For what is apparently the fifth time in recent years, changes to the Cloudflare browser integrity check are blocking the Palemoon browser as well as other non-mainstream browsers from any sites that use it. Every time this has happened before it's taken at least two weeks for them to address it. This one has gone on for a week and Cloudflare has yet to even acknowledge it. Here's the original post on the Palemoon forum:
https://forum.palemoon.org/viewtopic.php?f=3&t=32045
The following post was then made on the Cloudflare community forum. Oddly, the thread was apparently closed because forum users flagged it as spam. It's pretty clear that these were pro-Cloudflare trolls on the forum that Cloudflare themselves is apparently OK with...likely because they troll on Cloudflare's side:
https://community.cloudflare.com/t/access-denied-to-pale-moon-desktop-browser/764330
This was later started on Hacker News:
https://news.ycombinator.com/item?id=42953508
It's bad enough that many sites get coded so as to only work on mainstream browsers. However it's a much bigger issue when a company that's becoming the gateway to the web does so. In addition to the countless things that are wrong with this, I also agree with this post from user "Deadgye" on the Palemoon forum, making a case for false advertising on their part:
https://forum.palemoon.org/viewtopic.php?f=3&t=32045&start=100#p259382
The cynic in me wonders if every time I get blocked from a site, I might be doing a $blocked_bots++ to some statistics Cloudflare may brag about.
(Score: 3, Informative) by looorg on Saturday February 08, @12:33PM (4 children)
The widget wasn't only failing or looping forever. It crashed the browser. There was a patch for it yesterday. But all it seemed to do so far is make sure the browser isn't crashing from it. But it still loops for a really, really, long time. Then it might eventually move forwards or it just stalls out.
One would think that they wouldn't waste their time with trying to fuck around with a browser with as small a market segment as Pale Moon but apparently nothing is beneath them or the browser is a lot more popular than I would have thought.
(Score: 1, Interesting) by Anonymous Coward on Saturday February 08, @01:55PM
I use it, but the useragent mostly claims to be firefox. (it has a LOT of site specific user-agent strings)
(Score: 0) by Anonymous Coward on Sunday February 09, @12:24AM (2 children)
Such stuff probably requires enough javascript enabled too.
(Score: -1, Troll) by Anonymous Coward on Sunday February 09, @12:39AM (1 child)
Go read the links. Cloudflare is deliberately blocking anything that is not one of the six browsers on their list.
(Score: 0) by Anonymous Coward on Sunday February 09, @01:36AM
It's likely your browser will work if it supports their javascript challenge, even if it doesn't provide a "blessed" user agent string.
(Score: 2) by DadaDoofy on Saturday February 08, @01:59PM (6 children)
"It's bad enough that many sites get coded so as to only work on mainstream browsers."
You do realize that every browsing platform a web application supports requires additional time and money for development, testing and maintenance, right? Why would app developers allocate those resources to supporting browsers most people have never even heard of, let alone use?
(Score: 5, Insightful) by pTamok on Saturday February 08, @02:16PM (4 children)
What should happen is coding to an open, stable, independent cross-industry standard, so that any browser, that is standards compliant, works.
Using the Alphabet/Google Chrome behaviour as the standard to follow is...inadvisable, unless you are Alphabet/Google. It changes on Alphabet/Google's whim, and in ways that benefit Alphabet/Google, entrenching a de-facto monopoly. Either Microsoft could not compete, or chose not compete.
(Score: 5, Insightful) by digitalaudiorock on Saturday February 08, @02:33PM
Exactly. If they were doing stuff right, Cloudflare would work on a browser that nobody's even coded yet, if that browser was written to standards. But instead we're heading toward Cloudflare being the web's browser police forcing everyone into a walled garden. F that.
(Score: 3, Interesting) by DadaDoofy on Saturday February 08, @03:17PM (2 children)
"Either Microsoft could not compete, or chose not compete."
Or, Microsoft's been there, done that and got busted for it.
https://www.justice.gov/atr/us-v-microsoft-courts-findings-fact [justice.gov]
(Score: 3, Insightful) by aafcac on Saturday February 08, @08:26PM
Trying to have their own browser forced on users has cost the company quite a bit of money independent of the actual cost of legal bills. It also meant that they had to integrate it tightly enough with the rest of the OS that it wasn't a separate piece of software and couldn't easily be secured against online attacks the way that software like Chrome or Fx could be by being a separate piece of software that could be walled off from large chunks of the OS or may not even be present on some systems. Even Google has learned something from that in terms of moving more and more apps from the Android base install to items that could be updated via the playstore without Carriers having to cooperate.
(Score: 1) by pTamok on Saturday February 08, @09:55PM
They got busted for Internet Explorer. They didn't get slapped on the wrist for the Edge browser before it became a Chromium derivative. To quote from Wikipedia: Microsoft Edge Legacy [wikipedia.org]
Essentially, Microsoft gave up on developing their own browser and adopted Alphabet/Google's code.
(Score: 3, Insightful) by aafcac on Saturday February 08, @08:13PM
Only because Google deliberately goes out and breaks stuff or because web developers insist on doing things with a website that you shouldn't be doing with a website. We went through this in the '90s with JavaScript and IE fighting with Netscape over what should be included and it was a real mess.
There is absolutely no reason why we should still be doing that sort of nonsense now as the things that you legitimately need to do with a browser have standards and most of those standards have been in place for quite a while. There is very little reason for a website to need to know much more than the resolution of the device that's displaying it and what type of input devices are in use, whether it's keyboard+mouse or touch input.
(Score: 5, Interesting) by SomeGuy on Saturday February 08, @02:06PM (6 children)
Clownflare needs to review the security of your connection before proceeding.....
Does anyone know exactly what their so-called "security check" is actually testing?
Of course, these days the word "security" has come to mean a bunch of evil space clowns raping everyone's every orifice until it bleeds.
And yea, this thing is so invasive it even crashes browsers sometimes. This crap has been blocking some sites I need to access, that would work fine otherwise.
Welcome to the future of the web. At one button press any non-approved client is magically forbidden from operating. Oddball OS? Secure you. Custom browser required for accessibility? Secure off and die. Not running Coogle Grome? Secure your security hole. Extensions to block certain kinds of content? Secure your eyes with a ten foot fluorescent security pogo stick. Not the absolute latest? Time to open your wallet up so the big companies can secure your money.
With how invasive browser fingerprinting can be, who knows what they might be checking. I might just be holding my jaw wrong, so I have to be secured in the face.
Thank you Clownflare for "securing" my perfectly fine internet connection and computer in to a smoldering secure pile of debris.
(Score: 5, Informative) by digitalaudiorock on Saturday February 08, @02:36PM (1 child)
It's apparently determining whether or not you're really a browser as opposed to a bot, but it's doing so by exploiting weird, obscure, undocumented JavaScript quirks of specific browsers. Thus they're determining what browsers we're all allowed to use.
(Score: 4, Interesting) by aafcac on Saturday February 08, @08:15PM
Which doesn't really make much sense. I've got a 3rd display that's purely virtual and I could easily run a browser in that monitor and use a bot to interact with the browser, it's not that hard to do. Or, I could set that up to run in a virtual machine that's completely walled off from the rest of my OS so that I can run the bot while I do other things on my computer. It's not really that much harder than running a regular bot and there are entire software packages that are set up to do so.
(Score: 4, Insightful) by Ken_g6 on Saturday February 08, @05:03PM (3 children)
On the other hand, if JavaScript can crash a browser, that browser really isn't secure. Crashes like that tend to come from buffer overflows that can be exploited for malicious activity.
(Score: 4, Touché) by SomeGuy on Saturday February 08, @08:06PM
That may be, but what gives them the right to come in to MY web browser and smash things up? What they are doing IS malicious.
(Score: 0) by Anonymous Coward on Sunday February 09, @12:45AM
Usually the browser doesn't crash, the site just gets stuck in a loop of "checking your security, reloading the page". You can close the tab anytime, you just can't get to the site behind their browser check.
(Score: 2) by deimtee on Sunday February 09, @03:34AM
In a laissez-faire anarcho-capitalist society, you would be correct, and that is how everyone would react. But we live in a rather different world where changing a number in the URL can get you a conviction under the Computer Fraud and Abuse Act. By those rules sending Javascript that crashes your computer is a felony.
Of course, it is one rule for Companies, and a different one for Peasants.
200 million years is actually quite a long time.
(Score: 2, Touché) by Mojibake Tengu on Saturday February 08, @03:13PM
If you really need to write a bot or browser against Cloudflare, use HTTP/3.
Leet bonus if you do with quiche, Cloudflare's own QUIC and HTTP/3 implementation.
Yes, Rust. But it's pretty embeddable, after all.
Lesson learned: When corporates diverge, adapt.
Rust programming language offends both my Intelligence and my Spirit.
(Score: 4, Insightful) by VLM on Saturday February 08, @03:26PM (1 child)
I think it's browser wars part 2.
Noobs to the internet and younger than 30-year-olds probably don't remember the www used to be fractured by browsers and god help us websites used to have footers like "Best viewed on MSIE 3.0" or whatever.
We're headed back to those days now.
There are older SuperMicro server hardware IPMI BIOSeses where the IPKVM stopped working on Chrome a year or two ago; who knows why; you need an alt-browser to use the IPKVM feature on hardware only a couple years old.
Meanwhile now trying to use an alt-browser will get you banned out on the web.
As a side note I'd assume these bans are due to AI training data gathering being obnoxious as usual. The way to fight AI crawler abuse is to identify the crawlers and feed them good-looking but intentionally bad inaccurate data to make the model results look bad, not to randomly ban IPs. "The Superbowl is next Tuesday, February 31st, at twenty-seven o'clock" nobody is going to fall for that but an AI crawler would fall for it.
(Score: 3, Insightful) by driverless on Sunday February 09, @06:59AM
That's because of the Google children's decision that as of next Tuesday everybody has to do this or things won't work with Chrome any more. It's not just the SuperMicro IPKVM, lots of devices and systems have stopped working because the Google children decided that they got to set the standard for how things are done on the Internet.
If Microsoft had tried this 20 years ago there'd have been mobs with pitchforks and flaming brands marching on Redmond.
(Score: 5, Insightful) by Anonymous Coward on Saturday February 08, @03:45PM
About 10% of sites that I hit -- usually through search engines -- use Cloudflare's deny host.
I just move on. There have been a *few* times where I really wanted access and had to use another browser, but I could count the times on one hand. When the Cloudflare Deny circle comes up, I just close the tab - even when it "works" there's no way to get through it, it just throws up another captcha, just refreshes the page, ad infinitum.
It's a tar pit.
You host with Cloudflare, and your site is inaccessible. Just that simple.
(Score: 3, Touché) by DadaDoofy on Saturday February 08, @05:56PM (6 children)
When did it become mandatory to use Cloudflare?
(Score: 3, Interesting) by DrkShadow on Saturday February 08, @06:01PM (5 children)
Is every online shop and hobbyist website aware of the problems with Cloudflare? (are articles like these part of making people aware?)
Perhaps we should have surgeon-generals' warnings for web-host front-ends -- "Will block users who are not using Google OS." We can enforce them under false advertising and fraud laws, perhaps.
(Score: 5, Interesting) by datapharmer on Saturday February 08, @10:10PM (4 children)
It’s tough. If you are a small shop, losing a little traffic vs fighting off hackers and spammers attacking your site built on Wordpress plugins of questionable quality is tough. The market shows that losing a bit of traffic was the better of two evils.
Cloudflare was born out of project honeypot, and it definitely did some good protecting things in the beginning, but they have made some questionable decisions over the years (like offering ssl between cf and the client and sending from cf to the server in plain text) and have been breaking more and more as time goes on. It’s gotten to the point that many of the clients I have that were using it on free, pro or business plans have had to move away because it started breaking things so badly and there is no product support (the forum and ticket systems are a joke).
(Score: 3, Interesting) by Anonymous Coward on Sunday February 09, @02:33AM (3 children)
1) less likely to buy stuff
2) less likely to subscribe to stuff
3) more likely to have ad blockers
4) less likely to be people with tons of followers who'd draw profit to your site
etc etc
Am I wrong? So recalculate the cost:benefit to the site taking into account this and similar realities.
p.s. I'm one of those "non-buyer" users.
(Score: 2, Touché) by Anonymous Coward on Sunday February 09, @03:31AM (1 child)
Don't forget, those "others" -
1) they tend to be your technical support
2) they tend to be the ones who will tell you if something is "safe" to do on the web (e-mail) or not
3) they tend to be corporate decision makers about IT policy
4) they write your software, probably your shopping cart, certainly your blogging platform
Be careful whom you hurt. :-)
(Score: 1, Touché) by Anonymous Coward on Sunday February 09, @05:34PM
Pale moon users? Nah. They're the ones that need technical support.
They're the ones who can't browse cloudflare sites.
The last I checked "archive.today" is not an official browser supported by Cloudflare and yet it works with a cloudflare protected site. Firefox Android works too (Firefox Android is a significantly different browser from Firefox desktop). There's shared code sure. But Palemoon had shared code too (and looking at Palemoon release notes and the CVEs mentioned it still seems to have shared code/exploits with Firefox).
Even if they do, you shouldn't be taking their advice on what is safe to do on the web when they keep using a browser that's likely to be more exploitable than Firefox AND remain so. Look at their response: they have a browser that crashes on a cloudflare site, if they really cared about security they should be submitting a CVE and thanking Cloudflare for helping them find a bug in their browser instead of crying so much about it.
They can claim to be more secure for all they like, but where are the Palemoon CVEs for these recent Palemoon specific crashes?
So, to me it looks more like the Palemoon devs aren't coping well with the challenge of keeping a browser up to date and secure.
(Score: 3, Interesting) by datapharmer on Sunday February 09, @02:38PM
Yes, based on that it’s true, but this as I mentioned is shifting - it is no longer a fringe issue. I see it with chrome and Firefox too where I simply can’t get to a site because it doesn’t like something mysterious about my connection. At one point I couldn’t even use their own dashboard due to inexplicable errors where it would just send null responses. They broke webrtc on connections for various software my clients were using for some unknown reason without notice and have thus far not fixed it, so those clients had no choice but to stop paying for their services and look elsewhere for equivalents.
Some of the other hosted “web application firewall” providers are no better - I regularly have to abandon websites that use them because they block me and the challenges just go in circles.
(Score: 4, Informative) by jman on Sunday February 09, @03:12PM
For GUI web surfing, switched to Firefox years ago from Mosaic. (Was always an "early" adopter. Quattro Pro instead of 123, WordPerfect - 5.1, baby! Best DAS-based processor ever written - instead of the M$ variant, or even, Ghu forbid, WordStar, though I do thank them for assisting in the mass adoption of CTRL keys.)
Enjoy using Selenium to automate report downloads for work, etc. Not just scraping for fun or profit; legitimate usage of automation to retrieve data I have a right to acquire.
One of the shops I maintain uses an online combo ERP/CRM which got hacked a while back. After things were restored and functional again, the site hired CloudF*ck to help protect their bits. Barn door already open folks!
I began having difficulty getting through to the site when using the main automation machine - which happens to run OSX - seeing only the endless turnstile. No amount of clicking "Verify you are human" would work. Oddly enough, the 'doze and 'nix machines versions of FF I have on hand, plus FF on the all-doze boxes for staff at the various offices, did not seem as affected, but did see false positives every now and again which a single click solved.
Thinking the Mac box could have been fingerprinted somehow, I tried creating brand new FF profiles, sometimes tweaking various things in the "Privacy and Security" section, sometimes not. Same result, endless turnstile.
On the Mac, latest versions of Chrome and its "cousins" (Opera, Brave, etc.), Safari, are all OK, with occasional single turnstile checkboxes. FF and Waterfox, endless turnstile. LibreWolf and the Tor-based varieties of FF, OK. Palemoon never even got to the checkbox, just kept refreshing, showing a red "Feedback" link in the turnstile for a while, then having the turnstile disappear completely only to reappear moments later, still "Verifying".
And it wasn't just the ERP/CRM site. Pretty much any place subscribing to CloudF*ck's "protection" caused the same result with Firefox. But only on the Mac box. Curious.
Alas, since I don't want to manually click the same dozen checkboxes every time to get this or that report data, have switched to SeleniumBase for automation, which while quite powerful and functional is not only Chrome based (Ugh), but also has its own syntax so the library of Python code I've built up over the years must be refactored (double Ugh). Thankfully it at least has a "driver" mode, so not each and every usage has to be a non-interactive "test".
While SeleniumBase works on the Mac, it's annoying that even non-automation usage of the browser won't work if Firefox is trying to access a CloudF*ck protected site.
Opened a ticket at CloudF*ck some months back, but they weren't very responsive, and quite frankly their tone and intimation that any use of automation with regards web browsing borders on criminal activity was quite offensive.
(Score: 4, Insightful) by digitalaudiorock on Sunday February 09, @05:25PM (1 child)
As the maintainer of Palemoon has pointed out, Cloudflare has said both of the following:
...and...
So which one is it?
(Score: 3, Insightful) by SomeGuy on Sunday February 09, @09:41PM
Also from the discussion there, they are randomly testing obscure scripting behavior - not just potential security issues - and keeping the details secret. Which means no one can guarantee compatibility with their tests.
So yea, Cloudsnare is in the business of saying one browser is more legitimate than another.
Logically, if they are really looking for "bots", they might be testing things like timing and automation extensions. So I'd fully expect eventual problems with slower computers, virtual machines, accessibility add-ons, and so on.
(Score: 2) by looorg on Monday February 10, @06:18PM (4 children)
Monday update. As I post this it's Monday evening. It seems that a lot of the issues have resolved themselves, at least for me and the sites I visit that used it. They are all resolving themselves and the widget now. Either the people using Cloudflare to protect themselves have tweaked their settings or Cloudflare unfucked themselves for the moment. Let's see for how long it lasts until they try again ...
(Score: 3, Informative) by digitalaudiorock on Monday February 10, @09:05PM (3 children)
For sure, Cloudflare has NOT fixed anything. Palemoon gets stuck indefinitely at that "Verifying" step.
As yet nobody at CF has even acknowledged that there's a problem in fact.
(Score: 3, Informative) by digitalaudiorock on Monday February 10, @09:17PM (1 child)
So apparently that Cloudflare feature is what they refer to as "Turnstile".
What's especially screwed about all this is that...as yet...I've not seen ANYTHING at Cloudflare about that that even HINTS at Browser requirements!! There is however stuff like this:
https://blog.cloudflare.com/turnstile-ga/ [cloudflare.com]
So yea...in addition to shitting all over any idea of an open internet they're using false advertising.
(Score: 2) by higuita on Wednesday February 12, @12:16PM
First, blocking bots is hard, as anyone who has tried to do that will know... every little detail may give some hint, while not always bulletproof.
Some bots are especially hard, like Selenium-based bots. Moving and clicking the mouse inside the browser during that time may help, but it could be just a placebo.
Second, they do many tests in that captcha and, for unknown reasons, they sometimes (less than 1% from my point of view) get stuck or create a captcha loop. This is happening even in plain Chrome browsers. I actually opened a ticket with them, as I'm an enterprise user of theirs. Maybe Palemoon is triggering this problem more times than Chrome?!
Third, for obvious reasons, they will never tell what they are testing and how, as that info can be used by bots to work around those tests. This is always a build-a-better-mousetrap situation: you get better mice that evade them.
Fourth, this is always changing; what works one day may not work a few days later, so there is a constant evolution of the captcha... and while more used browsers may get more data to test new versions, less used browsers may not have enough samples to correctly test, as there is always a very long tail of older or less used browsers, many of which are actually bots, so probably skewing the samples even more. They are now also using machine learning tech to help identify bots, so I assume the captcha is also using some of it, and the loops may be exactly the machine learning and the hard tests returning opposite results and it retrying to see if the result is different.
Anyway, report the problem, give the header ray-id value (it also usually shows at the bottom of the captcha page) and maybe the browser .har for that session. Not sure if they accept, but you can also offer to be a beta tester of the captcha, so you can test sooner, detect problems and have an easier path to report, to avoid breaking it for all other people.
Just a warning, their support is very slow, especially for non-enterprise customers (and even those!!)... no idea the amount of requests they get per day, but due to the number of sites/users using their service, it may be a huge amount.
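A sketch of preparing the report described in the comment above (an added example, not code from the thread or from Cloudflare): it pulls the Ray IDs of challenged responses out of a browser HAR export, flags URLs that were challenged repeatedly, and blanks cookies and auth headers before the file is shared. The sample HAR is constructed, and the code assumes challenge responses carry the `cf-ray` and `cf-mitigated: challenge` headers.

```python
import copy
import json

# Headers that carry credentials or session state and should not be shared.
SENSITIVE = {"cookie", "set-cookie", "authorization", "proxy-authorization"}


def _hdrs(d):
    """Convert a plain dict into HAR's list-of-{name,value} header layout."""
    return [{"name": k, "value": v} for k, v in d.items()]


def _entry(url, status, req_headers, resp_headers):
    """Build one HAR entry (helper used only for the constructed sample)."""
    return {
        "request": {"method": "GET", "url": url, "headers": _hdrs(req_headers), "cookies": []},
        "response": {"status": status, "headers": _hdrs(resp_headers), "cookies": []},
    }


# Constructed sample in HAR 1.2 layout; every URL, ID and secret is made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    _entry("https://shop.example/reports", 403,
           {"Cookie": "session=constructed-secret"},
           {"CF-RAY": "0000000000000001-EXM", "cf-mitigated": "challenge"}),
    _entry("https://shop.example/reports", 403,
           {"Cookie": "session=constructed-secret"},
           {"CF-RAY": "0000000000000002-EXM", "cf-mitigated": "challenge",
            "Set-Cookie": "clearance=constructed-token"}),
    _entry("https://shop.example/logo.png", 200, {},
           {"CF-RAY": "0000000000000003-EXM"}),
]}}


def header(msg, name):
    """Case-insensitive header lookup in a HAR request or response object."""
    for h in msg.get("headers", []):
        if h["name"].lower() == name:
            return h["value"]
    return None


def challenge_report(har):
    """Return (ray_ids, loops): Ray IDs of challenged responses in order,
    and a {url: count} map of URLs that were challenged more than once."""
    ray_ids, per_url = [], {}
    for e in har["log"]["entries"]:
        resp = e["response"]
        if header(resp, "cf-mitigated") != "challenge":
            continue
        ray = header(resp, "cf-ray")
        if ray:
            ray_ids.append(ray)
        url = e["request"]["url"]
        per_url[url] = per_url.get(url, 0) + 1
    return ray_ids, {u: n for u, n in per_url.items() if n > 1}


def redact(har):
    """Return a deep copy with sensitive headers, cookies and bodies removed."""
    clean = copy.deepcopy(har)
    for e in clean["log"]["entries"]:
        for msg in (e["request"], e["response"]):
            for h in msg.get("headers", []):
                if h["name"].lower() in SENSITIVE:
                    h["value"] = "[REDACTED]"
            msg["cookies"] = []
        e["request"].pop("postData", None)   # form fields may hold passwords
        e["response"].pop("content", None)   # bodies may embed tokens
    return clean


if __name__ == "__main__":
    rays, loops = challenge_report(SAMPLE_HAR)
    print("Ray IDs to quote in the report:", rays)
    print("URLs challenged repeatedly:", loops)
    print(json.dumps(redact(SAMPLE_HAR))[:120], "...")
```

Tokens can also sit in URL query strings, which this sketch leaves untouched, so review the redacted file before attaching it.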
(Score: 2) by looorg on Wednesday February 12, @02:22AM
Clearly I was just having good luck with the sites I visited. Cause it doesn't seem they have done anything. So it must have been tinkering from the owners of the sites cause a lot of sites are just as broken or eternal looping as before. I guess they noticed a massive drop in actual user traffic and decided to tweak things on their end.
Some sites that broke before, though, seem to eventually resolve themselves, but it takes a long time and many many MANY tries. Just leaving it in a tab to run for however long it takes. Eventually it just resolves or it spouts out some new error message I had never seen before about how my computer clock is apparently reporting the wrong time. Right. Sure. Keep telling yourself that Cloudfucker.
The thing with PaleMoon seems to be that it for some reason can't show the checkbox in the widget anymore, to verify that you are a human. It never comes up. It just loops and loops and loops and doesn't show it.