1343 points Hold-And-Modify | 4 comments

Hello.

Cloudflare's Browser Integrity Check/Verification/Challenge feature, used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

User reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

windsignaling ◴[] No.42955454[source]
As a website owner and VPN user I see both sides of this.

On one hand, I get the annoying "Verify" box every time I use ChatGPT (and now due to its popularity, DeepSeek as well).

On the other hand, without Cloudflare I'd be seeing thousands of junk requests and hacking attempts every day, people attempting credit card fraud, etc.

I honestly don't know what the solution is.

kobalsky ◴[] No.42957016[source]
> people attempting credit card fraud

this is wrong.

if someone can use your site they can use stolen cards, and bots doing this will not be stopped by them.

cloudflare only raises the cost of doing it, it may make scraping a million product pages unprofitable but that doesn't apply to cc fraud yet.

1. bragr ◴[] No.42957739[source]
> that doesn't apply to cc fraud yet

It stops "card testing" where someone has bought or stolen a large number of cards and needs to verify which are still good. The usual technique is to cycle through all the cards on a smaller site selling something cheap (a $3 ebook for example). The problem is that the high volume of fraud in a short time span will often get the merchant account or payment gateway account shut down, cutting off legitimate sales.

As a consumer, you should also be suspicious of a mysterious low value charge on your card because it could be the prelude to much larger charges.

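A merchant-side velocity check for the card-testing pattern described in the comment above, as an added example that is not part of the thread: it flags a burst of many distinct cards on low-value charges with a high decline rate. The record layout, thresholds, merchant names and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records: (unix_ts, merchant_id, card_token, amount, approved).
# Tokens stand in for card numbers; none of this is real data.
SAMPLE = [
    (1000, "ebooks", "tok_01", 3.00, True),    # ordinary, widely spaced sales
    (1900, "ebooks", "tok_02", 3.00, True),
    (2800, "ebooks", "tok_03", 3.00, False),
    (5000, "shoes", "tok_20", 4.50, False),    # one customer retrying one card
    (5005, "shoes", "tok_20", 4.50, False),
    (5015, "shoes", "tok_20", 4.50, True),
]
# Burst on the cheap item: 7 different cards in 60 seconds, 5 of them declined.
SAMPLE += [(5000 + 10 * i, "ebooks", f"tok_{10 + i}", 3.00, i in (2, 6))
           for i in range(7)]


def detect_card_testing(txns, window_s=300, min_cards=5,
                        max_amount=5.00, min_decline_ratio=0.5):
    """Return one alert per burst: (merchant, ts, distinct_cards, decline_ratio)."""
    windows = defaultdict(deque)   # merchant -> recent low-value attempts
    alerting = set()               # merchants currently inside a flagged burst
    alerts = []
    for ts, merchant, card, amount, approved in sorted(txns):
        if amount > max_amount:
            continue               # only low-value charges are considered
        win = windows[merchant]
        win.append((ts, card, approved))
        while win[0][0] <= ts - window_s:
            win.popleft()          # drop attempts older than the window
        cards = {c for _, c, _ in win}
        ratio = sum(1 for _, _, ok in win if not ok) / len(win)
        if len(cards) >= min_cards and ratio >= min_decline_ratio:
            if merchant not in alerting:   # alert once, not per transaction
                alerting.add(merchant)
                alerts.append((merchant, ts, len(cards), round(ratio, 2)))
        else:
            alerting.discard(merchant)
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE):
        print("possible card testing:", alert)
```

Counting distinct cards rather than raw attempts keeps a single customer retrying a declined card from triggering the alert.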
2. Aachen ◴[] No.42959369[source]
Someone who steals money from thousands of individuals for a living won't hesitate to use a botnet either. Cloudflare isn't a payment provider (*shudders* yet), they can't verify transactions, they can only guess at who's "honest". I'm at the losing end of this guess so often as someone who frequently visits friends and family in the neighbouring country they come from, and someone who doesn't have tracking cookies anymore that were set only a few minutes ago, who uses a "non-standard" browser (Mozilla's Firefox), I don't feel like Cloudflare does a very good job at detecting when I'm trying to honestly use the site. At the same time, doing security testing as my job: the customer having Cloudflare enabled usually doesn't matter for us being able to reach and exploit vulnerable pages, it just decides to block you randomly the same way that it does in private time when I'm not trying to break anything. It doesn't properly do the job and it blocks legitimate people based on a gut feeling, and you have no recourse, you can suck it up. Whatcha gonna do, take Cloudflare to court for blocking your access to your bank? Under what law is that illegal? There is nothing you can do; your bank's customer support isn't going to disable Cloudflare for you.

Anyway, no, this guessing game isn't the solution to stolen bank details, the solution is for the payment provider to authenticate the account holder beyond merely entering a public number, especially if they suddenly see a flood of transactions from this one merchant as you describe. They can decide to ask for a second factor: send the person an SMS/email, ask to generate an authenticator code, whatever it is they've got on file beyond your card/account number. Anything else is just guesswork.

3. lmz ◴[] No.42959614[source]
It depends what they're selling. If they're selling something people want - the only answer is enforcing things like 3DS. If they are e.g. a charity receiving donations via card - they may still use it for card testing. Making card testing unprofitable is the point.
4. doctor_radium ◴[] No.42970748[source]
> Whatcha gonna do, take Cloudflare to court for blocking your access to your bank? Under what law is that illegal?

In the USA, I think it would be worth trying to sue Cloudflare for either "free speech" or "public nuisance" violations. Gonna reach out to the ACLU and EFF in the coming days.