For the third time in recent memory, CloudFlare has blocked large swaths of niche browsers and their users from accessing web sites that CloudFlare gate-keeps. In the past these issues have been resolved quickly (within a week) and apologies issued with promises to do better:
2024-03-11: Cloudflare checks broken again?
2024-07-08: Cloudflare checks broken yet AGAIN?
2025-01-30: Cloudflare Verification Loop issues
This time around it has been over 6 weeks and CloudFlare has been unable or unwilling to fix the problem on their end, effectively stalling any progress on the matter with various tactics including asking browser developers to sign overarching NDAs:
Re: CloudFlare: summary and status
Some of the affected browsers:
• Pale Moon
• Basilisk
• Waterfox
• Falkon
• SeaMonkey
• Various Firefox ESR flavors
• Thorium (on some systems)
• Ungoogled Chromium
From the main developer of Pale Moon:
Our current situation remains unchanged: CloudFlare is still blocking our access to websites through the challenges, and the captcha/turnstile continues to hang the browser until our watchdog terminates the hung script after which it reloads and hangs again after a short pause (but allowing users to close the tab in that pause, at least). To say that this upsets me is an understatement. Other than deliberate intent or absolute incompetence, I see no reason for this to endure. Neither of those options are very flattering for CloudFlare.
I wish I had better news.
(Score: -1, Troll) by Anonymous Coward on Monday March 17, @06:36PM (1 child)
Seeing as how it's easy to spin up an "alternative" browser, and as a fact scammers do it all the time, why would this be a surprise?
(Score: 4, Touché) by VLM on Monday March 17, @07:39PM
Ironically, its easier for scammers / spammers to spin up a non-alternative browser in a docker container because they're the popular browsers. They have the infrastructure (or at least stolen access to it, LOL) unlike the general public.
This is probably why there's not a huge amount of discussion here; if I "need" to see something in firefox its a couple minutes away with the linuxserver people's docker images (not that I've done that recently, but it has worked in the past).
(Score: 5, Interesting) by Anonymous Coward on Monday March 17, @06:58PM (2 children)
That's what they are supposed to do. You can bet they made a deal with Google, Microsoft, maybe Firefox and Apple. Obviously they benefit from this. I hope we find a way to circumvent CloudFlare and all these other "gatekeepers" out there.
Too much blockage. The internet needs a laxative
(Score: 2) by Unixnut on Tuesday March 18, @09:04AM (1 child)
The fault is with the web developers who use cloudflare. Had they not all decided on putting their websites behind "gatekeepers" we would not have this issue.
Truth be told for me Cloudflare and others have long since not worked (probably because I make heavy use of niche browsers like pale moon), and I figure any website owner who puts their website behind a gatekeeper obviously wants to remove traffic from their site, so I honour their request and go find a non-gatekeeper alternative instead.
(Score: 2) by Undefined on Tuesday March 18, @02:48PM
This is the way.
Websites should just work. IMO, as soon as you start coding for "if it's this browser, do this, otherwise, do that" you're contributing to Internet-rot.
Yeah, that definitely narrows what you can do, but the vast majority of the time, it removes what you shouldn't do.
I make sure specialty coding stays off my lawn.
(Score: 3, Funny) by Anonymous Coward on Monday March 17, @07:44PM
Help us Obi-Wan Ken-E.U., you're our only hope.
(Score: 2) by looorg on Monday March 17, @08:42PM (2 children)
I thought this had changed a few days after this was mentioned the last time here [1]. But it wasn't there was just some momentary glitch in the matrix that didn't crash things. It went back to endlessly looping and bringing down the entire browser with it. It's been like that ever since.
The only thing I have noticed is that a few sites that did use to use Cloudflare have since changed their settings and are relying less on it. I guess they noticed a somewhat significant drop in traffic or something.
Still it seem petty and stupid and I still don't understand the reason for them implementing it to begin with. But I'm sure some MBA have their reasons.
[1] https://soylentnews.org/article.pl?sid=25/02/07/044225 [soylentnews.org]
(Score: 2) by corey on Monday March 17, @10:05PM (1 child)
Yeah I am also doubting the necessity of this feature. I often get a message saying “making sure you’re a human” For a few seconds before the actual page loads. Is there an actual problem of bots operated by hackers that crawl websites to necessitate this rubbish? I wonder how much of a problem it really is.
I’m only grateful that mostly it’s automatic and not a captcha that asks me to identify all crossings or motorcycles in a bunch of images.
(Score: 2) by looorg on Monday March 17, @10:13PM
That is the one. Or that is how it's supposed to work or how it works in other browsers. It loops for a bit and then it have the display with the checkbox asking if you are human or not. In the looping-browsers that box just never comes up. It stalls. Then it doesn't display the box. Then it either crashes the browser, loops again or something such. It just doesn't stop and displays that box for you to click in and verify that you are human, cause that is apparently what is human -- clicking in boxes.
It's been a while since I saw that one with click all the bikes, crossings, stairs, motorcycles or whatnot. Even in other browsers.
(Score: 1, Interesting) by Anonymous Coward on Monday March 17, @09:09PM (5 children)
And archive.org (and its various other instantiations, e.g., archive.ph, etc.) hits me with a CAPTCHA every single time now.
I don't think it's Firefox though. I expect it's the ad/tracking blockers, including the pi-hole on my home network.
What a shame.
Although IIUC, how heavy-handed a site might be is a function of how strict Cloudflare's *customers* want to be WRT verification. Which doesn't excuse the bugs in Cloudflare's tools.
(Score: 0) by Anonymous Coward on Tuesday March 18, @12:02AM (4 children)
archive.ph (and the other aliases for archive.today like archive.is, archive.ph, etc.) will give you a fake cloudflare captcha screen if you use cloudflare's public recursive dns resolver, 1.1.1.1 aka one.one.one.one. It is setup to be an infinite loop, to piss off visitors and generate complaints (incorrectly) to cloudflare.
It's believable since cloudflare captcha/turnstile is so damn broken already.
E.g., firefox DoH setting defaults to using cloudflare.
(Score: 0) by Anonymous Coward on Tuesday March 18, @04:40AM (3 children)
I don't use Cloudflare's DNS or anyone else's. I use my own, local (on hardware in my physical possession) recursive resolver. As such, I query Archive's authoritative name servers, not cloudflare's, not google's. Just the root servers, then the authoritative servers for the various archive sites.
It's possible that the archive sites are doing this themselves, but the captchas started around the same time lots of folks were making noise about Cloudflare's heavy-handed tactics. As such, it seems that archive may well be behind Cloudflare's "Anti-DOS" wall.
I'll be years dead before any system of mine uses DoH. Whether from Cloudflare, Google or anyone else. It's just another way for Cloudflare, Google, et. al to gather even more data on their users^W product. No thanks.
(Score: 1, Troll) by datapharmer on Tuesday March 18, @10:33AM (2 children)
Which is why I as your evilcorp isp operator I have added some very special routing rules for your connection that send your root server requests to some alternative servers I control to make sure you get the very “best” answers for who is authoritative for the domains you are interested in.
Thank you for choosing evilcorp.
(Score: 0) by Anonymous Coward on Wednesday March 19, @12:13AM (1 child)
AC you replied to here.
My ISP (AS131279) doesn't do any of those things. They are good stewards of privacy and use freedom.
So fuck off, whitey!
(Score: 2) by janrinok on Wednesday March 19, @08:33AM
Perhaps you don't realise but AS131072 - AS132095 (all quoted as being in the block used by your ISP) are shared by multiple VPN providers. They don't each have their own privately owned network of VPNs. Rather, they pay for VPSs as they need them. They can be allocated dynamically. This passes the hardware management task to another company and enables the original ISP to minimise running costs by only paying for what they need. kolie has a much better knowledge of this sort of thing than I do (it is part of his business) and this is only my description based on limited knowledge. Our own SN servers must be peered to other (multiple) servers to ensure that the internet can route around 'damage'.
Your chosen ISP might be the paragon of virtue, but the others you know nothing about. The administration of your chosen provider may be wonderful. It will probably secure your personal data if it holds anything at all, but there will at least be an account identifier, a hashed password, and a date that the account currently lapses otherwise they cannot identify who has paid to use their services. But the chances are that it will also have the records/logs of whoever it is peered to.
if you do a "whois AS131279" for the provider you quoted you should then read down the page:
North Korea - a well know provider of safe and secure internet services. They are actually managing the VPS that your connection goes through. Of course this will probably not be who you are paying as your ISP. The unfortunate thing is that you don't get to choose which VPN server your connection goes to, you can only choose your ISP and request a VPN in a given region. Your ISP will have decided the peering to suit itself. Your request will be routed to a VPS that is managed by someone else entirely.
AS131279 may have many thousands of IP addresses available to it, but they are all managed by the same company.
[nostyle RIP 06 May 2025]
(Score: 5, Interesting) by EJ on Monday March 17, @10:52PM
I'm not usually for being overly litigious, but maybe an ADA accessibility lawsuit could benefit us all.
(Score: 4, Informative) by SomeGuy on Monday March 17, @10:57PM (2 children)
Some of the things they do to "check" the browser include intentionally throwing exploits at it.
Apparently, this is considered acceptable now. If you aren't running the absolute latests approved stuff it is now ok for everyone to come over and rape you.
I tried contacting one specific site that was using the cloudsnare "checking", but they eventually sent me back a snobby e-mail telling me that I had to use one of their officially supported browsers - either the absolute latest Chrome, Firefox, or Edge. Anything else, and fuuuuuck me.
It's not even just the cloudflair stuff - the electronics vendor mouser.com block most of these browsers too, claiming you are a bot. But they mainly check the user agent, and it has to match the absolute latest - I've had to update the fake UA string multiple times already. Interestingly it blocks bog-standard Firefox on 32-bit Linux as a "bot" because they don't know 32-bit Linux still exists.
There are also increasingly more and more sites that are plain old broken in these non-mainstream browsers. All of this blocking is just adding to the idiotic justification to ignore them.
It's too late now. The damage has been done.
Coming soon to Windows 10!
(Score: 3, Interesting) by Anonymous Coward on Monday March 17, @11:35PM
If free market worked as advertised, Mouser would lose so much business that they'd correct that absurd behavior. A year or two ago I needed to buy some stuff, was going to order from Mouser, they blocked me, so I bought elsewhere.
(Score: 3, Touché) by Rich on Tuesday March 18, @01:59AM
Just successfully checked "mouser.de" with LibreWolf. Tested for availability and prices of the 13700 OTA, no issues, but no NS/TI alternative in DIP for tinkerers either (see lcsc for the XD13700). Maybe it's a combination of criteria?
(Score: 0) by Anonymous Coward on Tuesday March 18, @08:03PM
I tend to use Opera on Android, which I didn't think was niche and I've had this Cloudflare crappery now for a couple of months, if I need to access a site 'protected' by this nonsense I'll cycle through one of the other four browsers installed (currently, with Chrome being the last choice) to get around various online braindeaths like this.
If none of them work, I might try accessing the site on the non locked-down laptop when I get home, but increasingly I go 'fuck it' and look elsewhere.
A funny thing though, I've found that even fully up to date Chrome on Android with the phone connecting through wireguard can trip this annoying shite on sites where a 'straight' connection doesn't, unfortunately there's neither rhyme nor reason to it, sometimes it does trip the loop, other times it gets in after several attempts.
(Score: 4, Informative) by digitalaudiorock on Wednesday March 19, @01:41PM (2 children)
First of all, thanks janrinok for this submission! The previous submissions when this happened before were all from me I believe.
So today I'm finding that the Cloudflare check is actually working in Palemoon. The maintainer of PM has been working with Cloudflare on this one:
https://forum.palemoon.org/viewtopic.php?f=65&t=32190 [palemoon.org]
Looking at the last posts in there however, he doesn't seem convinced that Cloudflare has actually addressed this in a manner that won't just get broken again, and I suspect he's correct.
The bottom line certainly seems like Clouldflare is quite simply claiming to be able to do stuff that they CANNOT do and still maintain support for non-mainstream browsers. My bet is that we have NOT seen the end of this nonsense.
(Score: 2) by janrinok on Wednesday March 19, @03:45PM (1 child)
Thank you. However, it is also affecting the stories that we want to collect for publication. Some sites still provide RSS feeds and they are very useful. However, Cloudflare is currently preventing the reading of those RSS feeds. This is true of both OS and some proprietary RSS readers. Apparently they are not 'browsers' so should not be allowed to access legitimate feeds on the internet. Go figure....
[nostyle RIP 06 May 2025]
(Score: 2) by digitalaudiorock on Wednesday March 19, @07:18PM
I'm not surprised by that especially reading the posts in the thread I linked from the PM maintainer. I've always wondered for example if any Tor browsers can get past that BS. I suspect not.
This whole Cloudflare "turnstile" browser check thing is a truly evil trend on the web...just no questions about it.