a who new slew of services that have equivalent on the other cloud providers. They are using the CDN portion of the business as a loss leader.
Excuse my ignorance, but what exactly are these stupid checkboxes supposed to accomplish? Surely they do not represent a serious obstacle.
The best part is when you get the "box" on a XHR request. Of course no site handles that properly, and just breaks. Happens regularly on ChatGPT.
I usually notice an increase in those when connecting to sites over vpn and especially tor. could that be it?
Cloudflare is security theatre.

I scrape hundreds of cloudflare protected sites every 15 minutes, without ever having any issues, using a simple headless browser and mobile connection, meanwhile real users get interstitial pages.

It's almost like Cloudflare is deliberately showing the challenge to real users just to show that they exist and are doing "something".

We're on Chrome on Linux, mostly we don't see those.
Just wanted to mention that the time between challenges is set by the site, not CF. Perhaps if you mention it, the site(s) will update the setting?
Same. I'm consistently getting a captcha and some nonsense about a Ray ID multiple times a day.
It's not just Linux, I'm using Chrome on my macOS Catalina MBP and I can't even get past the "Verify you are a human" box. It just shows another captcha, and another, and yet another... No amount of clearing cookies/disabling adblockers/connecting from a different WiFi does it. And that's on most random sites (like ones from HN links), I also don't recall ever doing anything "suspicious" (web scraping etc.) on that device/IP.

Somehow, Safari passes it the first time. WTF?

I use w3m which makes me about as popular as a fart in a spacesuit. No Cloudflare things for me.
I use Librewolf and Zen Browser

If I am met with the dreaded cloudflare "Verify you are a human" box, which is very rare for me, I dont bother and just close the tab.

To have cloudflare work on Librewolf I had to enable web workers.

Why does it need web workers, when it worked fined without them on Waterfox Classic firefox 56 fork that hasn't been updated in water?

How many of you all are running bare metal hooked right up to the internet? Is DDoS or any of that actually a super common problem?

I know it happens, but also I've run plenty of servers hooked directly to the internet (with standard *nix security precautions and hosting provider DDoS protection) and haven't had it actually be an issue.

So why run absolutely everything through Cloudflare?

Most exploits target the software, not the hardware. CF is a good reverse proxy.
They make it easy to delegate a DNS zone to them and use their API to create records (eg: install external-dns on kubernetes and key it create records automatically for ingresses)
It is common once your website hits a certain threshold in popularity.

If you are just a small startup or a blog, you'll probably never see an attack.

Even if you don't host anything offensive you can be targeted by competitors, blackmailed for money, or just randomly selected by a hacker to test the power of their botnet.

Web scraping without any kind of sleeping in between requests (usually firing many threads at once), as well as heavy exploit scanning is a near constant for most websites. With AI technology, it's only getting worse, as vendors attempt to bring in content from all over the web without regard for resource usage. Depending on the industry, DDoS can be very common from competitors that aren't afraid to rent out botnets to boost their business and tear down those they compete against.
It’s free unless you’re rolling in traffic, it’s extremely easy to setup, and CF can handle pretty much all of your infra with tools way better than AWS.

Also you can buy a cheaper ipv6 only VPS and run it thru free CF proxy to allow ipv4 traffic to your site

Easy to set up, easy to screw up user experience. Easy-peasy.
> How many of you all are running bare metal hooked right up to the internet?

I do. Many people I know do. In my risk model, DDoS is something purely theoretical. Yes it can happen, but you have to seriously upset someone for it to maybe happen.

From my experience, if you tick off the wrong person, the threshold for them starting a DDoS is surprisingly low.

A while ago, my company was hiring and conducting interviews, and after one candidate was rejected, one of our sites got hit by a DDoS. I wasn't in the room when people were dealing with it, but in the post-incident review, they said "we're 99% sure we know exactly who this came from".

What the hell is wrong with people? Honestly the lack of substantive human interaction in a lot of folks' lives, except via the Internet, is a real problem.

Take that story for instance. Here's how that goes in the physical world, just to show how unbelievably ridiculous it is.

So you didn't get the job? What's your next step?

I'll stop by their office and keep people from entering the front doors by running around in front of them. That'll show those bastards.

(comment deleted)
Small/medium SaaS. Had ~8 hours of 100k reqs/sec last year when we usually see 100-150 reqs/sec. Moved everything behind a Cloudflare Enterprise setup and ditched AWS Client Access VPN (OpenVPN) for Cloudflare WARP

I've only been here 1.5 years but sounds like we usually see 1 decent sized DDoS a year plus a handful of other "DoS" usually AI crawler extensions or 3rd parties calling too aggressively

There are some extensions/products that create a "personal AI knowledge base" and they'll use the customers login credentials and scrape every link once an hour. Some links are really really resource intensive data or report requests that are very rare in real usage

Did you put rate limiting rules on your webserver?

Why was that not enough to mitigate the DDoS?

Not the same poster, but the first "D" in "DDoS" is why rate-limiting doesn't work - attackers these days usually have a _huge_ (tens of thousands) pool of residential ip4 addresses to work with.
They were talking about logged in accounts, so you would group by accounts for the rate limiting and not by ip addresses.
They were unauthenticated requests making GETs to the login page
Is ten of thousands a big number again?
Depends. Ten thousand what?

I work on a "pretty large" site (was on the alexa top 10k sites, back when that was a thing), and we see about 1500 requests per second. That's well over 10k concurrent users.

Adding 10k requests per second would almost certainly require a human to respond in some fashion.

Each IP making one request per second is low enough that if we banned IPs which exceeded it, we'd be blocking home users who opened a couple of tabs at once. However, since eg universities / hospitals / big corporations typically use a single egress IP for an entire facility, we actually need the thresholds to be more like 100 requests per second to avoid blocking real users.

10k IP addresses making 100 requests per second (1 million req/s) would overwhelm all but the highest-scale systems.

(comment deleted)
That might have been good for preventing someone from spamming your HotScripts guestbook in 2005, but not much else.
We had rate limiting with Istio/Envoy but Envoy was using 4-8x normal memory processing that much traffic and crashing.

The attacker was using residential proxies and making about 8 requests before cycling to a new IP.

Challenges work much better since they use cookies or other metadata to establish a client is trusted then let requests pass. This stops bad clients at the first request but you need something more sophisticated than a webserver with basic rate limiting.

> The attacker was using residential proxies and making about 8 requests before cycling to a new IP.

So how is Cloudflare supposed to distinguish legitimate new visitors from new attack IPs if you can't?

Because it matches my experience as a cloudflare user perfectly if the answer were "they can't"

Captcha/challenges and tracking users/IP rep across the web

They also do IP and request risk scores using massive piles of data they've collected

Yes, [D]DoS is a problem. Its not uncommon for a single person with residential fiber to have more bandwidth than your small site hosted on a 1u box or VPS. Either your bandwidth is rate limited and they can denial of service your site or your bandwidth is greater but they can still cause you to go over your allocation and cause massive charges.

In the past you could ban IPs but that's not very useful anymore.

The distributed attacks tend to be AI companies that assume every site has infinite bandwidth and their crawlers tend to run out of different regions.

Even if you aren't dealing with attacks or outages, Cloudflare's caching features can save you a ton of money.

If you haven't used Cloudflare, most sites only need their free tier offering.

It's hard to say no to a free service that provides feature you need.

Source: I went over a decade hosting a site without a CDN before it became too difficult to deal with. Basically I spent 3 days straight banning ips at the hosting company level, tuning various rate limiting web server modules and even scaling the hardware to double the capacity. None of it could keep the site online 100% of the time. Within 30 mins of trying Cloudflare it was working perfectly.

> It's hard to say no to a free service that provides feature you need.

Very true! Though you still see people who are surprised to learn that CF DDOS protection acts as a MITM proxy and can read your traffic plaintext. This is of course by design, to inspect the traffic. But admittedly, CF is not very clear about this in the Admin Panel or docs.

Places one might expect to learn this, but won't:

- https://developers.cloudflare.com/dns/manage-dns-records/ref...

- https://developers.cloudflare.com/fundamentals/concepts/how-...

- https://imgur.com/a/zGegZ00

How would you do DDoS protection without having something in path?
I hoped it was apparent from my comment that "this is of course by design, to inspect the traffic" meant I understood they are doing it to detect DDoS traffic and separate it from legitimate traffic. But many Cloudflare users are not so technical. I would simply advocate for being more upfront about this behavior.

That said, their Magic Transit and Spectrum offerings (paid) provide L3/L4 DDoS protection without payload inspection.

Honestly, I was confused because both pages you link are full of the word proxy, have links to deeper discussions of what a proxy does (including explicit mentions of decryption/re-encryption), and are literally developer docs. Additionally Cloudflare's blog explaining these things in depth are high in search results, and also make the front page here on the regular.

I incorrectly interpreted your comment as one of the multitude of comments claiming nefarious reasons for proxying without any thought for how an alternative would work.

Magic Transit is interesting - hard to imagine how it would scale down to a small site though, they apparently advertise whole prefixes over BGP, and most sites don't even have a dedicated IP, let alone a whole /24 to throw around.

I understand your sentiment, as I reacted similarly the first time someone brought this to my attention. However, after logging into my Cloudflare account, viewing the DNS record page, and attempting to find any mention of SSL decryption, and then clicking on related docs pages (and links from them!) I was still unable to find this information.

You're right that Cloudflare has written many high-quality blog posts on the workings of the Internet, and the inner workings at Cloudflare. Amusingly, they even at times criticize HTTPS interception (not their use of it) and offer a tool to detect: https://blog.cloudflare.com/monsters-in-the-middleboxes/

I still believe that this information should be displayed to the relevant user configuring the service.

There are many types of proxies, and MITM decryption is not an inherent part of a proxy. The linked page from the Admin Panel is https://developers.cloudflare.com/dns/manage-dns-records/ref... and links to pages like "How Cloudflare works" (https://developers.cloudflare.com/fundamentals/concepts/how-...) which still do not mention HTTPS interception. It sounds like you found a link I didn't. In the past someone argued that I should've looked here: https://developers.cloudflare.com/data-localization/faq/#are...

But if you look closer, those are docs for the Data Localization Suite, an Enterprise-only paid addon.

cloudflare is primarily a caching proxy. in order to perform any caching, they would have to have the unencrypted objects. check, mate.

It is sad that in this day and age, when you buy a car you need to sign a legal exclaimer that you understand it requires gasoline to run.

Cloudflare's CDN capabilities are separate from DDOS protection and indeed many requests cannot be cached due to the resources being sensitive (i.e. authenticated requests.)

Again, there are many forms of proxies and DDOS protection that do not rely on TLS interception, just as there are cars that do not rely on gasoline. Cloudflare has many less technical home users who use their service to avoid sharing their IP online, avoid DDOS, or access home resources. I do not think the average Internet user is familiar with these concepts. There are many examples of surprised users on subreddits like /r/homelab.

how would they know what to cache? the response headers from the server are encrypted. there is maybe the high end l3 protection available if you have the resources. the free tier has caching bundled.

Also, how would their certificates work if they don’t see content?

> how would they know what to cache?

That's a weird question to ask to someone that went out of their way to describe a non-caching situation.

> Also, how would their certificates work if they don’t see content?

Can you be more specific? I'm not sure which feature you're asking about or how it uses certificates.

But the answer is likely "that feature isn't necessary to provide DDOS protection".

Sorry, they did not go much out of their way, to simply claim “solutions exist”. Sure, you could invent other ways of protecting your traffic but what CF offers in the free tier always includes SSL termination with their own certificates (if you enable ssl), and always includes caching.
> invent other ways

Just turning off some features gets them just about there. It wouldn't take rearchitecting things. Those features being bundled by default means very little for the difficulty.

So you too, are saying “its possible” as proof of your argument.

Which itself shifted from complaining that you aren’t warned that coffee is hot, to - after implicitly agreeing that it should be obvious it’s hot - complaining that it they didn’t have to make it as hot.

Great! Offer an alternative! Everyone would be more than happy.

Not that it's "possible", that it requires them to add nothing new.

That is a much much easier to reach bar.

It's like if a restaurant sells cheeseburgers, and I want a hamburger. "How do they figure out ~~what~to~cache~~ the cheese to ketchup ratio without adding cheese?" They can just skip that part. I'm not asking for sushi and supporting that by saying "sushi is possible".

So you agree that your argument has shifted from complaining about inadequate disclosure that coffee contains caffeine, to complaints about lack of decaf offerings.

It would also be trivial for google and facebook to turn off all ads and logging of your activity. They would need to do strictly less than they do now. It would benefit all users too!

In CF case they would have to build a completely different infrastructure to detect bots using different technology to what they have now, including different ways around false positives for legitimate users. While perhaps nothing new in the sense that you claim “this is possible”, i see no one else offering this mythical “possible” product.

I would be the first in line to your offering of free cheeseless hamburgers. Where do i sign up?

> So you agree that your argument has shifted from complaining about inadequate disclosure that coffee contains caffeine, to complaints about lack of decaf offerings.

My argument has never shifted.

But the reason the argument shifted was because someone specifically asked about how you'd do DDoS protection without those downsides.

And you continued asking how it could be done.

> It would also be trivial for google and facebook to turn off all ads and logging of your activity. They would need to do strictly less than they do now. It would benefit all users too!

Isn't cloudflare supposedly not tracking private information in the websites they proxy...? If you think they make money off it, that's pretty bad...

> In CF case they would have to build a completely different infrastructure to detect bots using different technology to what they have now, including different ways around false positives for legitimate users.

I disagree.

> I would be the first in line to your offering of free cheeseless hamburgers. Where do i sign up?

First you need to put me into a situation where my business can compete with cloudflare while doing exactly the same things they do. Then I will be happy to comply with that request.

The hard part of this situation is not the effect of that tiny change on profitability, it's getting into a position where I can make that change.

> Isn't cloudflare supposedly not tracking private information in the websites they proxy...?

They are at the very least tracking the users and using that tracking as part of the heuristics they use in their product.

Whether they sell the data for marketing, i don’t know, hopefully not but conceivably, yes.

To which, > I disagree.

Yes, we’ve established that you disagree and explicitly claim “it’s possible to offer ddos protection without mitm”

and now further that “dropping the extra feature of caching” would not adversely affect their technology or their business”

Great, claims though entirely unsupported and in the latter case obviously false if you know anything about how it works.

In particular, they would need to sponsor the free accounts via much poorer economies of scale due to not being able to cache anything, and would not help at all with a “legitimate ddos” such as being on the front page here

> They are at the very least tracking the users and using that tracking as part of the heuristics they use in their product.

They can do that without seeing the proxied contents. So your analogy to asking facebook or google to stop ads and tracking is completely broken.

> and now further that “dropping the extra feature of caching” would not adversely affect their technology or their business”

Yes. (Well, it was stated much earlier but I guess you didn't notice until now?) You're the one saying it would be a problem, do you have anything to back that up?

> in the latter case obviously false if you know anything about how it works.

Caching costs a bunch of resources and still uses lots of bandwidth, what's so obvious about it? And cloudflare users can already cache-bust at will, so it's not exactly something they're worried about.

https://developers.cloudflare.com/cache/how-to/cache-rules/s...

> would not help at all with a “legitimate ddos” such as being on the front page here

Which is not the scenario people were worrying about.

And an average web server can handle that.

many ways but they are not plug and play so they would lose a few clients... but that is irrelevant as snooping trafic is their real businnes model.
What are those many ways? Help me understand - I've been doing this shit a long time and I can't think of many ways to provide what Cloudflare does in a way that is cheap, easy, and scalable without working at the HTTP layer. So please help me learn something new, what are those ways?
offer a l2 load balancer that act as a queue. if the site decides its a dos/bad request it sends either a dowgraded response the load balancer can read or a side channel comms. then the load balancer drop everything from that ip or other identifiable patterns based only on l2 info.

there are many others. just buy a book for industries that value privacy or pay someone.

> not uncommon for a single person with residential fiber to have more bandwidth than your small site hosted on a 1u box or VPS.

Then self host from your connection at home, don't pay for the VPS :). That's what I've been doing for over a decade now and still never saw a (D)DoS attack

50 mbps has been enough to host various websites, including one site that allows several gigabytes of file upload unauthenticated for most of the time that I self host. Must say that 100 mbps is nicer though, even if not strictly necessary. Well, more is always nicer but returns really diminish after 100 (in 2025, for my use case). Probably it's different if you host videos, a Tor relay, etc. I'm just talking normal websites

> 50 mbps has been enough to host various websites,

Bandwidth hasn't been a limiting factor for years for me.

But generating dynamic pages can bring just enough load for it to get painful. Just this week I had to blacklist Meta's ridiculously overactive bot sending me more requests per second than all my real users do in an hour. Meta and ClaudeBot have been causing intermittent overloads for weeks now.

They now get 403s because I'm done trying to slow them down.

I've been running jakstys.lt (and subdomains like git.jakstys.lt) from my closet, a simple residential connection with a small monthly price for a static IP.

The only time I had a problem was when gitea started caching git bundles of my Linux kernel mirror, which bots kept downloading (things like a full targz of every commit since 2005). Server promptly went out of disk space. I fixed gitea settings to not cache those. That was it.

Not ever ddos. Or I (and uptimerobot) did not notice it. :)

Most (D)DOS attacks are just either UDP floods or SYN floods that iptables will handle without any problem. Sometimes what people think are DDOS is just their application DDOSing themself because they are doing recursive calls to some back-end micro-service.

If it was actually a traffic based DDOS someone still needs to pay for that bandwidth which would be too expansive for most companies anyway - even if it kept your site running.

But you can sell a lot of services to incompetent people.

You need an answer to someone buying $10 of booter time and sending a volumetric attack your way. If any of the traffic is even reaching your server, you've already lost, so iptables isn't going to help you because your link is saturated.

Cloudflare offers protection for free.

What's the iptables invocation that will let my 10Gbps connection drop a a 100Gbps syn flood while also serving good traffic?
The point with a syn flood is to try to saturate the OS limit for open sockets. From an attackers perspective the whole point of a syn flood is to do a DOS without needing much bandwidth.

My experience form 15 years working in the hosting industry is that volumetric attacks are extremely rare but customers that turn to Cloudflare as a solution are more often than not DDOS-ing them self because of bad configured systems, but their junior developers lack any networking troubleshooting skills.

DDoS is a problem, but for most ordinary problems it's not as bad as people make it out to be. Even something very simple like fail2ban will go a long way.
I run a Mediawiki instance for an online community on a fairly cheap box (not a ton of traffic) but had a few instances of AI bots like Amazon's crawling a lot of expensive API pages thousands of times an hour (despite robots.txt preventing those). Turned on Cloudflare's bot blocking and 50% of total traffic instantly went away. Even now, blocked bot requests make up 25% of total requests to the site. Without blocking I would have needed to upgrade quite a bit or play a tiring game of whack a mole blocking any new IP ranges for the dozens of bots.
How do you feel, knowing that some portion of the 25% “detected bot traffic” are actually people in this comment thread?
AI bots are a huge issue for a lot of sites. Just putting intentional DDoS attacks aside, AI scrapers can frequently tip over a site because many of them don't know how to back off. Google is an exception really, their experience with creating GoogleBot as ensured that they are never a problem.

Many of the AI scrapers don't identify themselves, they live on AWS, Azure, Alibaba Cloud, and Tencent Cloud, so you can't really block them and rate limiting also have limited effect as they just jump to new IPs. As a site owner, you can't really contact AWS and ask them to terminate their customers service in order for you to recover.

You don't need buttflare's mistery juice to rate-limit or block bad users.
The biggest problems I see with DDoS is metered traffic and availability. The largest Cloud providers all meter their traffic.

The availability part on the other hand is maybe something that's not so business critical for many but for targeted long-term attacks it probably is.

So I think for some websites, especially smaller ones it's totally feasible to not use Cloudflare but involves planning the hosting really carefully.

I also rely on hosting provider DDoS protection and don't use very intrusive protection like Cloudflare.

Only issues I had to deal with are when someone finds some slow endpoint, and manages to overload the server with it, and my go to approach is to optimize it to max <10-20ms response time, while blocking the source of traffic if it keeps being too annoying after optimization.

And this happened like 2-3 times over 20 years of hosting the eshop.

Much better than exposing users to CF or likes of it.

I've been hosting web sites on my own bare metal in colo for more than 25 years. In all that time I've dealt with one DDoS that was big enough to bring everything down, and that was because of a specific person being pissed at another specific person. The attacker did jail time for DDoS activities.

Every other attempt at DDoS has been ineffective, has been form abuse and credential stuffing, has been generally amateurish enough to not take anything down.

I host (web, email, shells) lots of people including kids (young adults) who're learning about the Internet, about security, et cetera, who do dumb things like talk shit on irc. You'd think I'd've had more DDoS attacks than that rather famous one.

So when people assert with confidence that the Internet would fall over if companies like Cloudflare weren't there to "protect" them, I have to wonder how Cloudflare marketed so well that these people believe this BS with no experience. Sure, it could be something else, like someone running Wordpress with a default admin URL left open who makes a huge deal about how they're getting "hacked", but that wouldn't explain all the Cloudflare apologists.

Cloudflare wants to be a monopoly. They've shown they have no care in the world for marginalized people, whether they're people who don't live in a western country or people who simply prefer to not run mainstream OSes and browsers. They protect scammers because they make money from scammers. So why would people want to use them? That's a very good question.

I'm sorry but lumping in people who prefer to use a weird browser with "marginalised people" does not help your credibility.
What bit do you mean specifically? As a fellow web hoster, who also hosted kids before (from a game making forum), I can fully corroborate what they're saying
Clearly you didn't even read his post (or mine) if you're asking. I'm obviously referring to

> Cloudflare wants to be a monopoly. They've shown they have no care in the world for marginalized people, whether they're people who don't live in a western country or people who simply prefer to not run mainstream OSes and browsers.

You're focusing on the wrong kind of pedantry.

"Marginalized" has a specific connotation, sure, but people can be marginalized for reasons other than, or in addition to, those that fit the connotation.

Same basic experience. The colo ISP soaks up most actual DDoS. We had a couple mid-sized ones when we were hosting irc.binrev.net from salty b& users. No real effect other than the colo did let us know it was happening and that it was "not a significant amount of DDoS by our standards."
I would feel pretty safe running my own hand-written services against the raw Internet, but if I was to host Wordpress or other large/complicated/legacy codebases I'd start to get worried. Also the CDN aspect is useful - having lived in Australia you like connections that don't have to traverse continents for every request.
Check your logs, you might be surprised.
Other comments say that DDoS are common, not my experience though. I run a couple of API/SAAS sites and DDoSes are rare. Sites are in Canada and Brazil if that matters, although I won't disclose what data-centers. Most strange thing is that no one demanded any ransom during those DDoS attacks ever. Just some flooding for 1-2 days. Most of the times I did't even care - servers are on 10G ports and I pay 95% percentile for the traffic with a cap on final bill. Sites are geo-fenced by nftables rules, only countries of interest are allowed.
I run my "server" [1] straight to my home internet, and maybe I should count my blessings but I haven't had any issues with DDoS in the years I've done this.

I have relatively fast internet, so maybe it's fast enough to absorb a lot of the problems, but I've had good enough luck with some basic Nginx settings and fail2ban.

[1] a small little mini gaming PC running NixOS.

A lot of people are failing to conceive the danger that poses to the open web the fact that a lot of traffic runs through/to a few bunch of providers (namely, CloudFlare, AWS, Azure, Google Cloud, and "smaller" ones like Fastly or Akamai) who can take this kind of measures without (many) website owners knowing or giving a crap about.

Google itself tried to push crap like Web Environment Integrity (WEI) so websites could verify "authentic" browsers. We got them to stop it (for now) but there was already code in the Chromium sources. What makes CloudFlare MITMing and blocking/punishing genuine users from visiting websites?

Why are we trusting CloudFlare to be a "good citizen" and not block unfairly/annoy certain people for whatever reason? Or even worse, serve modified content instead of what the actual origin is serving? I mean in the cases where CloudFlare re-encrypts the data, instead of only being a DNS provider. How can we trust that not third party has infiltrated their systems and compromised them? Except "just trust me bro", of course

I don't think people aren't aware that it's bad. They just don't care enough. And they think "I could keep all this money safely in my mattress or I could put it into one of those three big banks!" ... Or something like that.
I can easily conceive the danger. But I can directly observe the danger that's causing traffic to be so centralized - if you don't have one of those providers on your side, any adversary with a couple hundred dollars to burn can take down your website on demand. That seems like a bigger practical problem for the open web, and I don't know what the alternative solution would be. How can I know, without incurring any nontrivial computation cost, that a weird-looking request coming from a weird browser I don't recognize is not a botnet trying to DDOS me?
how do you know a normal-looking request coming from google chrome is not a botnet trying to ddos you?
You deploy complex proprietary heuristics to identify whether incoming requests look more like an attack or more like something a user would legitimately send. If you find a new heuristic and try to deploy it, you'll immediately notice if it throws a bunch of false positives for Chrome, but you might not notice so quickly for Pale Moon or other non-mainstream browsers.

(And if I were doing this on my own, rather than trusting Cloudflare to do it, I would almost surely decide that I don't care enough about Pale Moon users to fix an otherwise good rule that's blocking them as a side effect.)

Exactly. If you're going to bemoan centralization, which is fine, you also need to address the reason why we're going in that direction. And that's probably going to involve rethinking the naive foundational aspects of the internet.
> Or even worse, serve modified content instead of what the actual origin is serving?

I witnessed this! Last time I checked, in the default config, the connection between cloudflare and the origin server does not do strict TLS cert validation. Which for an active-MITM attacker is as good as no TLS cert validation at all.

A few years ago an Indian ISP decided that https://overthewire.org should be banned for hosting "hacking" content (iirc). For many Indian users, the page showed a "content blocked" page. But the error page had a padlock icon in the URL bar and a valid TLS cert - said ISP was injecting it between Cloudflare and the origin server using a self-signed cert, and Cloudflare was re-encrypting it with a legit cert. In this case it was very conspicuous, but if the tampering was less obvious there'd be no way for an end-user to detect the MITM.

I don't have any evidence on-hand, but iirc there were people reporting this issue on Twitter - somewhere between 2019 and 2021, maybe.

Cloudflare recently started detecting whether strict TLS cert validation works with the origin server, and if it does, it enables strict validation automatically.
Maybe it's the customers I deal with, or my own ignorance, but what alternatives are there to a service like Cloudflare? It is very easy to setup, and my clients don't want to pay a lot of money for hosting. With Cloudflare, I can turn on DDoS and bot protection to prevent heavy resource usage, as well as turn on caching to keep resource usage down. I built a plugin for the CMS I use (Umbraco - runs on .NET) to clear the cache for specific pages, or all pages (such as when a change is made to a global element like the header). I am able to run a website on Azure with less than the minimum recommended memory and CPU for Umbraco, due to lots of performance analyzing and enhancements over the years, but also because I have Cloudflare in front of the website.

If there were an alternative that would provide the same benefits at roughly the same cost, I would definitely be willing to take a look, even if it meant I needed to spend some time learning a different way to configure the service from the way I configure Cloudflare.

(comment deleted)
What's the cost of annoying people trying to browse to your sites, some to the point where they'll just not bother?
This is rather blunt, but if it is between 98% (CF-protected) versus near-0% (heavily-DDoSed site), then you hopefully you now see the dilemma that other people faced.
There's absolutely no data to back up the suggestion that sites regularly suffer from DDoS.

It's like talking about getting murdered - it happens, and there are statistics, but if you're literally expecting everyone to change their whole lives based on the fact that some people are murdered, with zero consideration for the where, why and how, you're doing it wrong.

> There's absolutely no data to back up the suggestion that sites regularly suffer from DDoS.

For a random site from the internet, sure, because a random blog is probably too small to be noticed.

Forums, even relatively niche ones, unfortunately do suffer DDoS from their disgruntled users. (Or competitors of the same fandom. Or from the disgruntled part of a rivaling fandom.)

> It's like talking about getting murdered - it happens, and there are statistics, but if you're literally expecting everyone to change their whole lives based on the fact that some people are murdered, with zero consideration for the where, why and how, you're doing it wrong.

All analogies fail somewhere, but this is probably one of those which easily falls apart. Injuries are probably better. In a random population, there are a relatively small proportion of injuries, but some jobs (like construction) tend to have a significantly higher number of injuries compared to a mean person, in the same manner that a DDoS on a random website is unlikely but certain types of websites are DDoS magnets.

For companies that are just built around a marketing funnel to provide enough info to get you to fill out their contact form to sell you something, my guess is that Cloudflare is well worth the cost over increased hosting fees. I know it's not the answer anyone wants to hear, but I don't deal with too many companies selling anything more than around 5 or 6 figures, with products that you don't necessarily need very often.

I would like to know if there are alternatives somewhere close to the same cost, where I don't need to use Cloudflare. I don't enjoy annoying customers, or even dealing with sales and marketing, but I have built lots of software where I get to control the technology, and can get a new website up and running in 3 hours, with a ton of built-in functionality. I've spent about 12 years reducing the amount of memory the Umbraco CMS uses, compared to normal installs, and I love that aspect of my career. If I could get my clients to pay more and not use Cloudflare, I would happily go that route, believe me!

Of course we're trusting CloudFlare to be a good citizen. If they were not, they would be banned - unless they sold their business to a sovereign wealth fund.
I don't get if this is sarcasm (perhaps a reference to TikTok?), but in my case (european) it's a foreign third-party for me
Most of the sites mentioned in the forum work for me with PaleMoon.

I do get a "your browser is unsupported" message from the forums.

Since 2024 to now I've had to constantly verify that I'm human just to visit certain sites due to Cloudflare. Now it's even worse since (sometimes) cdnjs.cloudflare.com loads infinitely unless I turn on my VPN. Infuriating that I have to use a service known for potential spam, to get another service that blocks spam to bloody work.
Chromium on linux is also frequently blocked by cloudflare. I can't use tools such as HIBP.
Same here. I just gave up on most of these websites. When I absolutely need to use a website such as for flights, I have a clean chrome browser I spin up.
Yeah and Firefox on Linux too. I do have the user agent set to one from Edge because otherwise Microsoft blocks many features in Office 365. Once it thinks it's Edge it suddenly does work just fine. But it doesn't completely fix all the cloudflare blocks and captchas.
+1 for Firefox on Linux. Several other services (like Instagram) now also accuse me of being a bot every time I legitimately log in with Firefox on Linux.
Yeah with Instagram I wouldn't be surprised if they just do this to annoy to into using their app. Where they can force timed ads (you have to watch an ad now for a few seconds before it continues).

I noticed another platform (wallapop, a kind of ebay/craigslist here in Spain) that does the same. It never works well in a browser, even in chrome. I think they're just trying to bully their users to their app, which has 30+ trackers in it.

Things like "using Linux" or "having an adblocker at all" get you sent to captcha hell. Anything where you're in the minority of traffic. It's not going to change; why would it?
I have multiple blockers (Ublock Origin, Privacy Badger, Facebook Container) in Firefox and have not experienced this issue.
For what it's worth, this has been my experience as well. I've seen maybe a handful of full-page Cloudflare walls over the past year, and none have gotten me stuck in any kind of loop
I have been using Fedora + Firefox for years. I sometimes get a captcha from Cloudflare, but not frequently. Works just fine.

I have not tried less mainstream browsers, just FF and Chrome.

Things are going to chance. Unfortunately, things are only getting worse.

CAPTCHAs are barely sufficient against bots these days. I expect the first sites to start implementing Apple/Cloudflare's remote attestation as a CAPTCHA replacement any day now, and after that it's going to get harder and harder to use the web without Official(tm) Software(tm).

Using Linux isn't what's getting you blocked. I use Linux, and I'm not getting blocked. These blocks are the results of a whole range of data points, including things like IP addresses.

For me, captcha hell is very random, and when it happens, it's things like "pick all squares with stairs" where I have to decide if that little corner of a stairway counts (and it never seems to) or "pick all squares with motorcycles" where the camera seemed to have a vision problem.

What usually works for me is to close the browser, reload, and try again.

I'm still in the habit of granting Cloudflare a presumption of good faith. Developers frequently make assumptions about things like browsers that can cause problems like this. Something somewhere gets over-optimized, or someone somewhere does some 80/20 calculation, or something gets copy-pasted or (these days) produced by an LLM. There are plenty of reasons why this might be entirely unintentional, or that the severity of the impacts of a change were underestimated.

I agree that this exposes the risk of relying overmuch on handful of large, opaque, unaccountable companies. And as long as Cloudflare's customers are web operators (rather than users), there isn't a lot of incentive for them to be concerned about the user if their customers aren't.

One idea might be to approach web site operators who use Cloudflare and whose sites trigger these captchas more than you'd like. Explain the situation to the web site operator. If the web site operator cares enough about you, they might complain to Cloudflare. And if not, well, you have your answer.

How many times do they have to do the same thing before we modify our presumtion?
I just went to a site that I think uses cloudflare via seamonkey. I was able to get to the site. This is on OpenBSD.

But if someone has a site that is failing, feel free to post it and I will give it a try.

I tested palemoon on Win with one of my Cloudflare sites and didn't see any problem either.

It's probably dependent on the security settings the site owner has choosen. I'm guessing bot fight mode might cause the issue.

Cloudflare is slowly but surely turning the web into a walled garden.
Pretty soon the internet will just be a vestigial thing that people use to connect to the cloudflare.
Slowly? Have you not watched the pot boil around you for the past decade? There are zero good search engines. Everything returns propaganda.

This is all as it was intended.

> There are zero good search engines. Everything returns propaganda.

Kagi exists and has been production quality and better than Google for over two years already. (At this point I think it is even better than old google.)

since the invention of llms it's not that much of a deal that search engines are useless
On one hand, this is a scummy move from CloudFlare. All this has ever done is make browsers spoof their UAs. Mozilla/4.0 anyone?

On the other, Pale Moon is an ancient (pre-quantum) volunteer-supported fork of Firefox, with boatloads of known and unfixed security bugs - some fixes might be getting merged from upstream, but for real, the codebases diverged almost a decade ago. You might as well be using IE 11.

I'm not sure why people are mad at Cloudflare. They are not obligated to support browsers outside the general marketshare nor should you expect to.

Cloudflare not supporting Pale Moon has no impact on the rest of us. Matter of fact today is the first time I'm hearing of this browser I will never end up using.

This is not about supporting or not, this is outright blocking/gatekeeping; you can just let pass, but they chose to block. It's completely different from e.g. no longer releasing builds for PPC Macs.
> known and unfixed security bugs

Which are..?

at this point, im honestly surprised that all non-mainstream browsers dont emulate the same user-agent and ssl fingerprint order of a mainstream browser - or add a flag to change behavior per "tab" (or if cli per some call or other scope) - coupled with a javascript-operating-system which also aligns with those
In concept that's a good idea, but the fingerprinting potential is VAST: user-agent, TLS, JavaScript quirks, CSS, Canvas, proprietary features like Chrome's Topics, maybe WebGL, WebUSB, etc. In practice it's very hard to do.
This echoes the user agent checking that was prevalent in past times. Websites would limit features and sometimes refuse to render for the "wrong" browser, even if that browser had the ability to display the website just fine. So browsers started pretending to be other browsers in their user agents. Case in point - my Chrome browser, running on an M3 mac, has the following user agent:

"'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36'"

That means my browser is pretending to be Firefox AND Safari on an Intel chip.

I don't know what features Cloudflare uses to determine what browser you're on, or if perhaps it's sophisticated enough to get past the user agent spoofing, but it's all rather funny and reminiscent just the same.

> if perhaps it's sophisticated enough to get past the user agent spoofing

As a part of some browser fingerprinting I have access to at work, there's both commercial and free solutions to determine the actual browser being used.

It's quite easy even if you're just going off of the browser-exposed properties. You just check the values against a prepopulated table. You can see some of such values here: https://amiunique.org/fingerprint

Edit: To follow up, one of the leading fingerprinting libraries just ignores useragent and uses functionality testing as well: https://github.com/fingerprintjs/fingerprintjs/blob/master/s...

As a counterpoint, I asked Claude to write a script to fetch Claude usage and expose it as a Prometheus metric. As no public API exists, Claude suggested I grab the request from the Network tab. I copied it as cURL, and attempted to run it, and was denied with a 403 from CF.

I forgot the script open, polling for about 20 minutes, and suddenly it started working.

So even sending all the same headers as Firefox, but with cURL, CF seemed to detect automated access, and then eventually allowed it through anyway after it saw I was only polling once a minute. I found this rather impressive. Are they using subtle timings? Does cURL have an easy-to-spot fingerprint outside of its headers?

Reminded me of this attack, where they can detect when a script is running under "curl | sh" and serve alternate code versus when it is read in the browser: https://news.ycombinator.com/item?id=17636032

> Does cURL have an easy-to-spot fingerprint outside of its headers?

If it's a https URL: Yes, the TLS handshake. There are curl builds[1] which try (and succeed) to imitate the TLS handshake (and settings for HTTP/2) of a normal browser, though.

[1] https://github.com/lwthiker/curl-impersonate

it's possible there was an attack that stopped which led to more lenient antibot
They are pretending to be an ancient Mozilla version from the time after Netscape but before Firefox, KHTML (which was forked to webkit), Firefox (Gecko engine), Chrome and Safari. The only piece of browser history it's missing is somehow pretending to be IE.
> The only piece of browser history it's missing is somehow pretending to be IE.

They're kinda covered because IE also sent Mozilla/5.0 (or 4.0, 2.0, [..]).

Amusingly, I also just realized that even the operating system is spoofed here! I'm on macOS 14, yet the user agent claims "Mac OS X" 10.15. It's a pretty funny situation, and clearly for the sole benefit of very old websites and libraries performing dubious checks.
I don't know if they still do it, but the Apple Silicon Macs also lied about their architecture and said they're Intel. Truth is not the guiding principle of the User-Agent (or all the JS navigator properties, or anything else easy to use to check this kind of thing).
I'm still using Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 on my desktop.

The internet is so much better like this! There is a 2010 lightweight mobile version of Google, and m.youtube with obviously cleaner and better UI and not a single ad (apparently it's not worth to show you ads if you still appear to be using iphone 6)

I tried this just for fun and youtube said to update my browser :(
When you click OK it lets you in regardless ;)
This is iOS 6 and not iPhone 6, btw.
Whoa, really. So it is even back to 3GS/4 days then.
> (apparently it's not worth to show you ads if you still appear to be using iphone 6)

Why not adwall the user instead, showing only ads until they upgrade the device or buy premium?

Slack was doing this with their huddle feature for the longest time (still were last I checked). Drives me crazy.
Doesn't drive me crazy - gives me a "Get Out of Huddles Free" card.
> I don't know what features Cloudflare uses to determine what browser you're on, or if perhaps it's sophisticated enough to get past the user agent spoofing, but it's all rather funny and reminiscent just the same.

Yes, it is, both your TLS and TCP stacks are unique enough that such spoofing can be detected. But there are a lot of other things that can be fingerprinted as well.

> That means my browser is pretending to be Firefox AND Safari on an Intel chip.

That's not the case, that ua is Chrome on MacOS. The rest is backward compatibility garbage

This is the user agent on Chrome, but the reason for all the references to other browsers (and an old OS and architecture), the backward compatibility garbage, is to pretend to be those browsers for the sake of old websites that are doing string matching on the user agents.
is spoofing not a simple solution to this?
Unfortunately not. Cloudflare verification goes deeper into browser 'mechanics' than that. Not to mention it could flag you as malicious if you dare attempt bypassing it.
Do these browsers employ any additional tracking protections? "Browser integrity checks" are browser-specific and they might rely on the "entropy" those tracking vectors provide.
So this would only be "bad" move by cloudflare if you could get around it by recompiling the browser with spoofed UA/strings. Otherwise they'd have to support every possible engine which is infeasible. That saying, the "open web" is indeed dead.
> Otherwise they'd have to support every possible engine which is infeasible.

If I understand correctly, this is why I've said on previous Cloudflare threads that they've managed to design a game they can never win. They project a certain omniscience, but then all this sh*t happens. We need to persuade them to stop playing.

Cloudflare is actually pretty upfront about which browsers they support. You can find the whole list right in their developer docs. This isn't some secret they're trying to hide from website owners or users - it's right here https://developers.cloudflare.com/waf/reference/cloudflare-c... - My guess is that there is no response because not one of the browsers you listed is supported.

Think about it this way: when a framework (many modern websites) or CAPTCHA/Challenge doesn't support an older or less common browser, it's not because someone's sitting there trying to keep people out. It's more likely they are trying to balance the maintenance costs and the hassle involved in allowing or working with whatever other many platforms there are (browsers in this case). At what point is a browser relevant? 1 user? 2 users? 100? Can you blame a company that accommodates for probably >99% of the traffic they usually see? I don't think so, but that's just me.

At the end, site owners can always look at their specific situation and decide how they want to handle it - stick with the default security settings or open things up through firewall rules. It's really up to them to figure out what works best for their users.

Not exactly. They say:

"Challenges are not supported by Microsoft Internet Explorer."

Nowhere is it mentioned that internet access will be denied to visitors not using "major" browsers, as defined by Cloudflare presumably. That wouldn't sound too legal, honestly.

Below that: "Visitors must enable JavaScript and cookies on their browser to be able to pass any type of challenge."

These conditions are met.

> * If your visitors are using an up-to-date version of a major browser * > * they will receive the challenge correctly. *

I'm unsure what part of this isn't clear, major browsers, as long as they are up to date, are supported and should always pass challenges. Palemoon isn't a major browser, neither are the other browsers mentioned on the thread.

> * Nowhere is it mentioned that internet access will be denied to visitors not using "major" browsers *

Challenge pages is what your browser is struggling to pass, you aren't seeing a block page or a straight up denying of the connection, instead, the challenge isn't passing because whatever update CF has done, has clearly broken the compatibility with Palemoon, I seriously doubt this was on purpose. Regarding those annoying challenge pages, these aren't meant to be used 24/7 as they are genuinely annoying, if you are seeing challenge pages more often than you are on chrome, its likely that the site owner is actively is flagging your session to be challenged, they can undo this by adjusting their firewall rules.

If a site owner decides to enable challenge pages for every visitor, you should shift the blame on the site owners lack of interest in properly tunning their firewall.

So.. no new browsers should ever be created? Or only created by people with enough money to get CloudFlare onboard from the start? Nothing new will ever become major if they're denied access to half the web.
You can create a new browser, there are plenty of modern new browsers that aren't considered major and work just fine because they run on top of recent releases of chromium.

There are actually hundreds of smaller chromium forks that add small features, such as built-in adblock and have no issues with neither Cloudflare nor other captchas.

I think it's pretty clear this is about browser engines. If your view holds then Servo (currently #3 story in front page) will never make it.
Fair enough, but... if Cloudflare's challenge bugs out who is going to fix it? Aren't they responsible for their own critical tools?

Because in the end, the result is connection denial. I don't want to connect to Cloudflare, I want to connect to the website.

I read that part. They still do not indicate what may happen, or what is their responsibility -if any- for visitors with non-major browsers.

Not claiming this is "on purpose" or a conspiracy, but if these legitimate protests keep getting ignored then yes, it becomes discrimination. If they can't be bothered, they should clearly state that their tool is only compatible with X browsers. Who is to blame for "an incorrectly received challenge"? The website? The user who chooses a secure, but "wrong" browser not on their whitelist?

Cloudflare is there for security, not "major browser approval pass". They have the resources to increase response times, provide better support and deal with these incompatibility issues. But do they want to? Until now, they did.

I think the issue is that Cloudflare tends to be a toggle-and-forget, it's very easy to use and it works for most people.

The problem with this setup, is that it sacrifices on both security (because it needs to keep false positives at a minimum, even if that means allowing some known bots) and user experience (because situations like the one you have will occur from time to time). When you enable a challenge page on CF, it will work as-is and you have no ruling over it, the most you can do is skip the page for the browsers having false positives.

If CF gave site owners a clearer view of what they are blocking and let them choose which rules to enforce (within the challenge page), it would be much easier to simply say that the customer running CF doesn't want you visiting their page/doesn't care about few false positives.

They do not support major browsers. They support "major browsers in default configuration without any extensions" (which is of course ridiculous proposition), forcing people to either abandon any privacy/security preserving measures they use, or to abandon the websites covered by CF.

I use uptodate Firefox, and was blocked from using company gitlab for months on end simply because I disabled some useless new web API in about:config way before CF started silently requiring it without any feature testing or meningful error message for the user. Just a redirect loop. Gitlab support forum was completely useless for this, just blaming the user.

So we dropped gitlab at the company and went with basic git over https hosting + cgit, rather than pay some company that will happily block us via some user hostile intermediary without any resolution. I figured out what was "wrong" (lack of feature testing for web API features CF uses, and lack of meaningful error message feedback to the user) after the move.

Although I sometimes have problems with Cloudflare, it does not seem to affect GitHub nor Gitlab for me, although they have other problems, which I have been able to work around.

Some things that I had found helpful when working with Gitlab is to add ".patch" on the end of commit URLs, and changing "blob" to "raw" in file URLs. (This works on GitHub as well.) It is also possible to use API, and sometimes the data can be found within the HTML the server sends to you without needing any additional requests (this seems to work on GitHub more reliably than on Gitlab though).

You could also clone the repository into your own computer in order to see the files (and then use the git command line to send any changes you make to the server), but that does not include issue tracker etc, and you might not want all of the files anyways, if the repository has a lot of files.

I think they protect only the login page.
So you're saying that which browsers are supported on the Internet should be determined by a single, for-profit company? That's a very interesting and shorthsighted take.

I love how so many of these apologists talk about stuff like "maintenance costs", as though it's impossible to write code that's clean and works consistently across platforms / browsers. "Oh, no! Who'll think of the profits?!?"

If you had any technical knowledge, you'd know that "maintenance costs" are only a thing when you code shittily or intentionally target specific cases. A well written, cross-browser, cross-platform CAPTCHA shouldn't have so many browser specific edge cases that it needs constant "maintenance".

In other words, imagine you're arguing that a web page with a picture doesn't load on a browser because nobody bothered to test with that browser. Now imagine you're making the case for that browser being so obscure that nobody would expend the time and money. Instead, why aren't you pondering why any web site with a picture wouldn't be general enough to just work? What does that say about your agenda, and about the fact that you want to make excuses for this huge, striving-to-be-a-monopoly, for-profit company?

I think it's pretty clear you have never worked on fraud protections or bot detections, otherwise you'd understand the struggles of supporting many environments with a single solution, you already have an opinion on this and by the way your messages are typed, it doesn't seem like any rational will change your ideas.

This is the internet and everybody is a field expert the moment they want to win an argument, best of luck with that.

Indeed. Software can be written like math. 1 + 1 = 2, holds true for now and for all time, past and present.
Forgot to clarify: this is not about an increased amount of captchas, or an annoyance issue.

The Cloudflare tool does not complete its verifications, resulting in an endless "Verifying..." loop and thus none of the websites in question can be accessed. All you get to see is Cloudflare.

I ran into exactly this the other day trying to browse a website from a browser app on an android-powered TV. Just couldn't get to the website.
I was on Brave in iOS. I had to turn off Brave Shield.
Companies like Google and Cloudflare make great tools. They give them away for free. They have different reasons for this, but these tools provide a lot of value to a lot of people. I’m sure that in the abstract their devs mean well and take pride in making the internet more robust, as they should.

Is it worth giving the internet to them? Is something so fundamentally wrong with the architecture of the internet that we need megacorps to patch the holes?

Whether something is "wrong" is often more a matter of opinion than a matter of fact for something as large and complex as the internet. The root of problems like this on the internet is connections don't have an innate user identity associated at the lower layers. By the time you get to an identity for a user session you've already driven past many attack points. There isn't really a "happy" way to remove that from the equation, at least for most people.
Cloudflare's proxy model solved immediate security and reliability problems but created a lasting tension between service stability and user choice. Like old telecom networks that restricted equipment, Cloudflare's approach favors their paying customers' needs over end-user freedom, particularly in browser choice. While this ensures predictable revenue and service quality, it echoes historical patterns where infrastructure standardization both enables and constrains.
Welcome to the modern world. Any deviation from the average will get you flagged as a suspicious deviant. It's not just browsers. It's everything.