←back to thread

Tell HN: Cloudflare is blocking Pale Moon and other non-mainstream browsers

1343 points Hold-And-Modify | 1 comments | 05 Feb 25 19:08 UTC | HN request time: 0.216s | source

Hello.

Cloudflare's Browser Intergrity Check/Verification/Challenge feature used by many websites, is denying access to users of non-mainstream browsers like Pale Moon.

Users reports began on January 31:

https://forum.palemoon.org/viewtopic.php?f=3&t=32045

This situation occurs at least once a year, and there is no easy way to contact Cloudflare. Their "Submit feedback" tool yields no results. A Cloudflare Community topic was flagged as "spam" by members of that community and was promptly locked with no real solution, and no official response from Cloudflare:

https://community.cloudflare.com/t/access-denied-to-pale-moo...

Partial list of other browsers that are being denied access:

Falkon, SeaMonkey, IceCat, Basilisk.

Hacker News 2022 post about the same issue, which brought attention and had Cloudflare quickly patching the issue:

https://news.ycombinator.com/item?id=31317886

A Cloudflare product manager declared back then: "...we do not want to be in the business of saying one browser is more legitimate than another."

As of now, there is no official response from Cloudflare. Internet access is still denied by their tool.

1. doctor_radium ◴[07 Feb 25 20:56 UTC] No.42977383[source]
In the past a Cloudflare representative typically appears in these threads, and if that's happened, I missed it. Not to mention the MVP's comment in the locked Cloudflare thread that

"You should use an up to date major browser. Old Firefox forks are not supported and expected to have problems."

It's all incredibly telling, that they've given up trying to be impartial. When "they" start picking browser winners and losers, are OS's next?

In a way Cloudflare missed an opportunity, because a try()/catch() around the bit of failing JavaScript would have been perfect fingerprinting. Having said that, I don't expect it will take the Pale Moon team very long to patch the problem.

But where to go from here? Is there anybody besides the ACLU and EFF with enough resources to mount a "public nuisance" lawsuit? And what would constitute winning? A court-appointed overseer to make sure Cloudflare is regularly educating its staff on the variety of browsers in use today, and providing near 24–hour turnaround times when issues like this occur? It would be a start.

Personally I wonder if this whole style of security is a fool's errand and any blocking should be server-based and look at behavior, not at arbitrary support of this or that feature. I think it would also be helpful if anybody who finds themselves blocked would be given at least a sliver of why they were blocked, so they could try rectifying the problem with their ISP (bad IP), some blocklist, etc.