1343 points | Hold-And-Modify | 9 comments

Hello.

Cloudflare's Browser Integrity Check/Verification/Challenge feature, used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

User reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

nikkwong No.42959315
Yesterday I was attempting to buy a product on a small retailer's website—as soon as I hit the "add to cart" button I got a message from Cloudflare: "Sorry, you have been blocked". My only recourse was to message the owner of the domain asking them to unblock me. Of course, I didn't, and decided to buy the product elsewhere. I wasn't doing anything suspicious... using Arc on an M1 MBP; normal browsing habits.

Not sure if this problem is common, but I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures. I would hope the cost to retailers is trivial in this case; I guess the upside of blocking automated traffic can be quite great.

Just checked again and I'm still blocked on the website. Hopefully this kind of thing gets sorted out.

jen729w No.42960397
Vendors who block iCloud Relay are the worst. I'm sure they don't even know they're doing it. But some significant percentage of Apple users -- and you'd have to think it's only gonna grow -- comes from those IP address ranges.

Bad business, guys. You gotta find another way. Blocking IP addresses is o-ver.

1. cprecioso No.42960506
This would be weird, esp. given that Cloudflare is one of the vendors who act as exit nodes for iCloud Relay.
2. latexr No.42960816
I believe your parent comment means when the target website blocks, not Cloudflare.

YouTube is a perfect example. Using iCloud Private Relay can now frequently label you as a bot, which stops you from watching videos until you log in.

3. lloeki No.42961119
Happened to me.

Interestingly enough I checked on another non-Private Relay device (it worked), disabled Private Relay, refreshed the page, which still blocked me, and it resulted in the ban instantly extending to my other non-Private Relay devices.

I presume some fingerprinting/evercookie was in place which led to a flagging/ban extension to my home IP.

4. tessela No.42961696
It happens to me a lot; I just created a small automation to use https://cobalt.tools to download the content. Their loss, not mine.
5. egberts1 No.42961813
Nice tool.
6. latexr No.42962483
I do something similar. Over 90% of my YouTube consumption is with Alfred workflows which use mpv and yt-dlp under the hood. I just press a keyboard shortcut and the frontmost tab closes in the browser and starts playing in mpv.

The remaining percentage is still annoying, as it happens from the phone.

7. jrootabega No.42962833
I don't think that's weird. That's what I would want from an honest vendor who is involved in both services - block anonymization/obfuscation users if I'm paying you to block them. Apple/Cloudflare don't sell/support iCloud Relay as a service that is guaranteed to get you treated nicely by the parties on the other end, so they're not being deceptive with that part either.

What I'd worry about is Cloudflare using their knowledge of their VPN clients to allow services behind their attack protection to treat those clients better, because maybe they're leaking client info to the protected services.

Not that I think Cloudflare/Apple/etc. are supremely noble/honest/moral, or that it's good that semi-anonymous connections are treated so badly by default; this juxtaposition just doesn't seem like a problem to me.

EDIT: OK, I back off of this position somewhat. Apple's marketing of iCloud Relay might allow users to believe it's more prestigious and reputable than a VPN/Tor. They do have fine print explaining that you might be treated badly by the remote services, but it's, you know, fine print, and Apple knows that they have a reputation for class and legitimacy.

8. ir77 No.42963798
why is your tool so hard to use on ios? the website instructions say you need a companion siri shortcut, but nowhere is there actually a shortcut listed.

combing and coming through searches and reddit all comes up with non-working siri shortcuts that complain that the url is not found.

9. snuxoll No.42965773
> Apple/Cloudflare don't sell/support iCloud Relay as a service that is guaranteed to get you treated nicely by the parties on the other end, so they're not being deceptive with that part either.

They really do, actually. The fine print on their page only states:

> iCloud Private Relay is not available in all countries or regions. Without access to your IP address, some websites may require extra steps to sign in or access content.

And they have documentation linked on that same page for website owners: https://developer.apple.com/icloud/prepare-your-network-for-... which even goes a step further and encourages website operators to use Privacy Pass to allow iCloud Private Relay users to skip CAPTCHA challenges.

And really, this checks out, because iCloud Private Relay has a unique combination of circumstances compared to other commercial VPN users and Tor because:

* It isn't explicitly designed as a bypass tool of any form like commercial VPNs, your options for IP location are "same general location" or "same country and time zone" - content providers have no reason to block it for allowing out of region access

* Private relay is backed by iCloud authentication of both the device and the user, you can be beyond reasonably sure that traffic coming from an iCloud Private Relay endpoint is a paying iCloud+ user, browsing with Safari, using their iPhone/iPad/Mac.

* It is backed by one of the most recognizable brands in the world, with a user base who is more likely to send you nasty messages for blocking this service.

On particular note of the last one, there's no "exception list" or anything available for end-users in Safari to bypass Private Relay for specific sites. My work one day decided to add the entire "Anonymizers" category to the blocklist in Okta, and I was suddenly unable to access any work applications on my iPhone which is enrolled in our enterprise MDM solution because I have Private Relay enabled. Enough people complained that the change was rolled back the same day it was implemented, because the solution was "turn it off" and that was unacceptable to many of our users.