    1343 points Hold-And-Modify | 12 comments

    Hello.

    Cloudflare's Browser Integrity Check/Verification/Challenge feature, used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

    User reports began on January 31:

    https://forum.palemoon.org/viewtopic.php?f=3&t=32045

    This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

    https://community.cloudflare.com/t/access-denied-to-pale-moo...

    Partial list of other browsers that are being denied access:

    Falkon, SeaMonkey, IceCat, Basilisk.

    Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

    https://news.ycombinator.com/item?id=31317886

    A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

    As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

    nikkwong ◴[] No.42959315[source]
    Yesterday I was attempting to buy a product on a small retailer's website—as soon as I hit the "add to cart" button I got a message from Cloudflare: "Sorry, you have been blocked". My only recourse was to message the owner of the domain asking them to unblock me. Of course, I didn't, and decided to buy the product elsewhere. I wasn't doing anything suspicious: using Arc on an M1 MBP; normal browsing habits.

    Not sure if this problem is common, but I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures. I would hope the cost to retailers is trivial in this case; I guess the upside of blocking automated traffic can be quite great.

    Just checked again and I'm still blocked on the website. Hopefully this kind of thing gets sorted out.

    replies(13): >>42959473 #>>42959512 #>>42960071 #>>42960395 #>>42960397 #>>42961792 #>>42961906 #>>42964337 #>>42964617 #>>42965068 #>>42965688 #>>42965889 #>>42970070 #
    LeifCarrotson ◴[] No.42964337[source]
    > I would be pretty upset if I implemented Cloudflare and it started to inadvertently hurt my sales figures.

    The problem is that all these Cloudflare forensics-based throttling and blocking efforts don't hurt sales figures.

    The number of legitimate users running Arc is a rounding error. Arc browser users often come to Cloudflare without third-party tracking and without cookies, which is weird and therefore suspicious - you look an awful lot like a freshly instantiated headless browser, in contrast to the vast majority of legitimate users who are carrying around a ton of tracking data. And by blocking cookies and ads, you wouldn't even be attributable in most of the stats if they did let you in.

    It would be like kicking anyone wearing dark sunglasses out of a physical store: sure, burglars are likely to want to hide their eyes. Retail shrink is something like 1.5% of inventory, while blind users are <0.5% of the population. It would violate the ADA (and basic ethics) to prohibit all blind shoppers, so in the real world we've decided that it's not legal to discriminate on this basis even if it would be a net positive for your financials.

    The web is a nearly unregulated open ocean, Cloudflare can effectively block anyone for any reason and they don't have much incentive to show compassion to legitimate users that end up as bycatch in their trawl nets.

    replies(4): >>42964656 #>>42965053 #>>42966257 #>>42967049 #
    1. TheRealPomax ◴[] No.42966257[source]
    The number of legitimate users on "not chrome, edge, safari, or firefox" is about 10% of the browser market. I don't know about you, but if I'm running a shop, and the whole point of my website is to make sales, but my front door is preventing 10% of those sales? That door is getting replaced.
    replies(5): >>42966408 #>>42966448 #>>42966602 #>>42967069 #>>42967080 #
    2. supernovae ◴[] No.42966408[source]
    If you were running a shop, you would realize that nearly 100% of the fraud is "not chrome, edge, safari, or firefox"

    It's unfortunate yes but that's what drives the threat signatures

    replies(1): >>42967518 #
    3. agoodusername63 ◴[] No.42966448[source]
    Why would you assume that the 10% of non standard browsers are going to buy anything?

    Demographic is important here. If I was running a shop that sold software for Linux users, sure. If I'm running a store that sells pretty much anything else? I'm not caring.

    replies(1): >>42967171 #
    4. lotsofpulp ◴[] No.42966602[source]
    You don't think the people actually running the shops, whose income depends on the shop, have thought of that and thus there exists a downside that more than offsets the upside?
    replies(2): >>42967179 #>>42998712 #
    5. NoMoreNicksLeft ◴[] No.42967069[source]
    >That door is getting replaced.

    Sure. If there was another place to buy a better door at. But if that door manufacturer's the only one that makes doors, if the door installer and door technicians all tell you that they can't or won't make another door for you, then you just deal. Maybe crank up the prices a bit to try to mitigate your 10% shortfalls.

    The place where a business looks at that problem and sees money being left on the table that it can't live without and that it has no other way of making up for... that is a very narrow stretch, and only very marginal businesses live there.

    6. Aldo_MX ◴[] No.42967080[source]
    Then you get burglars in your shop instead of legitimate customers.

    User Agents look the way they do because this is a recurring issue.

    A browser without network effects gets blocked, they look for a way to bypass the blocking, then they become mainstream and now the de-facto UA is larger than before.

    replies(1): >>42974094 #
    7. handoflixue ◴[] No.42967171[source]
    Why would you expect people using non-standard browsers don't buy things? Presumably they still eat food, wear clothing, and enjoy hobbies.

    I'd think that a non-standard browser also strongly suggests that they're a financially-comfortable middle-class individual, and quite possibly a whale with FAANG income.

    replies(1): >>42980521 #
    8. handoflixue ◴[] No.42967179[source]
    The people running the shops aren't the people making the decision - Cloudflare is. The shop's only real decision is "use Cloudflare" or "die to all the attacks Cloudflare exists to prevent"
    9. crtasm ◴[] No.42967518[source]
    Why would fraudsters use a browser that's likely to be blocked? They'll be using the standard browsers like (mostly) everyone else.

    edit: it's noted downthread that automated testing of card details to find valid ones is a reason.

    10. TheRealPomax ◴[] No.42974094[source]
    Fun fact: you can't steal paid software by faking a user agent, because that's not how sales work. But you can lose sales by blocking user agents.

    And use your brain for a hot second will you? Bad actors don't use a rare user agent, they use the same Chrome user agent that everyone else uses.

    11. what ◴[] No.42980521{3}[source]
    It strongly suggests they’re a neet.
    12. mft_ ◴[] No.42998712[source]
    Yes. I suspect that many people who run online shops don’t think about this issue and, mostly, don’t even know there is an issue.