    1343 points by Hold-And-Modify | 32 comments

    Hello.

    Cloudflare's Browser Integrity Check/Verification/Challenge feature, used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

    User reports began on January 31:

    https://forum.palemoon.org/viewtopic.php?f=3&t=32045

    This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

    https://community.cloudflare.com/t/access-denied-to-pale-moo...

    Partial list of other browsers that are being denied access:

    Falkon, SeaMonkey, IceCat, Basilisk.

    Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

    https://news.ycombinator.com/item?id=31317886

    A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

    As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

    nikkwong No.42959315
    Yesterday I was attempting to buy a product on a small retailer's website—as soon as I hit the "add to cart" button I got a message from Cloudflare: "Sorry, you have been blocked". My only recourse was to message the owner of the domain asking them to unblock me. Of course, I didn't, and decided to buy the product elsewhere. I wasn't doing anything suspicious: using Arc on an M1 MBP; normal browsing habits.

    Not sure if this problem is common, but I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures. I would hope the cost to retailers is trivial in this case; I guess the upside of blocking automated traffic can be quite great.

    Just checked again and I'm still blocked on the website. Hopefully this kind of thing gets sorted out.

    1. jen729w No.42960397
    Vendors who block iCloud Relay are the worst. I'm sure they don't even know they're doing it. But some significant percentage of Apple users -- and you'd have to think it's only gonna grow -- comes from those IP address ranges.

    Bad business, guys. You gotta find another way. Blocking IP addresses is o-ver.

    2. cprecioso No.42960506
    This would be weird, esp. given that Cloudflare is one of the vendors who act as exit nodes for iCloud Relay.
    3. latexr No.42960816
    I believe your parent comment means when the target website blocks, not Cloudflare.

    YouTube is a perfect example. Using iCloud Private Relay can now frequently label you as a bot, which stops you from watching videos until you login.

    4. lloeki No.42961119
    Happened to me.

    Interestingly enough I checked on another non-Private Relay device (it worked), disabled Private Relay, refreshed the page, which still blocked me, and it resulted in the ban instantly extending to my other non-Private Relay devices.

    I presume some fingerprinting/evercookie was in place which led to a flagging/ban extension to my home IP.

    5. tessela No.42961696
    It happens to me a lot, I just created a small automation to use https://cobalt.tools to download the content. Their loss, not mine.
    6. egberts1 No.42961813
    Nice tool.
    7. latexr No.42962483
    I do something similar. Over 90% of my YouTube consumption is with Alfred workflows which use mpv and yt-dlp under the hood. I just press a keyboard shortcut and the frontmost tab closes in the browser and starts playing in mpv.

    The remaining percentage is still annoying, as it happens from the phone.

    8. rthomas6 No.42962582
    Wait, this comment made me aware of the existence of iCloud Relay. Apple built their own Tor only for Apple users? Why would they do that? Why not use Tor???
    9. guipsp No.42962630
    Because it is 1. Not Tor and 2. Fast
    10. jrootabega No.42962833
    I don't think that's weird. That's what I would want from an honest vendor who is involved in both services - block anonymization/obfuscation users if I'm paying you to block them. Apple/Cloudflare don't sell/support iCloud Relay as a service that is guaranteed to get you treated nicely by the parties on the other end, so they're not being deceptive with that part either.

    What I'd worry about is Cloudflare using their knowledge of their VPN clients to allow services behind their attack protection to treat those clients better, because maybe they're leaking client info to the protected services.

    Not that I think Cloudflare/Apple/etc. are supremely noble/honest/moral, or that it's good that semi-anonymous connections are treated so badly by default; this juxtaposition just doesn't seem like a problem to me.

    EDIT: OK, I back off of this position somewhat. Apple's marketing of iCloud Relay might allow users to believe it's more prestigious and reputable than a VPN/Tor. They do have fine print explaining that you might be treated badly by the remote services, but it's, you know, fine print, and Apple knows that they have a reputation for class and legitimacy.

    11. dewey No.42962848
    You can use iCloud Relay without even noticing that you are using it, this is not true with Tor as you'll spend most of your time waiting for reconnecting circuits.
    12. oremolten No.42962962
    Well, it's primarily because the security vendors for, say, WAFs and other tools list these IPs in the "Anonymizers" or "VPN" category, and most typically these are blocked, as seldom do you see legitimate traffic originating to your store front or accounts pages from these. Another vendor we use lists these under "hacking tools". So your option as a security professional is to express to your risk management team that we allow "hacking tools" or lose iCloud Relay customers. Which way do you think they steer? In alternative cases a site may use a vendor for their cart/checkout page and doesn't even have control over these blocks, as they are also blocking "hacking tools" or "anonymizers" from hitting their checkout pages.
    13. oremolten No.42962999
    Wait till you see how M365 does management around iCloud Relay; it makes it real fun troubleshooting suspicious login parameters...
    14. echoangle No.42963304
    It’s more like a VPN instead of Tor
    15. hedora No.42963411
    Actually, it’s closer to Tor, but hardcoded to two hops, and hop 1 and 2 are always different (audited) organizations.

    I wish they’d just used Tor though.

    16. hedora No.42963465
    I’ve noticed wifi at coffee shops, etc have started blocking it too.

    I need to disable it for one of my internal networks (because I have DNS overrides that go to 192.168.0.x), or I'd wish they'd just make it mandatory for iPhones and put an end to such shenanigans.

    Apple could make it a bit more configurable for power users, and then flip the “always on” nuclear option switch.

    Either that, or they could add a “workaround oppressive regimes” toggle that’d probably be disabled in China, but hey, I’m in the US, so whatever.

    Edit: I also agree that blocking / geolocating IP addresses is a big anti-pattern these days. Many ISPs use CGNAT. For instance, all Starlink traffic from the south half of the west coast appears to come from LA.

    As a result, some apps have started hell-banning my phone every time I drive to work because they see me teleport hundreds of miles in 10 minutes every morning. (And both of my two IPs probably have 100’s of concurrent users at any given time. I’m sure some of them are doing something naughty).

    17. jillyboel No.42963466
    If you use a weird proxy you're gonna get blocked. Facts of life.
    18. echoangle No.42963517
    Isn’t hop 1 always apple and only the external IP is a secondary provider?
    19. grayhatter No.42963660
    > So your option as a security professional is to express to your risk management team we allow "hacking tools" or lose iCloud Relay customers

    A professional would explain how the vendor is being lazy and making a mistake there because they don't understand your business.

    Depending on the flavor of security professional (hacker), they might also subtly suggest that this vendor is dumb and should be embarrassed they've made this mistake, thus creating the implication that if you still want to block these users you would also have to be an idiot.

    Under no circumstances would I ever allow anyone to get the mistaken impression that some vendor understands my job better than I do. As a "security professional" it's literally your job to identify hostile traffic, better than a vendor could.

    20. grayhatter No.42963720
    > Bad business, guys. You gotta find another way. Blocking IP addresses is o-ver.

    No, it's still the front line. And likely always will be. It's the only client identifier bots can't lie about (or nearly the only).

    At $OLDJOB, ASN reputation was the single best predictor of traffic hostility. We were usually smart enough to know which we can, or can't block outright. But it's an insane take to say network based blocking is over... especially on a thread about some vendor blocking benign users because of the user-agent.

    21. ir77 No.42963798
    Why is your tool so hard to use on iOS? The website instructions say you need a companion Siri shortcut, but nowhere is there actually a shortcut listed.

    Combing through searches and Reddit all comes up with non-working Siri shortcuts that complain that the URL is not found.

    22. weare138 No.42964083
    I don't use iCloud Relay but it seems Apple's ASN would be 'reputable'.
    23. Yeul No.42964139
    Oh, I think we all know that the endgame is only allowing the approved web browser from the approved hardware. And getting on those lists will be made very expensive indeed...
    24. maratc No.42964177
    It would appear to be, but only until the bad guys looking to come from reputable ASNs find out about this.
    25. Terretta No.42964390
    Pretty sure the box with the "shield" icon on it, the ASN the web site would see, is, not coincidentally, Cloudflare?

    https://support.apple.com/en-us/102602

    "As mentioned above, Cloudflare functions as a second relay in the iCloud Private Relay system. We’re well suited to the task — Cloudflare operates one of the largest, fastest networks in the world. Our infrastructure makes sure traffic reaches every network in the world quickly and reliably, no matter where in the world a user is connecting from."

    https://blog.cloudflare.com/icloud-private-relay/

    26. No.42964426
    27. IggleSniggle No.42964481
    Oh they have. It's been a big problem for my company. I assume Apple must work on this from their end, but any success would seem to undermine the privacy guarantee of the service.

    "Bad guys" using Private Relay is one reason these IPs get blocked: one abuser can cause an entire block of people to get flagged as a single malicious user; and a big enough group of users can also look like a single malicious user to many blocklisting strategies, because they all share the same IP.
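An added illustration of the failure mode this comment describes; it is example code written for this page, not any commenter's, Apple's or Cloudflare's logic. A plain per-IP counter treats a shared egress address as one client, so one abuser (or simply enough honest users) gets the whole address flagged; keying known shared-egress ranges on a per-session identifier instead isolates the abusive session. The prefix, session ids and log lines are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed placeholder prefix standing in for a shared egress range
# (a relay/VPN exit pool); not Apple's or Cloudflare's real ranges.
SHARED_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed request log: (client_ip, session_id). The shared egress IP
# carries twelve distinct one-request sessions plus one abusive session.
SAMPLE_LOG = (
    [("203.0.113.5", "s-home")] * 2
    + [("203.0.113.9", "s-bot")] * 8
    + [("198.51.100.7", f"s-relay-{i}") for i in range(12)]
    + [("198.51.100.7", "s-abuser")] * 7
)


def is_shared_egress(ip: str) -> bool:
    """True if the address falls in a known shared-egress prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_EGRESS)


def naive_flags(log, threshold=5):
    """Per-IP counting: every IP above the threshold is flagged, so the
    shared egress address (and everyone behind it) is caught as one client."""
    counts = Counter(ip for ip, _ in log)
    return {ip for ip, n in counts.items() if n > threshold}


def egress_aware_flags(log, threshold=5):
    """Same threshold, but requests from shared-egress ranges are keyed on
    (ip, session), so only the abusive session is flagged, not the address
    that many unrelated users share."""
    counts = Counter()
    for ip, session in log:
        key = f"{ip}/{session}" if is_shared_egress(ip) else ip
        counts[key] += 1
    return {key for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("naive:", sorted(naive_flags(SAMPLE_LOG)))
    print("aware:", sorted(egress_aware_flags(SAMPLE_LOG)))
```

The session key here is whatever per-client signal the site already has (a session cookie, or a Privacy Pass token as mentioned further down the thread); the point is only that the shared address must not be the unit of blocking.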

    28. burnte No.42965142
    Only because without consumers using their IPs, they're a well established company with predictable uses. Once people use it for everything, then the reputation will drop.
    29. snuxoll No.42965773
    > Apple/Cloudflare don't sell/support iCloud Relay as a service that is guaranteed to get you treated nicely by the parties on the other end, so they're not being deceptive with that part either.

    They really do, actually. The fine print on their page only states:

    iCloud Private Relay is not available in all countries or regions. Without access to your IP address, some websites may require extra steps to sign in or access content.

    And they have documentation linked on that same page for website owners: https://developer.apple.com/icloud/prepare-your-network-for-... which even goes a step further and encourages website operators to use Privacy Pass to allow iCloud Private Relay users to skip CAPTCHA challenges.

    And really, this checks out, because iCloud Private Relay has a unique combination of circumstances compared to other commercial VPN users and Tor because:

    * It isn't explicitly designed as a bypass tool of any form like commercial VPNs; your options for IP location are "same general location" or "same country and time zone" - content providers have no reason to block it for allowing out-of-region access

    * Private Relay is backed by iCloud authentication of both the device and the user; you can be beyond reasonably sure that traffic coming from an iCloud Private Relay endpoint is a paying iCloud+ user, browsing with Safari, using their iPhone/iPad/Mac.

    * It is backed by one of the most recognizable brands in the world, with a user base who is more likely to send you nasty messages for blocking this service.

    Of particular note on the last one, there's no "exception list" or anything available for end users in Safari to bypass Private Relay for specific sites. My work one day decided to add the entire "Anonymizers" category to the blocklist in Okta, and I was suddenly unable to access any work applications on my iPhone, which is enrolled in our enterprise MDM solution, because I have Private Relay enabled. Enough people complained that the change was rolled back the same day it was implemented, because the solution was "turn it off" and that was unacceptable to many of our users.

    30. kube-system No.42966211
    There's no way they'd use Tor, because it has major UX problems.
    31. crtasm No.42967543
    That doesn't line up with my experience at all.

    You will still notice when some sites completely block you, of course.

    32. jidar No.42974802
    Blocking based on ASN has never and should never be the frontline. It's the illusion of increased security with little actual impact. The bad guys are everywhere and if blocking an ASN has an improvement on your actual breaches then your security is total crap and always will be until you start doing the right things.