Tell HN: Cloudflare is blocking Pale Moon and other non-mainstream browsers

1343 points Hold-And-Modify | 2 comments | 05 Feb 25 19:08 UTC | HN request time: 0s | source

Hello.

Cloudflare's Browser Intergrity Check/Verification/Challenge feature used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

Users reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

Show context

ai-christianson ◴[05 Feb 25 20:07 UTC] No.42954365[source]▶

>>42953508 (OP) #

How many of you all are running bare metal hooked right up to the internet? Is DDoS or any of that actually a super common problem?

I know it happens, but also I've run plenty of servers hooked directly to the internet (with standard *nix security precautions and hosting provider DDoS protection) and haven't had it actually be an issue.

So why run absolutely everything through Cloudflare?

replies(20): >>42954540 #>>42954566 #>>42954576 #>>42954719 #>>42954753 #>>42954770 #>>42954846 #>>42954917 #>>42954977 #>>42955107 #>>42955135 #>>42955479 #>>42956166 #>>42956201 #>>42956652 #>>42957837 #>>42958038 #>>42958248 #>>42963387 #>>42964892 #

matt_heimer ◴[05 Feb 25 20:54 UTC] No.42954977[source]▶

>>42954365 #

Yes, [D]DoS is a problem. Its not uncommon for a single person with residential fiber to have more bandwidth than your small site hosted on a 1u box or VPS. Either your bandwidth is rate limited and they can denial of service your site or your bandwidth is greater but they can still cause you to go over your allocation and cause massive charges.

In the past you could ban IPs but that's not very useful anymore.

The distributed attacks tend to be AI companies that assume every site has infinite bandwidth and their crawlers tend to run out of different regions.

Even if you aren't dealing with attacks or outages, Cloudflare's caching features can save you a ton of money.

If you haven't used Cloudflare, most sites only need their free tier offering.

It's hard to say no to a free service that provides feature you need.

Source: I went over a decade hosting a site without a CDN before it became too difficult to deal with. Basically I spent 3 days straight banning ips at the hosting company level, tuning various rate limiting web server modules and even scaling the hardware to double the capacity. None of it could keep the site online 100% of the time. Within 30 mins of trying Cloudflare it was working perfectly.

replies(2): >>42955258 #>>42959421 #

johnmaguire ◴[05 Feb 25 21:15 UTC] No.42955258[source]▶

>>42954977 #

> It's hard to say no to a free service that provides feature you need.

Very true! Though you still see people who are surprised to learn that CF DDOS protection acts as a MITM proxy and can read your traffic plaintext. This is of course by design, to inspect the traffic. But admittedly, CF is not very clear about this in the Admin Panel or docs.

Places one might expect to learn this, but won't:

- https://developers.cloudflare.com/dns/manage-dns-records/ref...

- https://developers.cloudflare.com/fundamentals/concepts/how-...

- https://imgur.com/a/zGegZ00

replies(1): >>42955969 #

sophacles ◴[05 Feb 25 22:07 UTC] No.42955969[source]▶

>>42955258 #

How would you do DDoS protection without having something in path?

replies(2): >>42956173 #>>42962295 #

1oooqooq ◴[06 Feb 25 13:54 UTC] No.42962295{4}[source]▶

>>42955969 #

many ways but they are not plug and play so they would lose a few clients... but that is irrelevant as snooping trafic is their real businnes model.

replies(1): >>42965403 #

1. sophacles ◴[06 Feb 25 19:03 UTC] No.42965403{5}[source]▶

>>42962295 #

What are those many ways? Help me understand - I've been doing this shit a long time and I can't think of many ways to provide what Cloudflare does in a way that is cheap, easy, and scalable without working at the HTTP layer. So please help me learn something new, what are those ways?

replies(1): >>42971608 #

2. 1oooqooq ◴[07 Feb 25 11:54 UTC] No.42971608[source]▶

>>42965403 (TP) #

offer a l2 load balancer that act as a queue. if the site decides its a dos/bad request it sends either a dowgraded response the load balancer can read or a side channel comms. then the load balancer drop everything from that ip or other identifiable patterns based only on l2 info.

there are many others. just buy a book for industries that value privacy or pay someone.

↑