1343 points Hold-And-Modify | 131 comments

Hello.

Cloudflare's Browser Integrity Check/Verification/Challenge feature, used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

User reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

1. nikkwong ◴[] No.42959315[source]
Yesterday I was attempting to buy a product on a small retailer's website—as soon as I hit the "add to cart" button I got a message from Cloudflare: "Sorry, you have been blocked". My only recourse was to message the owner of the domain asking them to unblock me. Of course, I didn't, and decided to buy the product elsewhere. I wasn't doing anything suspicious.. using Arc on a M1 MBP; normal browsing habits.

Not sure if this problem is common, but I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures. I would hope the cost to retailers is trivial in this case, I guess the upside of blocking automated traffic can be quite great.

Just checked again and I'm still blocked on the website. Hopefully this kind of thing gets sorted out.

replies(13): >>42959473 #>>42959512 #>>42960071 #>>42960395 #>>42960397 #>>42961792 #>>42961906 #>>42964337 #>>42964617 #>>42965068 #>>42965688 #>>42965889 #>>42970070 #
2. ghxst ◴[] No.42959473[source]
Try clearing your cookies and disabling all extensions, if that still results in a block you can try a mobile hotspot. You're either failing some server side check (IP, TCP fingerprint, JA3 etc.) or a client side check of your browser integrity (generally this is tampered with by privacy focused extensions, anti-fingerprint settings etc.). It's not a "fix" but can at least give you an indication of why it is happening.
replies(3): >>42959789 #>>42959948 #>>42960346 #
3. kcrwfrd_ ◴[] No.42959512[source]
Were you on a VPN?
replies(2): >>42959541 #>>42959944 #
4. nikkwong ◴[] No.42959541[source]
Nope, no VPN, making it all the stranger.
5. underdeserver ◴[] No.42959789[source]
That's quite a lot to ask. Not OP, but I'm not doing all that just because someone else misconfigured their anti-DDoS, unless I really need to.
replies(1): >>42960127 #
6. whilenot-dev ◴[] No.42959944[source]
Some vendors are just weird... I'm always getting blocked by Etsy with Firefox after the first navigation on their site. It shows me a puzzle to solve and then, after solving the puzzle correctly (read "Success"), redirects me to "You have been blocked". It works with Chrome-based browsers though, but that doesn't make me want to use the website at all.

No VPN, just good privacy settings in my case.

replies(3): >>42960184 #>>42960194 #>>42966387 #
7. RestartKernel ◴[] No.42959948[source]
I believe their point was that they have no desire to fix the issue if they can just look elsewhere, making it detrimental to the vendor more so than the end-user.
replies(1): >>42960163 #
8. taurknaut ◴[] No.42960071[source]
> using Arc on a M1 MBP; normal browsing habits.

Well I've certainly never heard of this browser before and it still seems pretty young. I'd guess it's the same issue.

replies(4): >>42960105 #>>42960119 #>>42960456 #>>42961276 #
9. yurishimo ◴[] No.42960105[source]
Arc is almost 3 (4?) years old and was the darling child of dev influencers for the better part of 2 years. It's not a niche browser, especially amongst devs that are likely to work at Cloudflare.
replies(2): >>42960283 #>>42965256 #
10. Elfener ◴[] No.42960119[source]
I think it's also EOL/not getting updates now?

I mean I never used it, their only selling point seems to have been hype.

replies(1): >>42960404 #
11. ghxst ◴[] No.42960127{3}[source]
My intention was to explain how to identify what could be causing the issue, not to give any indication that I think this is acceptable. Unfortunately like you point out, sometimes you _really_ do have to deal with a website behind an over sensitive WAF, in which case the steps I provided can be helpful.
replies(1): >>42960318 #
12. ghxst ◴[] No.42960163{3}[source]
That's totally understandable and I don't blame them. However since they did state they hoped it would be resolved I thought they (or anyone in a similar situation) might at least want to know how to diagnose any potential cause that you have some control over.
13. ghxst ◴[] No.42960184{3}[source]
Do you have the "resist fingerprinting" setting enabled in Firefox? (You can check in about:config)
replies(1): >>42960230 #
14. Symbiote ◴[] No.42960194{3}[source]
While looking at a flight price on sas.dk I had to disable Firefox's built-in enhanced tracking protection.

It seems excessive to not allow at least a single query in this situation.

I had the same with a newspaper which I subscribe to. They shouldn't be tracking me, and don't show adverts to subscribers. In this case I wrote to their support person, who told me not to block the tracking.

15. whilenot-dev ◴[] No.42960230{4}[source]
"privacy.resistFingerprinting" is "true", yes, and it'll stay that way. Why let me solve a puzzle just to block me afterwards anyway?
replies(4): >>42960368 #>>42963023 #>>42964290 #>>42965454 #
16. littlestymaar ◴[] No.42960283{3}[source]
It's definitely a niche browser. I think I heard of it once on HN over the past few years, and I'd be surprised if there was actually more than a few thousand people using it.
replies(2): >>42960423 #>>42960454 #
17. Moru ◴[] No.42960318{4}[source]
My problem is that I help a lot of people set up their computers because they want to get rid of ads and tracking. They don't know how to fix this. Or more likely don't even realise there is a problem and will just close it down and continue with their day. So I guess it's not my problem but it is someone's problem.
18. erinaceousjones ◴[] No.42960346[source]
I think it's unfair this comment has been flagged or downvoted or whatever. It's pragmatic information!

The mobile hotspot thing... I have to do that to do anything involving Okta.

For some frustrating reason my IPv4 address, which I pay extra to my ISP to have, has been blocklisted by Okta. A login flow failure in one of the apps work uses triggered my address getting banned indefinitely is my best guess. My work's Okta admins don't really understand how to unblock me on their Okta tenancy, and Okta support just directs me back to my local admins (even though it's any okta-using org I'm banned from logging into).

I get that misuse/abuse detection has to do its thing but it's so frustrating when there's basically zero way of a legitimate user from an IP of undoing a ban. My only recourse is to do all my using of okta from another IP.... If I was a legit spammer I wouldn't think twice about switching to another IP from my big pool, probably.

replies(1): >>42960548 #
19. Lanolderen ◴[] No.42960368{5}[source]
To let you know who wears the pants in the relationship :)
20. Xelbair ◴[] No.42960395[source]
To access any site protected by Cloudflare captcha I have to change browsers from Firefox to Chrome, and I have basically default suite of addons (uBlock is the only one affecting the pages themselves).

VPN doesn't matter, I probably share IP with someone "flagged" via ISP.

Every site, that is except their Cloudflare dashboard.

replies(2): >>42961212 #>>42961502 #
21. jen729w ◴[] No.42960397[source]
Vendors who block iCloud Relay are the worst. I'm sure they don't even know they're doing it. But some significant percentage of Apple users -- and you'd have to think it's only gonna grow -- comes from those IP address ranges.

Bad business, guys. You gotta find another way. Blocking IP addresses is o-ver.

replies(6): >>42960506 #>>42962582 #>>42962962 #>>42963465 #>>42963466 #>>42963720 #
22. lijok ◴[] No.42960404{3}[source]
Definitely not EOL; https://resources.arc.net/hc/en-us/articles/20498293324823-A...
replies(1): >>42961407 #
23. InsideOutSanta ◴[] No.42960423{4}[source]
Its subreddit has 52k members. There are probably hundreds of thousands of users. Still a niche browser, but it's pretty commonly used on Macs.
replies(1): >>42970428 #
24. oneeyedpigeon ◴[] No.42960454{4}[source]
I would be surprised if it were that low; the arcbrowser sub Reddit has 50 thousand members. Still, regardless of the actual figure, I think there's a broader point which avoids the need to agree on an absolute threshold: should cloudflare block access to websites using a blacklist or should it grant access using a whitelist? Especially since it's trivial to spoof your user agent.
replies(1): >>42960962 #
25. chrisandchris ◴[] No.42960456[source]
I'm still not sure how some random browser should result in a block by the provider. I don't think there's any security risk for the provider of the site by using an outdated browser. Blocking malicious IPs yes/maybe, blocking suspicious activity maybe. But because you have browser X - please not.

This is going to lead to a two-class internet where new technologies will not emerge and big players will win because the gate the high is so absurdly high and random that people stop to invent.

replies(1): >>42961108 #
26. cprecioso ◴[] No.42960506[source]
This would be weird, esp. given that Cloudflare is one of the vendors who act as exit nodes for iCloud Relay.
replies(2): >>42960816 #>>42962833 #
27. ghxst ◴[] No.42960548{3}[source]
Thank you, I'm a bit surprised people took issue with my comment but I suppose I could have worded it better.

As for your case, I wonder if Okta is relying on an external service like IPQS to get a score, that could explain why they don't really have any control over it.

replies(1): >>43025574 #
28. latexr ◴[] No.42960816{3}[source]
I believe your parent comment means when the target website blocks, not Cloudflare.

YouTube is a perfect example. Using iCloud Private Relay can now frequently label you as a bot, which stops you from watching videos until you login.

replies(2): >>42961119 #>>42961696 #
29. littlestymaar ◴[] No.42960962{5}[source]
I'm not defending Cloudflare in any way, blocking niche browsers is sad. I'm just saying that it doesn't make sense to say it's not a niche browser.
replies(1): >>42961218 #
30. taurknaut ◴[] No.42961108{3}[source]
I presume this was not intentional.
replies(1): >>42963008 #
31. lloeki ◴[] No.42961119{4}[source]
Happened to me.

Interestingly enough I checked on another non-Private Relay device (it worked), disabled Private Relay, refreshed the page, which still blocked me, and it resulted in the ban instantly extending to my other non-Private Relay devices.

I presume some fingerprinting/evercookie was in place which led to a flagging/ban extension to my home IP.

32. benhurmarcel ◴[] No.42961212[source]
I have come across several websites on which Cloudflare blocks my devices, whatever I use. No Captcha, just blocked. I tried a stock iPhone (Safari, no blockers, no VPN, no iCloud relay, both on wifi or 4G), and a Windows PC with Firefox, Chrome, or Edge, no luck. That includes a website of a local business so that can't be the country either.

I have no idea why.

33. oneeyedpigeon ◴[] No.42961218{6}[source]
That's fair. I'm sure it's not as well-used/known as Chrome, Firefox, Edge, or Safari. Probably not even Opera, although I'd be interested to see their respective "new users" numbers. I think it's in the same ballpark as Brave — definitely known, just not one of the big 5.
34. tyzoid ◴[] No.42961276[source]
It's a chromium derivative.
35. swiftcoder ◴[] No.42961407{4}[source]
I assume they are talking about the company moving on to develop a new browser: https://www.theverge.com/2024/10/24/24279020/browser-company...
36. KomoD ◴[] No.42961502[source]
Maybe you have anti-fingerprinting protection on? I've heard it can cause issues.
replies(1): >>42971553 #
37. tessela ◴[] No.42961696{4}[source]
It happens to me a lot, I just created a small automation to use https://cobalt.tools to download the content. Their loss, not mine.
replies(3): >>42961813 #>>42962483 #>>42963798 #
38. raxxorraxor ◴[] No.42961792[source]
I think this is on Cloudflare. Perhaps there is a demand for such a service, but it is another to implement it. And this is very bad for a free and therefore safe net.

I don't even know which attack vectors an integrity check for a browser could help against. Against infected clients? It is in any way evidently not effective.

replies(1): >>42962264 #
39. egberts1 ◴[] No.42961813{5}[source]
Nice tool.
40. wvh ◴[] No.42962264[source]
There is some political-philosophical irony that the Chinese prefer their government to do the blocking and take away their freedom, while the US prefers their monopolistic capitalistic corporate world to do it. A rose by any other name. Choose your friends carefully.
replies(1): >>42963941 #
41. latexr ◴[] No.42962483{5}[source]
I do something similar. Over 90% of my YouTube consumption is with Alfred workflows which use mpv and yt-dlp under the hood. I just press a keyboard shortcut and the frontmost tab closes in the browser and starts playing in mpv.

The remaining percentage is still annoying, as it happens from the phone.

42. rthomas6 ◴[] No.42962582[source]
Wait, this comment made me aware of the existence of iCloud Relay. Apple built their own Tor only for Apple users? Why would they do that? Why not use Tor???
replies(3): >>42962630 #>>42962848 #>>42963304 #
43. guipsp ◴[] No.42962630{3}[source]
Because it is 1. Not Tor and 2. Fast
44. jrootabega ◴[] No.42962833{3}[source]
I don't think that's weird. That's what I would want from an honest vendor who is involved in both services - block anonymization/obfuscation users if I'm paying you to block them. Apple/Cloudflare don't sell/support iCloud Relay as a service that is guaranteed to get you treated nicely by the parties on the other end, so they're not being deceptive with that part either.

What I'd worry about is Cloudflare using their knowledge of their VPN clients to allow services behind their attack protection to treat those clients better, because maybe they're leaking client info to the protected services.

Not that I think Cloudflare/Apple/etc. are supremely noble/honest/moral, or that it's good that semi-anonymous connections are treated so badly by default; this juxtaposition just doesn't seem like a problem to me.

EDIT: OK, I back off of this position somewhat. Apple's marketing of iCloud Relay might allow users to believe it's more prestigious and reputable than a VPN/Tor. They do have fine print explaining that you might be treated badly by the remote services, but it's, you know, fine print, and Apple knows that they have a reputation for class and legitimacy.

replies(1): >>42965773 #
45. dewey ◴[] No.42962848{3}[source]
You can use iCloud Relay without even noticing that you are using it, this is not true with Tor as you'll spend most of your time waiting for reconnecting circuits.
replies(1): >>42967543 #
46. oremolten ◴[] No.42962962[source]
Well, it's primarily because the security vendors for say WAFs and other tools list these IPs in the "Anonymizers" or "VPN" category and most typically these are blocked as seldom do you see legitimate traffic originating to your store front or accounts pages from these. Another vendor we use lists these under "hacking tools". So your option as a security professional is to express to your risk management team we allow "hacking tools" or lose iCloud Relay customers. Which way do you think they steer? In alternative cases a site may use a vendor for their cart/checkout page and don't even have control over these blocks as they are also blocking "hacking tools" or "anonymizers" from hitting their checkout pages.
replies(3): >>42962999 #>>42963660 #>>42964139 #
47. oremolten ◴[] No.42962999{3}[source]
Wait till you see how M365 does management around iCloud relay makes it real fun troubleshooting suspicious login parameters...
48. anonym29 ◴[] No.42963008{4}[source]
One cannot assume a problem is minor, rare, unimportant, or easy to fix purely on the basis of it being unintentional.

Consider automobile accidents.

49. brudgers ◴[] No.42963023{5}[source]
I use multiple profiles with Firefox to sandbox cookies etc. My profiles are based on activity. HN, Facebook, and infrequently used sites…sometimes I use Linkedin but I don't want it following me around the web.

I would prefer the web was different, but it is not.

50. echoangle ◴[] No.42963304{3}[source]
It’s more like a VPN instead of Tor
replies(1): >>42963411 #
51. hedora ◴[] No.42963411{4}[source]
Actually, it’s closer to Tor, but hardcoded to two hops, and hop 1 and 2 are always different (audited) organizations.

I wish they’d just used Tor though.

replies(2): >>42963517 #>>42966211 #
52. hedora ◴[] No.42963465[source]
I’ve noticed wifi at coffee shops, etc have started blocking it too.

I need to disable it for one of my internal networks (because I have DNS overrides that go to 192.168.0.x), or I’d wish they’d just make it mandatory for iPhones and put an end to such shenanigans.

Apple could make it a bit more configurable for power users, and then flip the “always on” nuclear option switch.

Either that, or they could add a “workaround oppressive regimes” toggle that’d probably be disabled in China, but hey, I’m in the US, so whatever.

Edit: I also agree that blocking / geolocating IP addresses is a big anti-pattern these days. Many ISPs use CGNAT. For instance, all starlink traffic from the south half of the west coast appears to come from LA.

As a result, some apps have started hell-banning my phone every time I drive to work because they see me teleport hundreds of miles in 10 minutes every morning. (And both of my two IPs probably have 100’s of concurrent users at any given time. I’m sure some of them are doing something naughty).
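The failure mode described in the comment above, as an added example that is not part of the thread: an "impossible travel" check over constructed login events, run once trusting every geolocated IP and once skipping IPs in known shared egress ranges. The speed ceiling, the prefix list, the coordinates and the account names are all assumptions made for the illustration.

```python
import ipaddress
import math

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling (about airliner cruise speed)

# Assumption: the operator keeps a list of egress prefixes known to be shared
# (CGNAT pools, relay exits). The prefix below is a documentation range.
SHARED_EGRESS_NETS = [ipaddress.ip_network("203.0.113.0/24")]

SLO = (35.28, -120.66)     # San Luis Obispo, CA
LA = (34.05, -118.24)      # Los Angeles, CA
LONDON = (51.51, -0.13)

# Constructed login events: (account, minute, source_ip, geolocated (lat, lon)).
SAMPLE_EVENTS = [
    ("commuter", 0, "198.51.100.20", SLO),    # home ISP, geolocated correctly
    ("commuter", 10, "203.0.113.55", LA),     # CGNAT egress: geo is the gateway's
    ("commuter", 500, "198.51.100.20", SLO),  # back on the home ISP
    ("traveler", 0, "198.51.100.20", SLO),
    ("traveler", 30, "192.0.2.9", LONDON),    # not a shared egress range
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def is_shared_egress(ip):
    """True if the address falls in one of the known shared egress prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_EGRESS_NETS)


def flagged_accounts(events, ignore_shared_egress):
    """Return accounts whose consecutive logins imply an implausible speed.

    With ignore_shared_egress=True, events from shared egress IPs are not used
    as location evidence at all, because their geolocation describes the
    gateway rather than the user.
    """
    last_seen = {}   # account -> (minute, geo) of last trusted location
    flagged = set()
    for account, minute, ip, geo in sorted(events, key=lambda e: (e[0], e[1])):
        if ignore_shared_egress and is_shared_egress(ip):
            continue
        prev = last_seen.get(account)
        if prev is not None:
            hours = (minute - prev[0]) / 60.0
            km = haversine_km(prev[1], geo)
            # Simultaneous events (hours == 0) are left to other checks.
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                flagged.add(account)
        last_seen[account] = (minute, geo)
    return flagged


if __name__ == "__main__":
    print("trusting all geo:      ", sorted(flagged_accounts(SAMPLE_EVENTS, False)))
    print("skipping shared egress:", sorted(flagged_accounts(SAMPLE_EVENTS, True)))
```
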

53. jillyboel ◴[] No.42963466[source]
If you use a weird proxy you're gonna get blocked. Facts of life.
54. echoangle ◴[] No.42963517{5}[source]
Isn’t hop 1 always apple and only the external IP is a secondary provider?
55. grayhatter ◴[] No.42963660{3}[source]
> So your option as a security professional is to express to your risk management team we allow "hacking tools" or lose iCloud Relay customers

a professional would explain how the vendor is being lazy and making a mistake there because they don't understand your business.

depending on the flavor of security professional (hacker) they might also subtly suggest that this vendor is dumb and should be embarrassed they've made this mistake, thus creating the implication that if you still want to block these users you would also have to be an idiot

under no circumstance would I ever allow anyone to get the mistaken impression that some vendor understands my job better than I do. As a "security professional" it's literally your job to identify hostile traffic, better than a vendor could.

56. grayhatter ◴[] No.42963720[source]
> Bad business, guys. You gotta find another way. Blocking IP addresses is o-ver.

no, it's still the front line. And likely always will be. It's the only client identifier bots can't lie about. (or nearly the only)

At $OLDJOB, ASN reputation was the single best predictor of traffic hostility. We were usually smart enough to know which we can, or can't block outright. But it's an insane take to say network based blocking is over... especially on a thread about some vendor blocking benign users because of the user-agent.

replies(3): >>42964083 #>>42964426 #>>42974802 #
57. ir77 ◴[] No.42963798{5}[source]
why is your tool so hard to use on ios? the website instructions say you need a companion siri shortcut, but nowhere is there actually a shortcut listed.

combing and coming through searches and reddit all comes up with non-working siri shortcuts that complain that the url is not found.

58. Ray20 ◴[] No.42963941{3}[source]
To trivialize totalitarian regimes that carry out terror against their own citizens, that can outright kill you and your whole family, by comparing them to capitalistic corporate world where, in the worst case, you can simply choose another, less fancy option, is the height of madness.
replies(4): >>42964842 #>>42964845 #>>42965670 #>>42999625 #
59. weare138 ◴[] No.42964083{3}[source]
I don't use iCloud Relay but it seems Apple's ASN would be 'reputable'.
replies(3): >>42964177 #>>42964390 #>>42965142 #
60. Yeul ◴[] No.42964139{3}[source]
Oh I think we all know that the Endgame is only allowing the approved webbrowser from the approved hardware. And getting on those lists will be made very expensive indeed...
61. maratc ◴[] No.42964177{4}[source]
It would appear to be, but only until the bad guys looking to come from reputable ASNs find out about this.
replies(1): >>42964481 #
62. recursive ◴[] No.42964290{5}[source]
Maybe the performance of the puzzle also has some undeclared side channels.
63. LeifCarrotson ◴[] No.42964337[source]
> I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures.

The problem is that all these Cloudflare forensics-based throttling and blocking efforts don't hurt sales figures.

The number of legitimate users running Arc is a rounding error. Arc browser users often come to Cloudflare without third-party tracking and without cookies, which is weird and therefore suspicious - you look an awful lot like a freshly instantiated headless browser, in contrast to the vast majority of legitimate users who are carrying around a ton of tracking data. And by blocking cookies and ads, you wouldn't even be attributable in most of the stats if they did let you in.

It would be like kicking anyone wearing dark sunglasses out of a physical store: sure, burglars are likely to want to hide their eyes. Retail shrink is something like 1.5% of inventory, while blind users are <0.5% of the population. It would violate the ADA (and basic ethics) to prohibit all blind shoppers, so in the real world we've decided that it's not legal to discriminate on this basis even if it would be a net positive for your financials.

The web is a nearly unregulated open ocean, Cloudflare can effectively block anyone for any reason and they don't have much incentive to show compassion to legitimate users that end up as bycatch in their trawl nets.

replies(4): >>42964656 #>>42965053 #>>42966257 #>>42967049 #
64. Terretta ◴[] No.42964390{4}[source]
Pretty sure the box with the "shield" icon on it, the ASN the web site would see, is, not coincidentally, CloudFlare?

https://support.apple.com/en-us/102602

"As mentioned above, Cloudflare functions as a second relay in the iCloud Private Relay system. We’re well suited to the task — Cloudflare operates one of the largest, fastest networks in the world. Our infrastructure makes sure traffic reaches every network in the world quickly and reliably, no matter where in the world a user is connecting from."

https://blog.cloudflare.com/icloud-private-relay/

66. IggleSniggle ◴[] No.42964481{5}[source]
Oh they have. It's been a big problem for my company. I assume Apple must work on this from their end, but any success would seem to undermine the privacy guarantee of the service.

"Bad guys" using Private Relay is one reason these IPs get blocked: one abuser can cause an entire block of people to get flagged as a single malicious user; and a big enough group of users can also look like a single malicious user to many blocklisting strategies, because they all share the same IP.
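The shared-IP effect described in the comment above, as an added example that is not part of the thread: a sliding-window request counter run over constructed log events, keyed first by IP alone and then by IP plus session for known shared egress addresses. The threshold, the addresses (documentation ranges) and the `session_id` field (assumed to be a server-issued identifier) are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 30   # assumed threshold, not taken from any vendor

# Constructed address standing in for a relay or CGNAT egress IP.
SHARED_EGRESS = {"203.0.113.10"}


def build_sample_log():
    """Return constructed (timestamp, ip, session_id) events.

    40 different people behind one shared egress IP make 3 requests each
    within a minute; one client on its own IP makes 90 requests in that time.
    """
    events = []
    for user in range(40):
        for n in range(3):
            events.append((user * 1.5 + n * 0.4, "203.0.113.10", f"relay-user-{user}"))
    for n in range(90):
        events.append((n * 0.6, "198.51.100.7", "single-client"))
    return sorted(events)


def flagged_keys(events, key_fn, limit=MAX_REQUESTS_PER_WINDOW):
    """Sliding-window counter: return every key that exceeds `limit` per window."""
    windows = defaultdict(deque)
    flagged = set()
    for ts, ip, session in events:
        key = key_fn(ip, session)
        q = windows[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) > limit:
            flagged.add(key)
    return flagged


def by_ip(ip, session):
    """Naive keying: everyone behind one address is one actor."""
    return ip


def by_ip_and_session_on_shared(ip, session):
    """Key on (ip, session) for known shared egress IPs, on ip alone otherwise."""
    return (ip, session) if ip in SHARED_EGRESS else ip


def blocked_people(events, key_fn):
    """Return the distinct sessions that end up behind a flagged key."""
    bad = flagged_keys(events, key_fn)
    return {session for _, ip, session in events if key_fn(ip, session) in bad}


if __name__ == "__main__":
    log = build_sample_log()
    print("keyed by IP:          ", len(blocked_people(log, by_ip)), "sessions blocked")
    print("shared-egress aware:  ",
          len(blocked_people(log, by_ip_and_session_on_shared)), "sessions blocked")
```
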

67. justinpombrio ◴[] No.42964617[source]
> Of course, I didn't, and decided to buy the product elsewhere

Consider messaging the owner to tell them you were trying to buy a product on their site and the site wouldn't let you. There's a chance that they'll care and be able to do something about it. But no chance if they don't know about the problem!

68. RobotToaster ◴[] No.42964656[source]
I wonder if cloudflare blocks like these affect screen reader users, in which case they may violate the ADA.
replies(2): >>42964968 #>>42973781 #
69. tremon ◴[] No.42964842{4}[source]
Your snide comment might have had some weight if there had been zero instances of the US government [0] or US corporations [1] killing people.

[0] https://en.wikipedia.org/wiki/List_of_assassinations_by_the_...

[1] https://en.wikipedia.org/wiki/List_of_worker_deaths_in_Unite...

70. imaginarypedro ◴[] No.42964845{4}[source]
https://apnews.com/article/wisconsin-asthma-medicine-lawsuit...
71. dragontamer ◴[] No.42964968{3}[source]
And if they did violate the ADA, do you seriously expect this administration's anti-DEI Department of Justice to pursue legal action?
replies(3): >>42965202 #>>42965622 #>>42966268 #
72. graemep ◴[] No.42965053[source]
What about all false positives in aggregate?

The problem is site owners do not know - it just adds to the number of blocked threats in cloudflare's reassuring emails.

replies(1): >>42967770 #
73. potus_kushner ◴[] No.42965068[source]
if the purpose of cloudflare is to block bots and allow humans in, then they fail miserably at their job. what they're doing instead can be summarized in one word: DISCRIMINATION. welcome to the age of internet apartheid.
replies(1): >>42965249 #
74. burnte ◴[] No.42965142{4}[source]
Only because without consumers using their IPs, they're a well established company with predictable uses. Once people use it for everything, then the reputation will drop.
75. bdhcuidbebe ◴[] No.42965249[source]
They are so successful in blocking noob scrapers that an entire industry is blooming around professional web scraping services.
76. bdhcuidbebe ◴[] No.42965256{3}[source]
It is a niche browser with no hype going for it.
77. michaelt ◴[] No.42965454{5}[source]
Businesses that scrape websites for a living hire people in third-world countries to solve captchas 24/7 to keep the scraping bots running.

So when I successfully solve a captcha, that doesn't make me 100% trusted not-a-scraping-bot. Instead it's an input into a statistical model, along with all the other identifying information they can hoover up, and that statistical model may still say no.

78. gosub100 ◴[] No.42965670{4}[source]
I'd feel a lot safer walking the streets of any city in China late at night than I would in any blue state's "zero tolerance" "gun free" zone.
79. throitallaway ◴[] No.42965688[source]
Same thing with Captchas. If I'm placing a food order or something and I'm presented with a Captcha 9 times out of 10 I just say "screw it."
80. snuxoll ◴[] No.42965773{4}[source]
> Apple/Cloudflare don't sell/support iCloud Relay as a service that is guaranteed to get you treated nicely by the parties on the other end, so they're not being deceptive with that part either.

They really do, actually. The fine print on their page only states:

> iCloud Private Relay is not available in all countries or regions. Without access to your IP address, some websites may require extra steps to sign in or access content.

And they have documentation linked on that same page for website owners: https://developer.apple.com/icloud/prepare-your-network-for-... which even goes a step further and encourages website operators to use Privacy Pass to allow iCloud Private Relay users to skip CAPTCHA challenges.

And really, this checks out, because iCloud Private Relay has a unique combination of circumstances compared to other commercial VPN users and Tor because:

* It isn't explicitly designed as a bypass tool of any form like commercial VPNs, your options for IP location are "same general location" or "same country and time zone" - content providers have no reason to block it for allowing out of region access

* Private relay is backed by iCloud authentication of both the device and the user, you can be beyond reasonably sure that traffic coming from an iCloud Private Relay endpoint is a paying iCloud+ user, browsing with Safari, using their iPhone/iPad/Mac.

* It is backed by one of the most recognizable brands in the world, with a user base who is more likely to send you nasty messages for blocking this service.

On particular note of the last one, there's no "exception list" or anything available for end-users in Safari to bypass Private Relay for specific sites. My work one day decided to add the entire "Anonymizers" category to the blocklist in Okta, and I was suddenly unable to access any work applications on my iPhone which is enrolled in our enterprise MDM solution because I have Private Relay enabled. Enough people complained that the change was rolled back the same day it was implemented, because the solution was "turn it off" and that was unacceptable to many of our users.

81. Analemma_ ◴[] No.42965845{5}[source]
I can find you literally hundreds of posts from people insisting that ADA is nothing but a small-business-killing shakedown, that it's makework for lawyers, that it's doing nothing to help the disabled, and that it's just as bad if not worse than DEI. What makes your claim better than theirs?
replies(3): >>42966224 #>>42966878 #>>42967204 #
82. wraptile ◴[] No.42965889[source]
Cloudflare doesn't report this to the site admins so they're just sitting there losing sales and thinking Cloudflare is doing a good job.
83. kube-system ◴[] No.42966211{5}[source]
There's no way they'd use Tor, because it has major UX problems.
84. gosub100 ◴[] No.42966224{6}[source]
I call your bluff. Do it.
replies(1): >>42966480 #
85. TheRealPomax ◴[] No.42966257[source]
The number of legitimate users on "not chrome, edge, safari, or firefox" is about 10% of the browser market. I don't know about you, but if I'm running a shop, and the whole point of my website is to make sales, but my front door is preventing 10% of those sales? That door is getting replaced.
replies(5): >>42966408 #>>42966448 #>>42966602 #>>42967069 #>>42967080 #
86. pc86 ◴[] No.42966268{4}[source]
Yes because accessibility and DEI are different despite partisans' attempts to make "DEIA" a real thing.
replies(3): >>42966400 #>>42967223 #>>42972977 #
87. worik ◴[] No.42966387{3}[source]
> just good privacy settings in my case.

You are blocking the trackers and damaging the revenue model.

88. dragontamer ◴[] No.42966389{5}[source]
You seriously think this administration gives a care about the disabled? They're already firing accessibility people in the government.

https://www.aclu.org/news/racial-justice/trumps-executive-or...

Right there in the executive orders. They're literally rolling back accessibility and making this a policy.

Read the EO yourself.

https://www.whitehouse.gov/presidential-actions/2025/01/endi...

replies(1): >>42967341 #
89. dragontamer ◴[] No.42966400{5}[source]
Trump's team is rolling back DEIA already.

Did you read the executive order? It's not the left calling it DEIA. It's Trump.

> Sec. 2. Implementation. (a) The Director of the Office of Management and Budget (OMB), assisted by the Attorney General and the Director of the Office of Personnel Management (OPM), shall coordinate the termination of all discriminatory programs, including illegal DEI and “diversity, equity, inclusion, and accessibility” (DEIA) mandates, policies, programs, preferences, and activities in the Federal Government, under whatever name they appear.

https://www.whitehouse.gov/presidential-actions/2025/01/endi...

replies(1): >>42973449 #
90. supernovae ◴[] No.42966408{3}[source]
If you were running a shop, you would realize that nearly 100% of the fraud is "not chrome, edge, safari, or firefox"

It's unfortunate yes but that's what drives the threat signatures

replies(1): >>42967518 #
91. agoodusername63 ◴[] No.42966448{3}[source]
Why would you assume that the 10% of non standard browsers are going to buy anything?

Demographic is important here. If I was running a shop that sold software for Linux users, sure. If I'm running a store that sells pretty much anything else? I'm not caring.

replies(1): >>42967171 #
92. vscapitalx ◴[] No.42966480{7}[source]
https://www.forbes.com/sites/gusalexiou/2023/06/30/website-a...

https://www.the215guys.com/blog/ada-lawsuits-targeting-websi...

replies(1): >>42967482 #
93. lotsofpulp ◴[] No.42966602{3}[source]
You don't think the people actually running the shops, whose income depends on the shop, have thought of that and thus there exists a downside that more than offsets the upside?
replies(2): >>42967179 #>>42998712 #
94. lcnPylGDnU4H9OF ◴[] No.42966878{6}[source]
> What makes your claim better than theirs?

Well, for starters it's not so absolute:

> it's doing nothing to help the disabled

It's obviously doing something for the disabled. Reserved disabled parking spots and wheelchair-accessible building entrances are requirements of the ADA. It seems reasonable to think it "improves people's lives". A whole bunch of contrary opinions are not necessarily reasons for disagreement as much as they are simply disagreement.

replies(2): >>42967289 #>>42980507 #
95. azemetre ◴[] No.42967049[source]
Something tells me that if you asked the store owner that the poster tried to give money to, they'd be furious at Cloudflare for stopping the transaction.
replies(1): >>42967534 #
96. NoMoreNicksLeft ◴[] No.42967069{3}[source]
>That door is getting replaced.

Sure. If there was another place to buy a better door at. But if that door manufacturer's the only one that makes doors, if the door installer and door technicians all tell you that they can't or won't make another door for you, then you just deal. Maybe crank up the prices a bit to try to mitigate your 10% shortfalls.

The place where a business looks at that problem and sees money being left on the table that it can't live without and that it has no other way of making up for... that is a very narrow stretch, and only very marginal businesses live there.

97. Aldo_MX ◴[] No.42967080{3}[source]
Then you get burglars in your shop instead of legitimate customers.

User Agents look the way they do because this is a recurring issue.

A browser without network effects gets blocked, they look for a way to bypass the blocking, then they become mainstream and now the de-facto UA is larger than before.

replies(1): >>42974094 #
98. handoflixue ◴[] No.42967171{4}[source]
Why would you expect people using non-standard browsers don't buy things? Presumably they still eat food, wear clothing, and enjoy hobbies.

I'd think that a non-standard browser also strongly suggests that they're a financially-comfortable middle-class individual, and quite possibly a whale with FAANG income.

replies(1): >>42980521 #
99. handoflixue ◴[] No.42967179{4}[source]
The people running the shops aren't the people making the decision - Cloudflare is. The shop's only real decision is "use Cloudflare" or "die to all the attacks Cloudflare exists to prevent"
100. 1shooner ◴[] No.42967204{6}[source]
>it's doing nothing to help the disabled

I'll make you a deal: Instead of hundreds of posts from random people, find me just 50 posts from disabled people that agree with this.

101. fsckboy ◴[] No.42967223{5}[source]
I'm not an expert on this, but it appears that the Dept of Justice rolls DEI and A into one DEIA, which makes some sort of sense since any litigation would be similar. Not sure about other federal agencies.

https://www.justice.gov/archives/jmd/diversity-equity-inclus...

102. fsckboy ◴[] No.42967289{7}[source]
I've no problem with the govt making sure that disabled people get accommodation so they can participate in civic life. I do have a problem with the govt requiring private individuals to pay for it, "handle the load", etc. even engaged in public accommodation: because it's obvious that a 20,000 sq ft publicly traded Delaware class C corp retailer has room for ramps and generous allocations of space around swinging doors, bathrooms etc. But if I rent a 500 sq foot postage stamp shop in NYC to open my dream counter service juice store which is a step up from the sidewalk, it's just too much of a burden for a new business of which 9 out of 10 fail anyway. You think juice store owners have anything against disabled people? They don't.

We all need to pay for it, not pass feel good legislation that shoves it down the throats of sole proprietor LLCs.

103. gosub100 ◴[] No.42967482{8}[source]
The first link had one comment in support of the move, and a single, dissenting (yet reasonable) reply. 2nd article had no comments whatsoever. Remember, the claim I'm responding to was "literally hundreds of posts from people insisting that ADA is nothing but a small-business-killing shakedown, that it's makework for lawyers, that it's doing nothing to help the disabled"
104. crtasm ◴[] No.42967518{4}[source]
Why would fraudsters use a browser that's likely to be blocked? They'll be using the standard browsers like (mostly) everyone else.

edit: it's noted downthread that automated testing of card details to find valid ones is a reason.

105. Liskni_si ◴[] No.42967534{3}[source]
Yeah maybe if you somehow managed to email them without their email provider stopping that email from reaching them…
106. crtasm ◴[] No.42967543{4}[source]
That doesn't line up with my experience at all.

You will still notice when some sites completely block you, of course.

107. edelbitter ◴[] No.42967770{3}[source]
It is difficult to gauge the size of the Cloudflare effect.. if the usage statistics the site owner is collecting.. are also not collected for those undesirables.
108. SLJ7 ◴[] No.42970070[source]
You should really take the few minutes to email them and let them know that's happening. It's not their fault Cloudflare is awful.
109. littlestymaar ◴[] No.42970428{5}[source]
> Its subreddit has 52k members. There are probably hundreds of thousands of users.

I don't get your reasoning here, you shouldn't even expect more than a fraction of the reddit users to have even installed and tried the browser, let alone using it regularly.

replies(1): >>42984903 #
110. Xelbair ◴[] No.42971553{3}[source]
No, only thing I have is dns-over-https.

But I should turn that on.

111. TRiG_Ireland ◴[] No.42972977{5}[source]
So why is the Trump administration also removing accessibility features from government websites, and firing ASL interpreters?
replies(1): >>42973464 #
112. pc86 ◴[] No.42973449{6}[source]
Because it's a pretty simple legal maneuver to say "no this EO isn't requiring us to shut down this program because we call it 'DEIA' instead of 'DEI' so it's different."

The EO is using the language of the programs to ensure that they're shut down.

Accessibility has been around forever. One of the major proponents of it was a Republican nominee for President. It has broad bipartisan support.

DEI has been around for 45 minutes and is racism disguised as anti-racism.

113. pc86 ◴[] No.42973464{6}[source]
Because the administration is thousands of people and it's possible for them to do both good things and boneheaded stupid things simultaneously?
replies(1): >>42973522 #
114. dragontamer ◴[] No.42973522{7}[source]
The head of the administration, Trump, literally issued an order. An order that's being carried out right now.

And that order is messing with disability programs and other accessibility issues. Directly.

replies(1): >>42974875 #
115. samspot ◴[] No.42973781{3}[source]
In my experience, screen reader users stick to the mainstream browsers to preserve compatibility. https://webaim.org/projects/screenreadersurvey10/
116. TheRealPomax ◴[] No.42974094{4}[source]
Fun fact: you can't steal paid software by faking a user agent, because that's not how sales work. But you can lose sales by blocking user agents.

And use your brain for a hot second will you? Bad actors don't use a rare user agent, they use the same Chrome user agent that everyone else uses.

117. jidar ◴[] No.42974802{3}[source]
Blocking based on ASN has never and should never be the frontline. It's the illusion of increased security with little actual impact. The bad guys are everywhere and if blocking an ASN has an improvement on your actual breaches then your security is total crap and always will be until you start doing the right things.
118. pc86 ◴[] No.42974875{8}[source]
A sibling comment quoted it as well but the relevant thing is here:

> Sec. 2. Implementation. (a) The Director of the Office of Management and Budget (OMB), assisted by the Attorney General and the Director of the Office of Personnel Management (OPM), shall coordinate the termination of all discriminatory programs, including illegal DEI and “diversity, equity, inclusion, and accessibility” (DEIA) mandates, policies, programs, preferences, and activities in the Federal Government, under whatever name they appear.

IMO this is a crystal clear example of why you don't lump unrelated programs in together. You lump accessibility with DEI because accessibility is largely favored and DEI is largely not. Their hands are likely tied by the text of this EO because the previous administration didn't keep DEI separate from accessibility. As I stated elsewhere accessibility is a decades-old cause while DEI has been around barely the past couple years in government circles and wider press.

If the previous administration had left them separated and stopped hamfisting DEI into DEIA I don't think this EO would have mentioned accessibility at all. But since it does, if you're a federal employee you don't really have a choice unless you want to try to make the argument that accessibility on its own is not DEIA and therefore it can stay but that's likely a losing battle.

replies(2): >>42979396 #>>42995200 #
119. dragontamer ◴[] No.42979396{9}[source]
I quoted it, and it's irrelevant.

Trump signed the order like that. If he wanted to change the order, he would have written it differently.

In any case, President Elon is pissed at accessibility folks harassing him over Twitter firings (including the firing of Twitter's accessibility teams). This is stuff well within their politics and is 100% what they want.

replies(1): >>43001287 #
120. what ◴[] No.42980507{7}[source]
>reserved disabled parking spots

I’ve never seen an actually disabled person use one. They’re always occupied by cars with placards but the people are pretty clearly abled or able enough to walk across the parking lot.

121. what ◴[] No.42980521{5}[source]
It strongly suggests they’re a NEET.
122. InsideOutSanta ◴[] No.42984903{6}[source]
Why would you join a subreddit for an obscure browser if you never even bothered to run it?
replies(1): >>42989610 #
123. littlestymaar ◴[] No.42989610{7}[source]
You vastly underestimate how many “just curious” lurkers there are on any subreddits!
replies(1): >>43003066 #
124. TRiG_Ireland ◴[] No.42995200{9}[source]
Fascists always despise disabled people. This is entirely on brand.
replies(1): >>43001336 #
125. mft_ ◴[] No.42998712{4}[source]
Yes. I suspect that many people who run online shops don’t think about this issue and, mostly, don’t even know there is an issue.
126. wvh ◴[] No.42999625{4}[source]
Many roads can lead to that hell. It's not because you take the scenic route that you shouldn't have some sense of awareness about where you might be headed. There is no us and them, just human nature.
127. pc86 ◴[] No.43001287{10}[source]
It's not irrelevant because as I said earlier if you run a "DEIA" office and an EO says to dismantle DEI, it's a pretty easy legal maneuver to at least argue that they're different and that you don't need to shut the DEI stuff down because your office does other things too and they're all interrelated. Not saying it would work but this cuts it off at the pass. "DEIA" is a Democratic invention and that language is necessary to shut down DEI.

> President Elon

Oh I'm sorry I was under the mistaken impression you were trying to have a good faith discussion about the merits of what's happening.

The federal government is comprised of millions of unelected bureaucrats (I don't mean that pejoratively that's literally what they are). There is nothing particularly earth shattering about what Elon is doing. He's given a task by the president and he's carrying it out, which is what every single unelected executive branch employee does at one level or another.

128. pc86 ◴[] No.43001336{10}[source]
Give me a break the fascism nonsense is completely played out. Get another false ad hominem there are better ones to pick from.
replies(1): >>43020826 #
129. InsideOutSanta ◴[] No.43003066{8}[source]
You're asserting that they are curious enough about a free browser to join a subreddit, but not curious enough to download it?
130. TRiG_Ireland ◴[] No.43020826{11}[source]
He's following the fascist playbook to the T. There's no need to sugarcoat it.
131. erinaceousjones ◴[] No.43025574{4}[source]
Thank you! I checked with IPQS and my residential IP had been flagged for being "a proxy". I routinely SSH VPN (sshuttle) into my home network to do things so maybe that's why.