←back to thread

Tell HN: Cloudflare is blocking Pale Moon and other non-mainstream browsers

1343 points Hold-And-Modify | 3 comments | 05 Feb 25 19:08 UTC | HN request time: 0s | source

Hello.

Cloudflare's Browser Intergrity Check/Verification/Challenge feature used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

Users reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

Show context
ai-christianson ◴[05 Feb 25 20:07 UTC] No.42954365[source]
How many of you all are running bare metal hooked right up to the internet? Is DDoS or any of that actually a super common problem?

I know it happens, but also I've run plenty of servers hooked directly to the internet (with standard *nix security precautions and hosting provider DDoS protection) and haven't had it actually be an issue.

So why run absolutely everything through Cloudflare?

replies(20): >>42954540 #>>42954566 #>>42954576 #>>42954719 #>>42954753 #>>42954770 #>>42954846 #>>42954917 #>>42954977 #>>42955107 #>>42955135 #>>42955479 #>>42956166 #>>42956201 #>>42956652 #>>42957837 #>>42958038 #>>42958248 #>>42963387 #>>42964892 #
Puts ◴[05 Feb 25 21:07 UTC] No.42955135[source]
Most (D)DOS attacks are just either UDP floods or SYN floods that iptables will handle without any problem. Sometimes what people think are DDOS is just their application DDOSing themself because they are doing recursive calls to some back-end micro-service.

If it was actually a traffic based DDOS someone still needs to pay for that bandwidth which would be too expansive for most companies anyway - even if it kept your site running.

But you can sell a lot of services to incompetent people.

replies(2): >>42955503 #>>42956007 #
1. sophacles ◴[05 Feb 25 22:10 UTC] No.42956007[source]
What's the iptables invocation that will let my 10Gbps connection drop a a 100Gbps syn flood while also serving good traffic?
replies(2): >>42958858 #>>42964522 #
2. truetraveller ◴[06 Feb 25 03:50 UTC] No.42958858[source]
xdp
3. Puts ◴[06 Feb 25 17:29 UTC] No.42964522[source]
The point with a syn flood is to try to saturate the OS limit for open sockets. From an attackers perspective the whole point of a syn flood is to do a DOS without needing much bandwidth.

My experience form 15 years working in the hosting industry is that volumetric attacks are extremely rare but customers that turn to Cloudflare as a solution are more often than not DDOS-ing them self because of bad configured systems, but their junior developers lack any networking troubleshooting skills.