1343 points Hold-And-Modify | 1 comments

Hello.

Cloudflare's Browser Integrity Check/Verification/Challenge feature, used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

User reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

nikkwong No.42959315
Yesterday I was attempting to buy a product on a small retailer's website—as soon as I hit the "add to cart" button I got a message from Cloudflare: "Sorry, you have been blocked". My only recourse was to message the owner of the domain asking them to unblock me. Of course, I didn't, and decided to buy the product elsewhere. I wasn't doing anything suspicious... using Arc on an M1 MBP; normal browsing habits.

Not sure if this problem is common, but I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures. I would hope the cost to retailers is trivial in this case; I guess the upside of blocking automated traffic can be quite great.

Just checked again and I'm still blocked on the website. Hopefully this kind of thing gets sorted out.

ghxst No.42959473
Try clearing your cookies and disabling all extensions; if that still results in a block you can try a mobile hotspot. You're either failing some server-side check (IP, TCP fingerprint, JA3 etc.) or a client-side check of your browser integrity (generally this is tampered with by privacy-focused extensions, anti-fingerprint settings etc.). It's not a "fix" but can at least give you an indication of why it is happening.
underdeserver No.42959789
That's quite a lot to ask. Not OP, but I'm not doing all that just because someone else misconfigured their anti-DDoS, unless I really need to.
ghxst No.42960127
My intention was to explain how to identify what could be causing the issue, not to give any indication that I think this is acceptable. Unfortunately, like you point out, sometimes you _really_ do have to deal with a website behind an oversensitive WAF, in which case the steps I provided can be helpful.
Moru No.42960318
My problem is that I help a lot of people set up their computers because they want to get rid of ads and tracking. They don't know how to fix this. Or more likely don't even realise there is a problem and will just close it down and continue with their day. So I guess it's not my problem but it is someone's problem.