Most active commenters

    ←back to thread

    Tell HN: Cloudflare is blocking Pale Moon and other non-mainstream browsers

    1343 points Hold-And-Modify | 11 comments | 05 Feb 25 19:08 UTC | HN request time: 0.002s | source | bottom

    Hello.

    Cloudflare's Browser Intergrity Check/Verification/Challenge feature used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

    Users reports began on January 31:

    https://forum.palemoon.org/viewtopic.php?f=3&t=32045

    This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

    https://community.cloudflare.com/t/access-denied-to-pale-moo...

    Partial list of other browsers that are being denied access:

    Falkon, SeaMonkey, IceCat, Basilisk.

    Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

    https://news.ycombinator.com/item?id=31317886

    A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

    As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

    Show context
    nikkwong ◴[06 Feb 25 05:13 UTC] No.42959315[source]
    Yesterday I was attempting to buy a product on a small retailer's website—as soon as I hit the "add to cart" button I got a message from Cloudflare: "Sorry, you have been blocked". My only recourse was to message the owner of the domain asking them to unblock me. Of course, I didn't, and decided to buy the product elsewhere. I wasn't doing anything suspicious.. using Arc on a M1 MBP; normal browsing habits.

    Not sure if this problem is common but; I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures. I would hope the cost to retailers is trivial in this case, I guess the upside of blocking automated traffic can be quite great.

    Just checked again and I'm still blocked on the website. Hopefully this kind of thing gets sorted out.

    replies(13): >>42959473 #>>42959512 #>>42960071 #>>42960395 #>>42960397 #>>42961792 #>>42961906 #>>42964337 #>>42964617 #>>42965068 #>>42965688 #>>42965889 #>>42970070 #
    1. kcrwfrd_ ◴[06 Feb 25 06:00 UTC] No.42959512[source]
    Were you on a VPN?
    replies(2): >>42959541 #>>42959944 #
    2. nikkwong ◴[06 Feb 25 06:03 UTC] No.42959541[source]
    Nope, no VPN, making it all the stranger.
    3. whilenot-dev ◴[06 Feb 25 07:19 UTC] No.42959944[source]
    Some vendors are just weird... I'm always getting blocked by Etsy with Firefox after the first navigation on their site. It shows me a puzzle to solve and then, after solving the puzzle correctly (read "Success"), redirects me to "You have been blocked". It works with Chrome-based browsers though, but that doesn't make me want to use the website at all.

    No VPN, just good privacy settings in my case.

    replies(3): >>42960184 #>>42960194 #>>42966387 #
    4. ghxst ◴[06 Feb 25 08:06 UTC] No.42960184[source]
    Do you have the "resist fingerprinting" setting enabled in Firefox? (You can check in about:config)
    replies(1): >>42960230 #
    5. Symbiote ◴[06 Feb 25 08:08 UTC] No.42960194[source]
    While looking at a flight price on sas.dk I had to disable Firefox's built-in enhanced tracking protection.

    It seems excessive to not allow at least a single query in this situation.

    I had the same with a newspaper which I subscribe to. They shouldn't be tracking me, and don't show adverts to subscribers. In this case I wrote to their support person, who told me not to block the tracking.

    6. whilenot-dev ◴[06 Feb 25 08:16 UTC] No.42960230{3}[source]
    "privacy.resistFingerprinting" is "true", yes, and it'll stay that way. Why let me solve a puzzle just to block me afterwards anyway?
    replies(4): >>42960368 #>>42963023 #>>42964290 #>>42965454 #
    7. Lanolderen ◴[06 Feb 25 08:41 UTC] No.42960368{4}[source]
    To let you know who wears the pants in the relationship :)
    8. brudgers ◴[06 Feb 25 15:03 UTC] No.42963023{4}[source]
    I use multiple profiles with Firefox to sandbox cookies etc. My profiles are based on activity. HN, Facebook, and infrequently used sites…sometimes I use Linkedin but I dont want it following me around the web.

    I would prefer the web was different, but it is not.

    9. recursive ◴[06 Feb 25 17:04 UTC] No.42964290{4}[source]
    Maybe the performance of the puzzle also has some undeclared side channels.
    10. michaelt ◴[06 Feb 25 19:09 UTC] No.42965454{4}[source]
    Businesses that scrape websites for a living hire people in third-world countries to solve captchas 24/7 to keep the scraping bots running.

    So when I successfully solve a captcha, that doesn't make me 100% trusted not-a-scraping-bot. Instead it's an input into a statistical model, along with all the other identifying information they can hoover up, and that statistical model may still say no.

    11. worik ◴[06 Feb 25 20:52 UTC] No.42966387[source]
    > just good privacy settings in my case.

    You are blocking the trackers and damaging the revenue model.