1343 points by Hold-And-Modify | 22 comments

Hello.

Cloudflare's Browser Integrity Check/Verification/Challenge feature, used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

User reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

1. tibbar ◴[] No.42955200[source]
This echoes the user agent checking that was prevalent in past times. Websites would limit features and sometimes refuse to render for the "wrong" browser, even if that browser had the ability to display the website just fine. So browsers started pretending to be other browsers in their user agents. Case in point - my Chrome browser, running on an M3 mac, has the following user agent:

"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"

That means my browser is pretending to be Firefox AND Safari on an Intel chip.

I don't know what features Cloudflare uses to determine what browser you're on, or if perhaps it's sophisticated enough to get past the user agent spoofing, but it's all rather funny and reminiscent just the same.

replies(7): >>42955304 #>>42955320 #>>42956442 #>>42959877 #>>42961242 #>>42963248 #>>42965661 #
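As an added example (not code from the thread, from Chrome, or from Cloudflare), here is a small Python tokenizer that resolves a UA string the way a server-side check would, separating the tokens that actually identify the client from the ones that are only there so that old "string contains X" checks keep passing. It runs on the two UA strings quoted in this thread plus a constructed Firefox one; the precedence rules, the `FIREFOX_LINUX` string and the OS patterns are assumptions made for the example.

```python
import re

# Added example, not code from the thread: tokenize a User-Agent string and
# separate the tokens that identify the client from the ones kept only for
# compatibility ("Mozilla/5.0", "(KHTML, like Gecko)", "Safari/537.36" on Chrome).

# A comment is parenthesised and may contain spaces or slashes, so it is
# matched first and consumed whole; a product token is "Name/Version".
_TOKEN = re.compile(r"\(([^)]*)\)|([A-Za-z][\w.-]*)/([\w.]+)")

# The two UA strings quoted in the thread, plus a constructed Firefox one.
CHROME_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36")
IPHONE_IOS6 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 "
               "(KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25")
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"  # constructed


def tokenize(ua):
    """Split a UA string into ([(name, version), ...], [comment, ...])."""
    products, comments = [], []
    for m in _TOKEN.finditer(ua):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments


def resolve_os(comments):
    """The first comment names the platform. iPhone is checked before
    Mac OS X because the iPhone UA also says 'like Mac OS X'."""
    text = comments[0] if comments else ""
    for pattern, label in (
        (r"iPhone OS (\d+(?:_\d+)*)", "iOS {}"),
        (r"Mac OS X (\d+(?:_\d+)*)", "macOS {}"),
        (r"Windows NT ([\d.]+)", "Windows NT {}"),
    ):
        m = re.search(pattern, text)
        if m:
            return label.format(m.group(1).replace("_", "."))
    for word in ("Android", "Linux"):
        if word in text:
            return word
    return "unknown"


def resolve(ua):
    """Decide which browser a UA actually names. The most specific product
    token wins; every other product token is compatibility baggage."""
    products, comments = tokenize(ua)
    versions = dict(products)
    if "Firefox" in versions:
        browser, engine, key = "Firefox", "Gecko", "Firefox"
    elif "Edg" in versions:
        browser, engine, key = "Edge", "Blink", "Edg"
    elif "Chrome" in versions or "CriOS" in versions:
        browser, engine = "Chrome", "Blink"
        key = "Chrome" if "Chrome" in versions else "CriOS"
    elif "Safari" in versions and "Version" in versions:
        # Safari's real version is the Version/ token; Safari/NNNN is the WebKit build.
        browser, engine, key = "Safari", "WebKit", "Version"
    elif any("Trident" in c or "MSIE" in c for c in comments):
        browser, engine, key = "Internet Explorer", "Trident", None
    else:
        browser, engine, key = (products[0][0] if products else "unknown"), "unknown", None
    engine_token = {"Gecko": "Gecko", "WebKit": "AppleWebKit"}.get(engine)
    identifying = {key, engine_token, "Mobile"}
    compat = [f"{n}/{v}" for n, v in products if n not in identifying]
    compat += [f"({c})" for c in comments[1:]]  # comments[0] is the platform comment
    return {
        "browser": browser,
        "version": versions.get(key, "unknown") if key else "unknown",
        "engine": engine,
        "os": resolve_os(comments),
        "mobile": re.search(r"\bMobile\b", ua) is not None,
        "compat": compat,
    }


if __name__ == "__main__":
    for ua in (CHROME_MAC, IPHONE_IOS6, FIREFOX_LINUX):
        print(resolve(ua))
```

Run on the Chrome UA quoted above, `resolve` reports Chrome 132 on macOS 10.15.7 and lists `Mozilla/5.0`, `AppleWebKit/537.36`, `Safari/537.36` and `(KHTML, like Gecko)` as compatibility tokens; the "like Gecko" phrase never counts as the Gecko engine because it sits inside a comment, not in a product token.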
2. ZeWaka ◴[] No.42955304[source]
> if perhaps it's sophisticated enough to get past the user agent spoofing

As a part of some browser fingerprinting I have access to at work, there's both commercial and free solutions to determine the actual browser being used.

It's quite easy even if you're just going off of the browser-exposed properties. You just check the values against a prepopulated table. You can see some such values here: https://amiunique.org/fingerprint

Edit: To follow up, one of the leading fingerprinting libraries just ignores useragent and uses functionality testing as well: https://github.com/fingerprintjs/fingerprintjs/blob/master/s...

3. johnmaguire ◴[] No.42955320[source]
As a counterpoint, I asked Claude to write a script to fetch Claude usage and expose it as a Prometheus metric. As no public API exists, Claude suggested I grab the request from the Network tab. I copied it as cURL, and attempted to run it, and was denied with a 403 from CF.

I left the script open, polling for about 20 minutes, and suddenly it started working.

So even sending all the same headers as Firefox, but with cURL, CF seemed to detect automated access, and then eventually allowed it through anyway after it saw I was only polling once a minute. I found this rather impressive. Are they using subtle timings? Does cURL have an easy-to-spot fingerprint outside of its headers?

Reminded me of this attack, where they can detect when a script is running under "curl | sh" and serve alternate code versus when it is read in the browser: https://news.ycombinator.com/item?id=17636032

replies(2): >>42955749 #>>42961243 #
4. schroeding ◴[] No.42955749[source]
> Does cURL have an easy-to-spot fingerprint outside of its headers?

If it's a https URL: Yes, the TLS handshake. There are curl builds[1] which try (and succeed) to imitate the TLS handshake (and settings for HTTP/2) of a normal browser, though.

[1] https://github.com/lwthiker/curl-impersonate

replies(1): >>42956762 #
5. wongarsu ◴[] No.42956442[source]
They are pretending to be an ancient Mozilla version from the time after Netscape but before Firefox, KHTML (which was forked to webkit), Firefox (Gecko engine), Chrome and Safari. The only piece of browser history it's missing is somehow pretending to be IE.
replies(2): >>42957582 #>>42959047 #
6. bennyg ◴[] No.42956762{3}[source]
To echo further, they may be leaning on something like the [ja4 fingerprint](https://www.google.com/url?sa=t&source=web&rct=j&opi=8997844...) (which you'd need to rebuild curl to emulate that chromium version to try and trick).
replies(1): >>42959483 #
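To make schroeding's point about the TLS handshake (and bennyg's mention of JA4) concrete, the following added Python example, which is not code from the thread, from curl-impersonate or from Cloudflare, builds two constructed TLS ClientHello records, parses them back, and computes JA3, the older sibling of JA4, from the fields a server sees before any HTTP header arrives. The two clients, their cipher lists, extension choices and the hostname `example.test` are all constructed for the example; JA4 uses different fields and sorting, but rests on the same observation that the handshake identifies the TLS stack, not the User-Agent.

```python
import hashlib
import struct

# Added example, not from the thread: build a ClientHello, parse it back, and
# derive the JA3 fingerprint from it. Two clients sending the same UA header
# still produce different JA3 values if their TLS stacks differ.

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are random per connection and
# are stripped before hashing so the fingerprint stays stable.
GREASE = {((i << 4) | 0xA) * 0x101 for i in range(16)}
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0, 10, 11


def u16(v):
    return struct.pack(">H", v)


def u16_list(values):
    return b"".join(u16(v) for v in values)


def sni(hostname):
    """server_name extension body: one host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + u16(len(name)) + name
    return u16(len(entry)) + entry


def build_client_hello(version, ciphers, extensions):
    """Wrap a ClientHello body in handshake and record headers (RFC 5246/8446 layout)."""
    body = u16(version) + b"\x11" * 32                      # client_version + fixed random (constructed)
    body += b"\x00"                                          # empty session_id
    body += u16(2 * len(ciphers)) + u16_list(ciphers)
    body += b"\x01\x00"                                      # one compression method: null
    ext_blob = b"".join(u16(t) + u16(len(d)) + d for t, d in extensions)
    body += u16(len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type = client_hello
    return b"\x16\x03\x01" + u16(len(handshake)) + handshake    # record type = handshake


def parse_client_hello(record):
    """Return (version, ciphers, [(ext_type, ext_data), ...]) from a raw record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                             # skip random
    pos += 1 + body[pos]                                     # session_id
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = list(struct.unpack(f">{n // 2}H", body[pos:pos + n]))
    pos += n
    pos += 1 + body[pos]                                     # compression methods
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end, extensions = pos + ext_len, []
    while pos < end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        extensions.append((etype, body[pos:pos + elen]))
        pos += elen
    return version, ciphers, extensions


def _dash(values):
    return "-".join(str(v) for v in values)


def ja3_string(version, ciphers, extensions):
    """JA3 = 'version,ciphers,extensions,groups,point_formats' in decimal, GREASE removed."""
    groups, formats = [], []
    for etype, data in extensions:
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack(">H", data[:2])[0]
            groups = [g for g in struct.unpack(f">{n // 2}H", data[2:2 + n]) if g not in GREASE]
        elif etype == EXT_EC_POINT_FORMATS:
            formats = list(data[1:1 + data[0]])
    return ",".join([
        str(version),
        _dash(c for c in ciphers if c not in GREASE),
        _dash(t for t, _ in extensions if t not in GREASE),
        _dash(groups),
        _dash(formats),
    ])


def ja3_hash(record):
    return hashlib.md5(ja3_string(*parse_client_hello(record)).encode()).hexdigest()


# Constructed: a browser-like hello (GREASE, several extensions) and a minimal tool-like one.
BROWSER_HELLO = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B], [
    (EXT_SERVER_NAME, sni("example.test")),
    (0x1A1A, b""),                                           # GREASE extension
    (EXT_SUPPORTED_GROUPS, u16(6) + u16_list([0x001D, 0x0017, 0x0018])),
    (EXT_EC_POINT_FORMATS, b"\x01\x00"),
    (23, b""),                                               # extended_master_secret
])
TOOL_HELLO = build_client_hello(0x0303, [0x1301, 0xC02B], [
    (EXT_SERVER_NAME, sni("example.test")),
    (EXT_SUPPORTED_GROUPS, u16(2) + u16_list([0x001D])),
])

if __name__ == "__main__":
    for label, hello in (("browser", BROWSER_HELLO), ("tool", TOOL_HELLO)):
        print(label, ja3_string(*parse_client_hello(hello)), ja3_hash(hello))
```

The browser-like hello reduces to `771,4865-4866-49195,0-10-11-23,29-23-24,0` (the GREASE cipher and extension are gone) and the tool-like one to `771,4865-49195,0-10,29,`; the MD5 of each string is the JA3 hash that a server can compare against the hashes it expects for the browser family a client claims in its UA. That comparison is why a copied-as-cURL request with perfect headers still stands out, and why curl-impersonate has to reproduce the handshake itself rather than just the headers.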
7. mh- ◴[] No.42957582[source]
> The only piece of browser history it's missing is somehow pretending to be IE.

They're kinda covered because IE also sent Mozilla/5.0 (or 4.0, 2.0, [..]).

8. tibbar ◴[] No.42959047[source]
Amusingly, I also just realized that even the operating system is spoofed here! I'm on macOS 14, yet the user agent claims "Mac OS X" 10.15. It's a pretty funny situation, and clearly for the sole benefit of very old websites and libraries performing dubious checks.
replies(1): >>42959773 #
9. ghxst ◴[] No.42959483{4}[source]
Curl-impersonate does this https://github.com/lwthiker/curl-impersonate
10. zerocrates ◴[] No.42959773{3}[source]
I don't know if they still do it, but the Apple Silicon Macs also lied about their architecture and said they're Intel. Truth is not the guiding principle of the User-Agent (or all the JS navigator properties, or anything else easy to use to check this kind of thing).
11. gloosx ◴[] No.42959877[source]
I'm still using Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 on my desktop.

The internet is so much better like this! There is a 2010 lightweight mobile version of Google, and m.youtube with an obviously cleaner and better UI and not a single ad (apparently it's not worth showing you ads if you still appear to be using an iPhone 6).

replies(3): >>42966197 #>>42967040 #>>42974990 #
12. christophilus ◴[] No.42961242[source]
Slack was doing this with their huddle feature for the longest time (still were last I checked). Drives me crazy.
replies(1): >>42967409 #
13. areyourllySorry ◴[] No.42961243[source]
It's possible there was an attack that stopped, which led to more lenient anti-bot behaviour.
14. Avamander ◴[] No.42963248[source]
> I don't know what features Cloudflare uses to determine what browser you're on, or if perhaps it's sophisticated enough to get past the user agent spoofing, but it's all rather funny and reminiscent just the same.

Yes, it is, both your TLS and TCP stacks are unique enough that such spoofing can be detected. But there are a lot of other things that can be fingerprinted as well.

15. createaccount99 ◴[] No.42965661[source]
> That means my browser is pretending to be Firefox AND Safari on an Intel chip.

That's not the case, that UA is Chrome on macOS. The rest is backward compatibility garbage.

replies(1): >>42987826 #
16. leafmeal ◴[] No.42966197[source]
I tried this just for fun and youtube said to update my browser :(
replies(1): >>42969697 #
17. hexagonwin ◴[] No.42967040[source]
This is iOS 6 and not iPhone 6, btw.
replies(1): >>42969719 #
18. 6031769 ◴[] No.42967409[source]
Doesn't drive me crazy - gives me a "Get Out of Huddles Free" card.
19. gloosx ◴[] No.42969697{3}[source]
When you click OK it lets you in regardless ;)
20. gloosx ◴[] No.42969719{3}[source]
Whoa, really. So it is even back to 3GS/4 days then.
21. anticensor ◴[] No.42974990[source]
> (apparently it's not worth showing you ads if you still appear to be using an iPhone 6)

Why not adwall the user instead, showing only ads until they upgrade the device or buy premium?

22. tibbar ◴[] No.42987826[source]
This is the user agent on Chrome, but the reason for all the references to other browsers (and an old OS and architecture), the backward compatibility garbage, is to pretend to be those browsers for the sake of old websites that are doing string matching on the user agents.