←back to thread

Tell HN: Cloudflare is blocking Pale Moon and other non-mainstream browsers

1343 points Hold-And-Modify | 3 comments | 05 Feb 25 19:08 UTC | HN request time: 0.633s | source

Hello.

Cloudflare's Browser Intergrity Check/Verification/Challenge feature used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

Users reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

Show context
nikkwong ◴[06 Feb 25 05:13 UTC] No.42959315[source]
Yesterday I was attempting to buy a product on a small retailer's website—as soon as I hit the "add to cart" button I got a message from Cloudflare: "Sorry, you have been blocked". My only recourse was to message the owner of the domain asking them to unblock me. Of course, I didn't, and decided to buy the product elsewhere. I wasn't doing anything suspicious.. using Arc on a M1 MBP; normal browsing habits.

Not sure if this problem is common but; I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures. I would hope the cost to retailers is trivial in this case, I guess the upside of blocking automated traffic can be quite great.

Just checked again and I'm still blocked on the website. Hopefully this kind of thing gets sorted out.

replies(13): >>42959473 #>>42959512 #>>42960071 #>>42960395 #>>42960397 #>>42961792 #>>42961906 #>>42964337 #>>42964617 #>>42965068 #>>42965688 #>>42965889 #>>42970070 #
ghxst ◴[06 Feb 25 05:52 UTC] No.42959473[source]
Try clearing your cookies and disabling all extensions, if that still results in a block you can try a mobile hotspot. You're either failing some server side check (IP, TCP fingerprint, JA3 etc.) or a client side check of your browser integrity (generally this is tampered with by privacy focused extensions, anti-fingerprint settings etc.). It's not a "fix" but can at least give you an indication of why it is happening.
replies(3): >>42959789 #>>42959948 #>>42960346 #
1. erinaceousjones ◴[06 Feb 25 08:37 UTC] No.42960346[source]
I think it's unfair this comment has been flagged or downvoted or whatever. It's pragmatic information!

The mobile hotspot thing... I have to do that to do anything involving Okta.

For some frustrating reason my IPv4 address, which I pay extra to my ISP to have, has been blocklisted by Okta. A login flow failure in one of the apps work uses triggered my address getting banned indefinitely is my best guess. My works Okta admins don't really understand how to unblock me on their Okta tenancy, and Okta support just directs me back to my local admins (even though it's any okta-using org I'm banned from logging into).

I get that misuse/abuse detection has to do its thing but it's so frustrating when there's basically zero way of a legitimate user from an IP of undoing a ban. My only recourse is to do all my using of okta from another IP.... If I was a legit spammer I wouldn't think twice about switching to another IP from my big pool, probably.

replies(1): >>42960548 #
2. ghxst ◴[06 Feb 25 09:12 UTC] No.42960548[source]
Thank you, I'm a bit surprised people took issue with my comment but I suppose I could have worded it better.

As for your case, I wonder if Okta is relying on an external service like IPQS to get a score, that could explain why they don't really have any control over it.

replies(1): >>43025574 #
3. erinaceousjones ◴[12 Feb 25 14:10 UTC] No.43025574[source]
Thankyou! I checked with IPQS and my residential IP had been flagged for being "a proxy". I routinely SSH VPN (sshuttle) into my home network to do things so maybe that's why.