
1343 points Hold-And-Modify | 7 comments

Hello.

Cloudflare's Browser Integrity Check/Verification/Challenge feature, used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

User reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

1. jeroenhd No.42956104
I just downloaded Pale Moon to check and it seems the CAPTCHA straight up crashes. Once it crashes, reloading the page no longer shows the CAPTCHA so it did pass something at least. I tried another Cloudflare Turnstile but the entire browser crashed on a segfault, and ever since the CAPTCHAs don't seem to come up again.

ChatGPT.com is normally quite useful for generating Cloudflare prompts, but that page doesn't seem to work in Pale Moon regardless of prompts. What version browser engine does it use these days? Is it still based on Firefox?

For reference I grabbed the latest main branch of Ladybird and ran that, but Cloudflare isn't showing me any prompts for that either.

replies(4): >>42956203 #>>42959178 #>>42959627 #>>42961908 #
2. Hold-And-Modify No.42956203
This crash is an even newer Cloudflare issue (as of yesterday, I believe). It is not related to the one discussed here, and will be solved in the next browser update:

https://forum.palemoon.org/viewtopic.php?f=3&t=32064

3. willywanker No.42959178
It uses a hard fork of Firefox's Gecko engine called Goanna, and is independently developed other than a few security patches from upstream. It has considerably diverged from contemporary Firefox so is not comparable.
replies(1): >>42964144 #
4. YoshiRulz No.42959627
I believe the problem in Ladybird's case is missing JS APIs https://github.com/LadybirdBrowser/ladybird/issues/226
5. dvtkrlbs No.42961908
Kinda funny and ironic thing is their forum just doesn't allow me to see the contents of their website from my Hetzner box that I use as an exit node. More ironically, if this site was using Cloudflare I could at least solve a challenge and browse the forum instead of getting hit with a giant 403.
6. ec109685 No.42964144
Seems seriously risky to be running a browser without access to mainstream security patches.

Perhaps it’s secure enough for now due to its obscurity.

replies(1): >>42970307 #
7. mimasama No.42970307{3}
> without access to mainstream security patches

They do have access to them. The lead developer and project owner has sec bug access in Bugzilla.

But vulnerabilities in newer Mozilla have over time become less and less relevant in Pale Moon's codebase, which led to the latter dropping the tracking of how many Mozilla security patches have been applied in the release notes (starting with 33.0.1).