Cloudflare checks broken yet AGAIN?

[Kxeon]

IMO alternative browsers need to present a unified front, whether it's confronting corporations like Cloudflare or dealing with EFF.

That seems like a good idea ngl. I would say something about it being absolutely impossible to get everyone together to fight the big guys; but I'm pretty sure it actually IS possible to do that, showing stuff like what's happening right now to us as an example, saying "This could be you!", and just like that, the little browsers are banded together in an alliance.
...
Ok, obviously it's not that simple, but I hope you get my point. This can happen to others, and it probably will happen to others if this isn't stopped.

[stefan11111]

is it that hard to write good code that doesn't break other browsers

Not for a captcha, no.

at least test your non-standard extensions on more browsers?

Well that's the issue, you see? Somewhere in the fairly recent past they started restricting what their captcha supports to a very very short list of browsers, which does not include Pale Moon or any other browser on UXP, nor some commonly-used other alternative browsers. Only a small handful of big, commercial browsers. That wasn't the case before, and wasn't the case at the time most websites decided to start using CF. Basically a rug-pull of sorts.

Since CloudFlare is effectively ghosting me at this point, and the EFF seems to not be interested in taking this up with me, I'm really not in a position to do anything about it at this moment. If you run into this issue, complain to CF and the website you are trying to use but can't because of CF's issues.

If it's not that hard to make a chaptcha work with browsers like palemoon, why break it?
What do they gain from breaking it, If it's not a hard thing to do?
Especially given it used to work fine.

[noellarkin]

IMO alternative browsers need to present a unified front, whether it's confronting corporations like Cloudflare or dealing with EFF.

That seems like a good idea ngl. I would say something about it being absolutely impossible to get everyone together to fight the big guys; but I'm pretty sure it actually IS possible to do that, showing stuff like what's happening right now to us as an example, saying "This could be you!", and just like that, the little browsers are banded together in an alliance.
...
Ok, obviously it's not that simple, but I hope you get my point. This can happen to others, and it probably will happen to others if this isn't stopped.

It has to be done. What Cloudflare has done, is dictate what browser engines are allowed on the internet. It may not be their intention to do so, but fact remains that they're doing it regardless, and they have to be judged by outcomes, not intentions. Their premise is flawed: "if you can't pass feature detection for Chrome, Firefox or Safari, you're probably a bot" - - this effectively removes all incentive for independent developers to try making alternative engines. All future browsers will end up either being Chrome/FF forks or having to deal with Cloudflare issues.

Ultimately, the Pale Moon community isn't alone in this - - CF's move effectively reduces the browser ecosystem to a Google, Mozilla and Apple, and disincentivizes independent developers as well as newer players from entering the market. I'm curious how Midori, K-Meleon, QuteBrowser, Falkon, Luakit, NetSurf, New Moon, MyPal etc are doing.
Pale Moon can't and shouldn't try taking on CF alone, because then the optics are very "old man screams at clouds". If its 10 different browsers not working, then there's a MUCH stronger case to be made.

PS: this link: https://community.cloudflare.com/t/veri ... ain/683018 fails to open in Pale Moon, but opens in LibreWolf with resistFingerprinting on (which spoofs practically everything). So clearly, Cloudflare is NOT preventing fraud by filtering out browsers that spoof canvas etc, it is just locking out specific browsers based on feature detection.

PPS: I searched "cloudflare pale moon" and the most recent results seem to be from 4chan:
https://boards.4chan.org/g/thread/10134 ... ng-by-pale

[Moonchild]

It has to be done.

I'm on board with joining forces but as you can imagine my plate is already way too full to organize anything like that. Someone independent and invested in this would have to step up and get independent/alternative browsers together (that kind of thing is also not my forte, anyway).

[noellarkin]

FWIW there's a fair amount of support for Pale Moon in the thread https://community.cloudflare.com/t/veri ... /683018/15 - - and a general acknowledgement that this is a result of Cloudflare's negligence - - an improvement from the victim-blaming that happened the last time this happened.

[Moonchild]

That's good to see, at least! Maybe some people are actually waking up to what's happening, here.

[noellarkin]

Are there any tech journalism websites that are sympathetic to Pale Moon that can publish an article on the matter?
I remember Martin Brinkmann (gHacks) had a whole blog category dedicated to Pale Moon, including reporting on the first time this cloudflare mess went down:
https://www.ghacks.net/2022/05/05/fix-p ... ification/
And there may be some influencers/youtubers who may be willing to post/stream about it.

[digitalaudiorock]

Yea, yesterday it was looking like that Cloudflare thread I started might auto-close with nothing but my posts and whoever those pro-Cloudflare trolls are. Nice to see that thing caught fire.

There's a number of references about Cloudlfare breaking some browsers as to whether it was intentional or not. However what WAS intentional is that, for quite some time, Cloudflare has been pretending to the public that they can do all these security checks reliably and kept really quiet about browser support. Then over time they seem to have pulled the rug out from under everyone with this "Oh by the way, we only support browsers X Y and Z" bullshit. The trolls in that thread claim that all site owners are aware of this, and that's bullshit. If they were up front from the beginning saying "If you use this feature nobody can visit your site unless they use browsers X, Y, and Z", no WAY would so many sites be using it.

Now THAT was a VERY deceptive stunt to pull and WAS very much intentional.

EDIT: PLUS all helped them gain a huge footprint in that market, in part because competing ones don't attempt that sort of browser specific nonsense (putting THEM at a disadvantage in many ways). THAT'S the part that makes this deception an issue for ALL of us.

Tom

[noellarkin]

Does anyone have a HackerNews account? Would make sense to post it there.

[jouven]

I don't know Louis Rossman standing in this community, I'm sure he'll have day with this situation, doesn't need to be specifically Pale Moon if it's also happening with other browsers.

[noellarkin]

Louis Rossman

LOVE his content
So what's the best way to get in touch with him? And who should do it? I'm not sure if random users tweeting at him would work. Does anyone here have a youtube channel/twitter account with many followers?
You're right, he has made videos slamming Chrome for anti-competitive practices before: https://www.youtube.com/watch?v=_x7NSw0Irc0
Regarding the united front, I'll check this out later tonight, download some more alternative browsers, and check if they're working with Turnstile sites.

[digitalaudiorock]

Out of curiosity I just tested Waterfox Classic (I tested with the https://idope.se/ link posted earlier), and that goes into an infinite loop without even prompting with a checkbox at all...completely broken. Regular Waterfox still works.

So I guess whatever the broke must be specific to UXP (XUL) based browsers(?). Not that that matters. Nobody gets to say that XUL browsers are obsolete (try as many seem to). That's why web standards exists.

Tom

[noellarkin]

Some more sites that aren't working:
https://www.sofi.com/
https://jackssmallengines.com/
https://www.legacy.com
https://www.spiritshop.com/
https://stangnet.com/

[noellarkin]

Other browsers that fail the Turnstile captcha:
- SeaMonkey
- Falkon
- New Moon
- Basilisk
- K-Meleon

Browsers the pass the Turnstile captcha (apart from FF, Chrome, Safari):
- MyPal
- QuteBrowser

[Kxeon]

Other browsers that fail the Turnstile captcha:
- SeaMonkey
- Falkon
- New Moon
- Basilisk
- K-Meleon

Alrighty, so Basilisk and K-Meleon are both Goanna... but what's with Falkon and SeaMonkey? Don't they use the same engines as Chrome and Firefox respectively?
Maybe Falkon is broken because of QtWebEngine and SeaMonkey because of SpiderMonkey? But QtWebEngine is based off of Chromium...
It seems that Konqueror fails Turnstile on both engines too... (WebEngine and Okular)
NetSurf also fails, but that definitely shouldn't be all that much of a surprise from what I can tell. (It doesn't even appear, lol.)
I would test Ladybird but it seems like I can't run it at all because it can't find Ninja..
Oh wait, as it turns out, second try was the charm! Oh, and by the way, it failed again. Turnstile doesn't even appear on Ladybird.

Code: Select all

23030.323 WebContent(454788): (js log) "Turnstile Widget seem to have crashed: " "wqpgj"

[billmcct]

Some more sites that aren't working:
https://www.sofi.com/
https://jackssmallengines.com/
https://www.legacy.com
https://www.spiritshop.com/
https://stangnet.com/

Well for me in PM, and I'm using the AVX2 x64 build, only:
https://idope.se/
https://jackssmallengines.com/
Fails, all others I don't even get a captcha, goes straight to page.

In Basilisk, only:
https://jackssmallengines.com/
Fails, all others go straight to page for me, NO captchas.
I am also using a VPN.

[digitalaudiorock]

all others I don't even get a captcha, goes straight to page.

This is one that everyone should avoid getting confused by...that is whether or not you get the challenge at all. That can likely be based on a number of factors we can never know about...for example whether you're using a VPN that results in an unresolvable WAN IP they they see for you're request etc. That's a totally unrelated blank box on their end I think.

Tom

[noellarkin]

all others I don't even get a captcha, goes straight to page.

This is one that everyone should avoid getting confused by...that is whether or not you get the challenge at all.

yep, IMO the litmus test is: when someone does get a captcha, are they able to pass the challenge?

[artics]

A solution could be the Privacy Pass extension.

https://github.com/cloudflare/pp-browser-extension

If some XUL wizard can port this to Palemoon we will never need to worry about Cloudflare checks again.

[moonbat]

A solution could be the Privacy Pass extension.

From reading it, it sounds as though the website needs to support Privacy Pass first; or will it automatically work on all Cloudflare sites?