1343 points | Hold-And-Modify | 12 comments

Hello.

Cloudflare's Browser Integrity Check/Verification/Challenge feature, used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

User reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patch the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

windsignaling ◴[] No.42955454[source]
As a website owner and VPN user I see both sides of this.

On one hand, I get the annoying "Verify" box every time I use ChatGPT (and now, due to its popularity, DeepSeek as well).

On the other hand, without Cloudflare I'd be seeing thousands of junk requests and hacking attempts every day, people attempting credit card fraud, etc.

I honestly don't know what the solution is.

replies(15): >>42955722 #>>42955733 #>>42956022 #>>42956059 #>>42956088 #>>42956502 #>>42957016 #>>42957235 #>>42959074 #>>42959436 #>>42959515 #>>42959590 #>>42963545 #>>42963562 #>>42966987 #
EVa5I7bHFq9mnYK ◴[] No.42959515[source]
Credit card fraud exists because credit card companies can't (or won't) implement elementary security measures. There should be a requirement to confirm every online payment, but many sites today require just a cc number+date+code+zip, with no additional confirmation; can't call it anything other than complicity in the crime.
replies(1): >>42960226 #
1. il-b ◴[] No.42960226[source]
Lost sales due to 2fa are greater than losses due to refunds
replies(1): >>42960358 #
2. xrisk ◴[] No.42960358[source]
Why would 2FA cause lost sales? One would imagine it’s because people are being auto charged for shit they don’t want but haven’t noticed or forgot to cancel.
replies(4): >>42960443 #>>42960457 #>>42960502 #>>42962495 #
3. ◴[] No.42960443[source]
4. EVa5I7bHFq9mnYK ◴[] No.42960457[source]
Because it's more work? Also 2fa often fails for the rightful card owner. And Cloudflare's overzealous "security" is one of the reasons for failure.
replies(1): >>42960801 #
5. ◴[] No.42960502[source]
6. simplyinfinity ◴[] No.42960801{3}[source]
In Europe 2fa is mandatory for all (or almost all) online purchases, especially a first-time purchase from a merchant when your card hasn't been authorized. Sites using Stripe's Link get away with no 2fa most of the time, but not all the time. Make it mandatory at the Visa/Mastercard level, and you won't lose many sales, as all transactions would require it and people will have to 2fa everywhere.
replies(2): >>42961963 #>>42969339 #
7. EVa5I7bHFq9mnYK ◴[] No.42961963{4}[source]
An hour ago I paid Contabo, a cloud service provider headquartered in Munich. No 2fa.
8. crazygringo ◴[] No.42962495[source]
Because it just doesn't work with shocking frequency.

Maybe 10% of the time I make a purchase online, it shows me a screen where it says it's waiting for my bank to verify, I'll have to input a code or accept a notification or something.

A solid half the time it fails. Either the site decides the transaction was rejected before I even get a chance to respond (within seconds), or I just don't get any notification or code or anything, or I do authorize it and it still gets rejected.

replies(1): >>42966216 #
9. xrisk ◴[] No.42966216{3}[source]
idk here in India, we have 2FA for everything. I would say it very rarely fails, speaking from personal experience.
replies(1): >>42966332 #
10. crazygringo ◴[] No.42966332{4}[source]
I think a lot of other countries have it much more standardized. Or it's just more common so the bugs get fixed.

But in the US there are so many credit card providers, each one seems to do it differently, and the UX flows just break. And it seems difficult for a site to even test, and how will you even figure out if it's the provider or network or merchant or notification that's failing?

11. BrenBarn ◴[] No.42969339{4}[source]
Yeah, and this is actually a huge pain for visitors. I was in Europe a couple months ago and couldn't buy stuff like train tickets online. Why? Because everything wants to verify with a text, and I couldn't do that because I had gotten a European SIM card because my US plan doesn't do international roaming.

There are several colliding problems there (cheap cell phone plan, 2fa being via text, online purchases requiring 2fa) but it still illustrates to me the pain of doing simple stuff in the modern tech space. I wish the powers that be would work harder on solutions that don't require extra work from the people doing small, normal stuff. It would be better to have a lot more fraud occur but a lot more of the perpetrators pursued and caught. A lot of anti-fraud measures seem to be largely about passing the buck to someone else instead of actually eliminating the humans who are driving the fraud.

replies(1): >>42972794 #
12. TsiCClawOfLight ◴[] No.42972794{5}[source]
2FA for our cards is not via text, but via app. It's your credit card provider that doesn't implement 3D Secure properly.