Changes made during the past week to Cloudflare's "Browser Integrity Check" used by many web sites result in an infinite redirect loop for many non-mainstream browsers. So far it appears this affects Palemoon, Waterfox, older Firefox, and Firefox developer edition:
https://forum.palemoon.org/viewtopic.php?f=70&t=28227
As it stands, this is effectively blocking a significant portion of the web from these browsers. Attempts to work around this by changing the user agent string do not appear to work. While the specific cause is not yet known, and Cloudflare doesn't appear to have acknowledged the issue, it's suspected that they might be moving to some sort of whitelist of browser signatures. So far, every thread on the issue entered at Cloudflare has been locked:
https://community.cloudflare.com/t/locked-threads-without-a-solution/381829
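Added example, not code from the story or from Cloudflare: a bounded redirect follower that tells a legitimate "bounce to a check page, set a cookie, come back" sequence apart from a genuine loop. It keys the cycle check on (URL, cookie state) rather than URL alone, because the original URL is revisited legitimately once the cookie is present. The fake origin is constructed for the demonstration and is not a description of how Cloudflare's check actually works; the hostname example.test and the cookie name are assumptions.

```python
from urllib.parse import urljoin, urlparse

class RedirectLoop(Exception):
    """Raised with the URL chain that closed the loop (or ran past max_hops)."""

def fake_site(url, cookies):
    """Constructed origin, not a model of any real CDN: '/check' sets a cookie and bounces
    back to '/', and '/' is only served once that cookie comes back.
    Returns (status, headers, cookies_to_set)."""
    path = urlparse(url).path or "/"
    if path == "/check":
        return 302, {"Location": "/"}, {"passed": "1"}
    if path == "/":
        if cookies.get("passed") == "1":
            return 200, {"Content-Type": "text/html"}, {}
        return 302, {"Location": "/check"}, {}
    return 404, {}, {}

def follow(fetch, url, accept_cookies=True, max_hops=10):
    """Follow redirects like a browser would, but detect a cycle on (URL, cookie state):
    revisiting '/' with a new cookie is fine, revisiting it in the same state is a loop.
    Returns (status, final_url, chain)."""
    cookies = {}
    chain = [url]
    seen = {(url, ())}
    for _ in range(max_hops):
        status, headers, set_cookies = fetch(url, cookies)
        if accept_cookies:                       # a client that drops cookies never changes state
            cookies.update(set_cookies)
        if status not in (301, 302, 303, 307, 308):
            return status, url, chain
        url = urljoin(url, headers["Location"])
        state = (url, tuple(sorted(cookies.items())))
        if state in seen:
            raise RedirectLoop(chain + [url])
        seen.add(state)
        chain.append(url)
    raise RedirectLoop(chain)                    # too many hops counts as a loop as well

def loop_chain(fetch, url, **kw):
    """The URL chain if following `url` loops, else None."""
    try:
        follow(fetch, url, **kw)
    except RedirectLoop as e:
        return e.args[0]
    return None

if __name__ == "__main__":
    print(follow(fake_site, "https://example.test/"))
    print(loop_chain(fake_site, "https://example.test/", accept_cookies=False))
```

With cookies accepted the chain is / -> /check -> / and ends in a 200; with cookies rejected the same three URLs come back to the starting state and the loop is reported after two hops instead of running until the browser gives up.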
(Score: 2, Interesting) by Anonymous Coward on Tuesday May 10 2022, @01:47AM (3 children)
Besides the user agent string, what constitutes "browser signature?" Buncha ever-changing heuristics?
(Score: 4, Interesting) by Anonymous Coward on Tuesday May 10 2022, @02:17AM (1 child)
Tons of things about browsers are used to ID individuals, "browser fingerprinting". It isn't much of a stretch that these same attributes and/or others could be used to ID browser vendors. E.g., feature only supported by Chrome, or supported by all browsers except Safari, etc. Although with javascript disabled, you probably defeat the vast majority of the attack surface for fingerprinting (short of standing out specifically because you block JS-- yeah, you can't win). But, Cloudflare knows this, and will throw captchas telling you you need to enable javascript to access content.
I disconnect and reconnect to try to get a new/clean IP, whenever CF, Google, etc., throws a captcha at me because I'm using a mobile carrier (tethering), and the CG NAT IP shared with thousands of other people is declared to have "suspicious activity". If that doesn't work, I just move on. Amazing that Google, CF and other giants seem to have never heard of CG NAT (yeah, I know, they are perfectly aware they are punishing thousands of innocents for every guilty actor, and they just don't give a fuck).
https://www.eff.org/deeplinks/2017/11/panopticlick-30 [eff.org]
https://coveryourtracks.eff.org/ [eff.org]
(Score: 1, Interesting) by Anonymous Coward on Tuesday May 10 2022, @02:33AM
IIRC, it doesn't even load the captcha without javascript enabled. You just get the "checking your browser message".
(Score: 2, Informative) by Anonymous Coward on Tuesday May 10 2022, @10:11AM
First, SSL library and the settings the browser is using it with. https://ja3er.com/ [ja3er.com]
Second, HTTP session specifics (HTTP/2 parameters, headers and their order).
Third, what can be sniffed of the JavaScript engine.
The user agent is only a small part of the second group.
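Added example, not code from the commenter or from ja3er.com: a JA3 fingerprint computed from a ClientHello, plus a header-order hash for the HTTP side. JA3 joins the TLS version, cipher suites, extension types, supported groups and EC point formats (decimal, "-" separated, fields "," separated), drops GREASE values, and MD5s the string, so the same user agent string on a different TLS stack still gets a different fingerprint. The ClientHello below is constructed in code and is not a capture of any real browser.

```python
import hashlib
import struct

def is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa); JA3 leaves them out."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def build_client_hello(version, ciphers, extensions):
    """Wrap a ClientHello in a TLS record. `extensions` is a list of (type, body) in wire order."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                              # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = hs[4:]
    version = struct.unpack("!H", p[:2])[0]
    off = 2 + 32                                                     # skip version and random
    off += 1 + p[off]                                                # skip session id
    n = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    ciphers = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + n, 2)]; off += n
    off += 1 + p[off]                                                # skip compression methods
    end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]; off += 2
    ext_types, groups, formats = [], [], []
    while off < end:
        t, ln = struct.unpack("!HH", p[off:off + 4]); off += 4
        data = p[off:off + ln]; off += ln
        ext_types.append(t)
        if t == 10:                                                  # supported_groups
            gl = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + gl, 2)]
        elif t == 11:                                                # ec_point_formats
            formats = list(data[1:1 + data[0]])
    s = ",".join([str(version),
                  "-".join(str(c) for c in ciphers if not is_grease(c)),
                  "-".join(str(t) for t in ext_types if not is_grease(t)),
                  "-".join(str(g) for g in groups if not is_grease(g)),
                  "-".join(str(f) for f in formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def header_order_fingerprint(headers):
    """The HTTP-side signal: hash the header names in the order they were sent, values dropped."""
    return hashlib.md5(",".join(name.lower() for name, _ in headers).encode()).hexdigest()

# Constructed ClientHello, not a capture of any real browser.
_GROUPS = [0x2a2a, 29, 23, 24]                      # GREASE, x25519, secp256r1, secp384r1
_SNI = b"\x00\x0e\x00\x00\x0bexample.com"           # server_name list: len, host_name type, len, name
_ALPN = b"\x00\x0c\x02h2\x08http/1.1"
SAMPLE_HELLO = build_client_hello(0x0303, [0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f], [
    (0x0a0a, b""),                                   # GREASE extension
    (0, _SNI),
    (23, b""),                                       # extended_master_secret
    (65281, b"\x00"),                                # renegotiation_info
    (10, struct.pack("!H", 2 * len(_GROUPS)) + b"".join(struct.pack("!H", g) for g in _GROUPS)),
    (11, b"\x01\x00"),                               # ec_point_formats: uncompressed
    (16, _ALPN),
])

if __name__ == "__main__":
    print(ja3(SAMPLE_HELLO))
```

Reordering the cipher list or adding one extension changes the string and therefore the hash, which is why spoofing only the User-Agent header (as the story notes) does nothing against this layer.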
(Score: 5, Insightful) by Rosco P. Coltrane on Tuesday May 10 2022, @01:56AM (1 child)
Get used to it folks: that company has managed to wedge itself between you and a goodly portion of the internet, they unilaterally decide if your IP looks kosher, your browser looks kosher, sometimes lets you through despite your connection not quite looking squeaky-clean by allowing you to solve captcha after maddening captcha until you give up, all the while monetizing the shit out of your data going through their servers.
CloudFlare is just as hateful and just as dangerous as Google, just less high-profile. How actors like that are allowed to hold that much power on people's ability to use the internet in good faith unchecked, I'll never know.
(Score: 2, Insightful) by Anonymous Coward on Tuesday May 10 2022, @05:59AM
Modern Man's best weapon? .. the back button. Just ignore the websites that sign up to this nonsense.
(Score: -1, Troll) by Anonymous Coward on Tuesday May 10 2022, @02:03AM (14 children)
So this is why I can't log into SoylentNews today? I thought maybe I got banned.
Oh, maybe I did get banned.
(Score: 1, Insightful) by Anonymous Coward on Tuesday May 10 2022, @02:07AM (5 children)
It's ACs like you that give ACs like me bad names.
Fucking ACs.
(Score: 2, Funny) by Revek on Tuesday May 10 2022, @02:29AM (1 child)
Y'all all post alike to me.
(Score: 0) by Anonymous Coward on Tuesday May 10 2022, @02:30AM
See what I mean?
Fucking ACs.
(Score: -1, Troll) by Anonymous Coward on Tuesday May 10 2022, @06:35AM (2 children)
I know! I would post under my nick, if cloudfart would let me log in to my account. But as it is, we are all AC, now, which means we are all aristarchus, I guess. Don't Spam mod me, bro!
(Score: -1, Troll) by Anonymous Coward on Tuesday May 10 2022, @07:08AM (1 child)
We all know who you are, Ari, and we can recognize your leftist posts a mile away. Even janrinok can detect you. Perhaps you should stop posting, since you have been banned, and it is impossible for you to post, anyway?
(Score: -1, Troll) by Anonymous Coward on Tuesday May 10 2022, @07:05PM
Poor runaway, so easily trolled by people posting kinda like aristarchus. He can whine all day, but takes a special special person to get triggered by it!
(Score: 3, Interesting) by janrinok on Tuesday May 10 2022, @09:34AM (7 children)
(Score: 3, Informative) by janrinok on Tuesday May 10 2022, @09:36AM (4 children)
(Score: 0) by Anonymous Coward on Tuesday May 10 2022, @09:49AM (3 children)
Are you seriously suggesting that if we come in on IPv6, the Slashdot software would have no way to ban us? Or just a failure to connect to the modern internet. SoylentNews seems to be geriatric in more ways than one. I am getting off your lawn! Patience, old man!
(Score: 2) by janrinok on Tuesday May 10 2022, @10:47AM (2 children)
No, I am saying that until I check the code I do not know how robustly we handle IPv6 addresses. There could conceivably be errors occurring and addresses might be blocked when they shouldn't be. Most of Europe is IPv6 now - I no longer have an IPv4 address according to most IP checking sites. I know also that there are TOR exit nodes with IPv6 addresses which might be talking directly to our servers. I simply wanted to know if the person reporting the block knew whether he was using IPv6 or not. The more information we have the easier tracing the problem might be. As I have no way of converting those hashes to real addresses then I asked the question.
The most likely cause remains, however, that somebody else has been abusing that IP address (no matter what type it is) and the block is a result of that activity.
(Score: 2) by RS3 on Tuesday May 10 2022, @07:22PM (1 child)
A few untried thoughts:
You can use "what's my IP" to find out your apparent IP.
Will a proxy / VPN give you a v4 or v6, regardless of your apparent IP?
I've been on WiFi where my local NAT IP was v4, but the Internet side of the gateway (router) was v6, so checking your local Ethernet / WiFi / Bluetooth(?) won't tell you what the world sees of your IP.
MS uses IPv4 to IPv6 "tunneling" / translation tech they call "teredo". Linux also has a mechanism for IPv4 to IPv6 tunneling / translation, probably functionally similar to NAT.
https://sitereport.netcraft.com/?url=https://soylentnews.org [netcraft.com]
Not sure what the actual webserver software sees though...
(Score: 2) by janrinok on Tuesday May 10 2022, @10:38PM
I was referring to sites such as whatsmyip.com when I said that I have an IPv6 address but the site also says that they could not detect an IPv4 address. Western Europe has a much bigger take up of IPv6 than is being reported in, say, the USA.
I understand, or at least I am aware of, the various systems that translate from v4 to v6 or back. If I 'ping' various sites I can get v4 or v6 responses depending on the site. There is obviously translation taking place somewhere but it is not clear where that 'somewhere' is - nor is it of any importance to me.
I can use 'whois' with v4 and v6 addresses and it works as expected. I can also ssh into remote machines, certainly within France, using v6. My router is set up to accept either system but the default option is v6. Ubuntu handles it all seamlessly.
My VPN (PIA) seems to always allocate a v4 address although I can establish contact with it using v6.
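Added example, not code from janrinok, RS3 or the SoylentNews codebase: the checks a site would want before keying an IP block, using only the standard ipaddress module. It classifies an address, pulls the embedded IPv4 out of the transition forms RS3 mentions (Teredo, plus 6to4 and IPv4-mapped addresses as seen on a dual-stack socket), and picks a block key: a /32 for IPv4 and the /64 an IPv6 subscriber normally holds, since banning a single /128 is trivially evaded. The Teredo address is the well-known example from the Python documentation; the block granularities are this example's choice, not a statement about what SoylentNews does.

```python
import ipaddress

def unwrap(addr_str):
    """Classify an address and recover the IPv4 hidden inside transition-mechanism IPv6 addresses.
    Returns (kind, ipv4_or_None)."""
    a = ipaddress.ip_address(addr_str)
    if a.version == 4:
        return "ipv4", a
    if a.ipv4_mapped is not None:      # ::ffff:a.b.c.d, what a dual-stack socket reports for a v4 peer
        return "ipv4-mapped", a.ipv4_mapped
    if a.teredo is not None:           # 2001::/32, Teredo; .teredo is (server, client), client XOR-obfuscated on the wire
        return "teredo", a.teredo[1]
    if a.sixtofour is not None:        # 2002::/16, 6to4; the relay's IPv4 sits in bits 16..47
        return "6to4", a.sixtofour
    return "ipv6", None

def teredo_client_port(addr_str):
    """Teredo also carries the client's NAT-mapped UDP port, obfuscated by XOR with 0xffff."""
    a = ipaddress.IPv6Address(addr_str)
    if a.teredo is None:
        return None
    return ((int(a) >> 32) & 0xffff) ^ 0xffff

def block_key(addr_str):
    """Granularity to count abuse against (this example's policy, not the site's).
    v4: the single host, which behind CGNAT may be thousands of users.
    v6: the /64, since a subscriber can hop /128s within it at will."""
    kind, v4 = unwrap(addr_str)
    if v4 is not None:
        return str(ipaddress.ip_network(f"{v4}/32"))
    return str(ipaddress.ip_network(f"{addr_str}/64", strict=False))

if __name__ == "__main__":
    for s in ["192.0.2.45", "::ffff:192.0.2.1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
              "2002:c000:204::1", "2a01:e0a:1234:5678::1"]:
        print(s, unwrap(s), block_key(s))
```

Note that a blocklist built only for dotted-quad strings will either reject or mis-key every form except the first; running the address through a normaliser like this before comparison is the robustness check janrinok was asking about.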
(Score: 1, Funny) by Anonymous Coward on Tuesday May 10 2022, @12:22PM (1 child)
I'm using IPv5 until I make up my mind one way or the other.
(Score: 2) by hendrikboom on Tuesday May 10 2022, @04:03PM
There was actually an IPv5 developed on the way to IPv6.
And there's a French movie called IPv5, which has nothing to do with computers.
(Score: 2, Insightful) by Anonymous Coward on Tuesday May 10 2022, @03:27AM (4 children)
Could anyone tell me if with Cloudflare the data is encrypted from user browser all the way to the data server? Or does Cloudflare decrypt and reencrypt in their servers?
Basically, is "everyone" going nuts (SSL, etc) about protection against Man in the Middle and then just using a company that does it as a service (MitMaaS)? That would also explain why a free tier is offered, BTW.
Otherwise, how does it really work?
(Score: 1, Interesting) by Anonymous Coward on Tuesday May 10 2022, @03:49AM
Cloudflare terminates SSL for their clients. So, yes, it is a MitM.
(Score: 5, Interesting) by Anonymous Coward on Tuesday May 10 2022, @04:27AM (2 children)
Cloudflare is MitMaaS. That's how they run their "browser checks." They can monitor a sizable chunk of traffic on the internet. Everything from you to them is encrypted, and everything from them to the intended web server is supposed to be encrypted, but on the Cloudflare server everything is processed in cleartext and is available for sniffing by anyone who happens to have root on said server.
If that doesn't give you pause, try this out: Cloudflare has an intermediate CA cert and operates the most commonly-used DNS resolvers in the world.
Sleep well tonight. :)
(Score: 1, Interesting) by Anonymous Coward on Tuesday May 10 2022, @05:16AM (1 child)
(Score: 4, Informative) by Anonymous Coward on Tuesday May 10 2022, @07:52AM
A list of the intermediate certs won't really do much for you. You'll have to distrust the root in order to completely block the intermediates. The root cert is "Baltimore CyberTrust Root" with KeyID E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0.
Just be aware, if you distrust that you'll get a cert error on, at the very least, EVERY site behind Cloudflare. It's possible, and I'd say likely, that there are other intermediate certs signed by that root as well.
You can find their intermediates by loading sites you know are on Cloudflare and checking the certificate details. For example, the intermediate for steamdb.info is "Cloudflare Inc ECC CA-3" with KeyID A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F.
(Score: 1, Troll) by Runaway1956 on Tuesday May 10 2022, @03:39AM (7 children)
that it isn't Firefox blocking Cloudflare?
Abortion is the number one killer of children in the United States.
(Score: 3, Informative) by PinkyGigglebrain on Tuesday May 10 2022, @04:02AM
I can only speak for myself but I'm not using Firefox so it is probably not Mozilla's fault this time.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: -1, Troll) by Anonymous Coward on Tuesday May 10 2022, @06:40AM (4 children)
Soylent blocks individual IPs, despite janrinok's denial. Many have gotten the notices about "bad posting". I have always wondered what "bad" posting was. Seems it is something that mocks conservatives, since they can in no way tolerate being mocked for being stupid, or gullible, or naive, or ignorant, since all of these are true. Nice for Cloudflare to join the SoylentNews fight to suppress the aristarchuses (aristarchoi?) of the world.
(Score: 0) by Anonymous Coward on Tuesday May 10 2022, @02:50PM
I'm interested in your definition of "many." Is it many different people, or a very very few who get them when they try from "many" different IPs?
(Score: 0) by Anonymous Coward on Tuesday May 10 2022, @03:13PM (2 children)
Tell us, Sweetie. Which party is forming its own MinTru?
(Score: 2, Insightful) by Anonymous Coward on Tuesday May 10 2022, @07:06PM
Republicans, in response to FB, TW, and AP being entrenched in liberalism. Got it now? No, still mind-controlled by mass-media bias?
(Score: 1, Informative) by Anonymous Coward on Tuesday May 10 2022, @07:07PM
The GOP. Next?
(Score: 0) by Anonymous Coward on Wednesday May 11 2022, @06:07PM
Considering that Firefox now defaults to sending DNS queries to Cloudflare (APK must be devastated that hosts don't work), this seems extremely unlikely that they would also be blocking Cloudflare.
(Score: 5, Interesting) by PinkyGigglebrain on Tuesday May 10 2022, @03:59AM (2 children)
I've been having this and similar problems accessing a site hosted by cloudflare for the last month or so, and many others on other forums I've read have also been having problems for just as long. Just not as bad as it has been the last week.
What's kind of ironic is that this 'browser check' that cloudflare does is apparently supposed to mitigate DDOS attacks but it has actually resulted in making at least one site it is supposed to be protecting unavailable for far longer than an actual DOS attack could hope to manage.
I just hope Cloudflare gets their act together, or the site I like finds another hosting service, soon.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 4, Insightful) by RS3 on Tuesday May 10 2022, @06:45AM
Yeah, I wonder if the site owners know this is happening? Might be good to let them know, and that there are better hosting companies.
(Score: 1, Insightful) by Anonymous Coward on Tuesday May 10 2022, @01:51PM
This may explain why the browsers on my phone no longer work
(Score: 5, Touché) by digitalaudiorock on Tuesday May 10 2022, @12:43PM (2 children)
For what it's worth see the reply here from a product manager at Cloudflare:
https://news.ycombinator.com/item?id=31317886 [ycombinator.com]
I'm a long time Palemoon user and this is NOT the first time their bullshit has screwed me. While that reads like they might actually fix this, the whole scenario sucks. Last time I checked, the w3c standards didn't include "beg Cloudflare to bless your browser".
(Score: 0) by Anonymous Coward on Tuesday May 10 2022, @01:53PM
Stop giving them ideas. w3c already implemented sufficient bad ideas without you providing more. Thanks
(Score: 1, Insightful) by Anonymous Coward on Tuesday May 10 2022, @06:51PM
I'm also often a PM user, and was having trouble logging onto multiple sites where I have accounts on (not all sites, SN was fine). And there was just a PM update (to 31.0.0) that fixed the problem. According to the "changes" page, apparently the last 2 releases have contained code that was screwed up
(Score: 0) by Anonymous Coward on Tuesday May 10 2022, @02:17PM (2 children)
Website owners don't want DDOS, so they use Cloudflare for a CDN.
This includes blocking some requests that perhaps are not from paying eyeballs.
Website owners don't want automatic scraping of their sites, so they ask Cloudflare to also look for server fingerprints.
Seems like if you used Python to automate an approved browser, it would fingerprint ok.
So what do the fingerprints do that is useful?
(Score: 2) by number11 on Tuesday May 10 2022, @07:10PM (1 child)
Enable them to identify you, possibly uniquely, so they can sell that information? Some browsers have anti-fingerprinting features, but it's not clear how well those work (your fingerprint includes info like time zone, user agent, installed plugins, installed fonts, screen resolution, language)
(Score: 0) by Anonymous Coward on Wednesday May 11 2022, @11:31AM
Enable them to identify you, possibly uniquely,
So, how about a script to configure your browser to have exactly the same config as everybody else?
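Added example, not code from number11, the AC above or the EFF tools linked earlier: the surprisal arithmetic Panopticlick uses, run over a constructed population of 100 browsers (skewed browser share, the other attributes cycling), not measured data. It shows what "possibly uniquely" means in bits, and why the "same config as everybody else" script only helps if the browser itself is common: the scarce user agent alone leaves an anonymity set of five, and any further attribute finishes the job. The attribute values and counts are this example's assumptions.

```python
import math

TZ = ["Europe/Paris", "America/New_York", "Asia/Tokyo", "UTC"]
SCREENS = ["1920x1080", "1366x768"]
LANGS = ["en-US", "fr-FR", "ja-JP"]

def make_population():
    """Constructed population of 100 browsers (assumed shares, not survey data)."""
    pop = []
    for ua, count in [("Chrome/101", 60), ("Firefox/100", 25), ("Safari/15", 10), ("PaleMoon/31", 5)]:
        for i in range(count):
            pop.append({"ua": ua, "tz": TZ[i % 4], "screen": SCREENS[i % 2], "lang": LANGS[i % 3]})
    return pop

POPULATION = make_population()

def surprisal_bits(population, attr, value):
    """Panopticlick-style surprisal, -log2 P(value): identifying information in one attribute."""
    n = sum(1 for p in population if p[attr] == value)
    return math.log2(len(population) / n) if n else math.inf

def anonymity_set(population, probe):
    """Number of browsers matching every attribute in `probe`; 1 means uniquely identified."""
    return sum(1 for p in population if all(p.get(k) == v for k, v in probe.items()))

def fingerprint_bits(population, probe):
    """Bits carried by the whole combination, -log2 of the fraction sharing all of it."""
    n = anonymity_set(population, probe)
    return math.log2(len(population) / n) if n else math.inf

if __name__ == "__main__":
    common = {"tz": "Europe/Paris", "screen": "1920x1080", "lang": "en-US"}
    for ua in ["Chrome/101", "PaleMoon/31"]:
        probe = dict(common, ua=ua)
        print(ua, "ua alone: %.2f bits" % surprisal_bits(POPULATION, "ua", ua),
              "full probe: set of", anonymity_set(POPULATION, probe),
              "= %.2f bits" % fingerprint_bits(POPULATION, probe))
```

With the same timezone, screen and language, the Chrome user hides among five others while the Pale Moon user is alone, which is the "you can't win" the earlier commenter described: standing out by browser choice is itself a fingerprint.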
(Score: 2, Interesting) by Anonymous Coward on Tuesday May 10 2022, @02:54PM (4 children)
as a good model internet user of today i will just throw my feelings out there with no real background knowledge at all for y'all to enjoy:
methinks we gotta look out for about:config "DOM.storage.enable = true (default)" // "false" is correct but breaks "scroll-loading on news.yahoo.com" for example.
we should all be able to enjoy a working web with DOM.storage.enable = false.
why "dom.event.contextmenu.enable" is "true" by default is also beyond me. it allows a remote foreign website to disable your mouse's right-click pop-up menu that has things like "save image ..." Pluuuse mozilla, PLEASE! THINK!
(Score: 1, Interesting) by Anonymous Coward on Tuesday May 10 2022, @03:33PM (2 children)
dom.event.contextmenu.enable exists to allow websites to provide their own context menu. In Firefox, you override this with shift-rightclick. In chrome, I don't think you can override it. Shame on Google.
(Score: 2) by hendrikboom on Tuesday May 10 2022, @04:19PM (1 child)
How would an ordinary user go about discovering things like this override?
(Score: 0) by Anonymous Coward on Wednesday May 11 2022, @01:32AM
I’m not a normal user, I compile my own browser.
If I hear of a new annoyance, I go to the source and nop out the behavior.
(Score: 0) by Anonymous Coward on Tuesday May 10 2022, @08:02PM
Oh, hai, Runaway!
(Score: -1, Flamebait) by Anonymous Coward on Tuesday May 10 2022, @07:57PM
if your site uses Cloudflare, you are a dumb fucking asshole.
(Score: 3, Interesting) by Anonymous Coward on Tuesday May 10 2022, @10:18PM
Became serious recently when my credit union started using cloudflare. It wants to have me fill in a captcha when using Seamonkey. Spoke to the manager and that stopped for a month, then started up again.
Had a good relationship with that credit union for years, no login issues till now. Because they don't understand I don't want third parties to know when and where I bank, I'm getting a new credit union.
(Score: 2) by digitalaudiorock on Friday May 13 2022, @01:13PM
Just to update this one, apparently some time yesterday (5/12/2022) Cloudflare rolled out some change that addresses this, and the browsers in question no longer go into a redirect loop.
As far as I'm concerned however, this one's not "fixed". A real "fix" here is when/if Cloudflare moves to some sort of a "blacklist" approach as opposed to the apparent browser "whitelist" approach they're using. If that's not feasible, too fucking bad...just stop doing this entirely. Nobody has the right to start deciding what browsers we can use on a large portion of the web, and nobody appointed Cloudflare as the official browser police.
If anyone reading this administers any web site(s) that use Cloudflare, do us all a favor and send a message by switching to just about anyone else.