Cloudflare Verification Loop issues

[flamelord]

The other day I submitted a story on soylentnews.org that just got put up this morning:

https://soylentnews.org/article.pl?sid=25/02/07/044225

So a little more publicity about this one.

Soylentnews? WTF is this website? Never even heard of it in my entire life
Who the fuck would come up with such a title for a website in the first place?

[Moonchild]

Soylentnews? ... Never even heard of it in my entire life

So just because you've never heard of it, you feel it's OK to bash it? Tone it down, please. I know it's in your name but keep the flaming down, thanks.

[Enobarbous]

No, because it's not under our control what they check for, and they regularly change their checks.

I did some digging with mozregression and maybe this will be useful? The last version where cloudflare check doesn't work is nightly 2019-07-09,

app_name: firefox
build_date: 2019-07-09
build_type: nightly
build_url: https://archive.mozilla.org/pub/firefox ... .win32.zip
changeset: 404680ad41e4e7d08aa46081a70095486f14e15f
pushlog_url: https://hg.mozilla.org/mozilla-central/ ... 23b717db3c
repo_name: mozilla-central
repo_url: https://hg.mozilla.org/mozilla-central

the first version that passes the check - nightly 2019-07-10

app_name: firefox
build_date: 2019-07-10
build_type: nightly
build_url: https://archive.mozilla.org/pub/firefox ... .win32.zip
changeset: e704e3565db9260efaa854f2916ca023b717db3c
pushlog_url: https://hg.mozilla.org/mozilla-central/ ... 23b717db3c
repo_name: mozilla-central
repo_url: https://hg.mozilla.org/mozilla-central

Maybe this will be useful to determine what exactly PM is missing for cloudflare to work?

Small point: 2019-07-10 works fine with CF with its own user-agent (ff70a), but fails the check if you install the agent from FF85+ So, we should probably also set challenges.cloudflare.com to something at the FF78 level, just to get a more compatible check...
Also, there seems to be some difference in working with csp between FF and PM. In particular, if csp is enabled in PM 33.6, cf check hangs at the stage of infinitely rotating circle, but if you disable csp (security.csp.enable = false), then it becomes possible to check "I am not a robot" and only after that cf reloads the page with a request to pass the check again.

[Moonchild]

Maybe this will be useful to determine what exactly PM is missing for cloudflare to work?

I doubt it. At most this would be the point where the entirety of Firefox's feature set satisfies whatever CF checks for explicitly for that version. Also, that pushlog is huge.

if csp is enabled in PM 33.6, cf check hangs at the stage of infinitely rotating circle, but if you disable csp (security.csp.enable = false), then it becomes possible to check "I am not a robot"

Not the case for me. It just spins regardless.

[Enobarbous]

I doubt it. At most this would be the point where the entirety of Firefox's feature set satisfies whatever CF checks for explicitly for that version.

I actually got interested in a minimally working version of ff when I saw that in mypal68 by feodor2 this time (unlike previous cases) cloudflare continues to work, even in older versions. And given that it's pretty rough and selective in porting patches, it seems to me that it's just a matter of some js functionality...

Also, that pushlog is huge.

Unfortunately. But throwing out what is specified for both 2019-07-09 and what is clearly related to tests and webextension, there is not much left. My first thought was Intl.RelativeTimeFormat.prototype.formatToParts, but I think we already have that....

[Nuck-TH]

I actually got interested in a minimally working version of ff when I saw that in mypal68 by feodor2 this time (unlike previous cases) cloudflare continues to work, even in older versions. And given that it's pretty rough and selective in porting patches, it seems to me that it's just a matter of some js functionality...

Even if needed functionality will be pinpointed and implemented it will work exactly until CF does same thing again.

[Enobarbous]

Even if needed functionality will be pinpointed and implemented it will work exactly until CF does same thing again.

And that might be better than nothing. Yes, of course, I also think cloudflare should fix this on their side. Unfortunately, there is no guarantee that it will happen.

[digitalaudiorock]

Soylentnews? ... Never even heard of it in my entire life

So just because you've never heard of it, you feel it's OK to bash it? Tone it down, please. I know it's in your name but keep the flaming down, thanks.

Thank you! For anyone interested soylentnews.org has a LOT of members. It was really a spinoff from slashdot.org when that became a corporate run piece if crap.

[Pelican]

Cloudfare does provide extensive options in their settings, but not being one of their user', I wouldn't know if there is an option to allow/disallow according to browser or OS. Such options would be invaluable for private groups and corporate networks. Perhaps that is something that Cloudfare could offer, and then it can be the site owners themselves who dictate who can access their site.

If anyone from their team is reading this thread... nudge, nudge, wink no more!

[back2themoon]

If Cloudflare offered a setting to allow/disallow Pale Moon, then it'd mean they could actually detect Pale Moon properly and this issue wouldn't exist in the first place. I guess they could simply detect via user-agent and offer an on/off toggle, but since they don't even bother to respond I doubt they are doing that.

SourceForge was easily able to tweak their settings and fix this, but I'm not sure if it was through Cloudflare's settings, or via their own website configuration. Sounds like the latter ("we have many custom rules"). I assume they completely disabled it for Pale Moon but could be wrong.

https://sourceforge.net/p/forge/site-su ... 6494/#7007

[BenFenner]

Off-topic:

Soylentnews? WTF is this website? Never even heard of it in my entire life

Imagine not having an account at Soylent News.

https://soylentnews.org/~BenFenner

[flamelord]

Soylentnews? ... Never even heard of it in my entire life

So just because you've never heard of it, you feel it's OK to bash it? Tone it down, please. I know it's in your name but keep the flaming down, thanks.

Yes, because I have never heard of it I don’t see it getting much traction there. That was my point.
How many people browse that site?
If Hacker News can’t put pressure on CF then I doubt this site can.

[jouven]

Regarding CF settings, TLDR CF gatekeeps the sites that use their web security services allowing only three browsers, however with the power of plausible deniability=shift the work to the site owners+filter by user-agent it allows every browser.

The CF configuration is a combination of https://developers.cloudflare.com/waf/t ... ity-level/ + https://developers.cloudflare.com/waf/r ... hallenges/

JS challenge

With a JS challenge, Cloudflare presents challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser.

The visitor will have to wait until their browser finishes processing the JavaScript, which should be less than five seconds.

No additional explanation.
A bit after:

Supported browsers
If your visitors are using an up-to-date version of a major browser — such as Chrome, Firefox, Safari, Microsoft Edge, Chrome and Safari on mobile — they will receive the challenge correctly.

From what I've checked, in the security settings pages I do have access (I have a free account), the only two things that would allow PM is an user-agent filter or lowering the security level (I doubt the latter would filter specifically for PM). Meaning that spoofing PM, for the sites that create exceptions for PM, can be abused by bots using the PM user-agent...
Another thing CF does is shift responsibility to the site owners, as in if the site owners want other browsers accessing their sites they need to do the work and create the rules. But like I mentioned it probably can be abused...

[Alpha1_2]

Operating system: Windows 10
Version 64-bit: 33.5.1 and 33.6.0
Problem URL: https://hd24bit.com/ and crashes

Starting with version: 35.5.1, early Feb 25 (AEST) and just updated to 33.6.0 and is still looping today (09 Feb 25), I can't get past the Cloudflare checks trying to access https://hd24bit.com/; it just goes into a loop that keeps re-prompting with a checkbox. I have a subscription to another site (https://isra.cloud/) that uses that Cloudflare checks and it's doing the same.

Alpha1_2

[back2themoon]

I can't get past the Cloudflare checks...

Yes, that's what this entire topic is about. The crashes are fixed since PM 33.6.0, but the access denial "Verifying..." loop can only be fixed by CF.

Since Cloudflare remain silent, I'd suggest for you to contact that website (using another browser obviously) and explain that Cloudflare is blocking and denying access to their content for users preferring Pale Moon, and several other non-mainstream browsers. Even mainstream browsers have been reported to break at times with Cloudflare's buggy verifications. You could also suggest some solutions:

a) Tweak their website to make it work with Pale Moon, as SourceForge promptly did: https://sourceforge.net/p/forge/site-su ... 6494/#b21f

b) Consider a less hostile and more reliable Cloudlflare alternative like https://www.nearlyfreespeech.net/ mentioned here earlier. I'm sure there are many others and perhaps we should build a Cloudflare-alternatives list for quoting/forwarding.

I'll start reporting the same, even though websites smaller than SourceForge may have less flexibility and desire to fix this. We've all given Cloudflare enough time already.

[Moonchild]

I hope everyone realizes by now that CloudFlare is contradicting themselves in a major way.

Supported browsers
If your visitors are using an up-to-date version of a major browser — such as Chrome, Firefox, Safari, Microsoft Edge, Chrome and Safari on mobile — they will receive the challenge correctly.

While at the same time saying

{We} do not want to be in the business of saying one browser is more legitimate than another

By not making browsers that do not meet their limited definition of "an up-to-date version of a major browser" receive the challenge correctly, they are, in fact, in the business of saying that any other browser is less legitimate, since they are treating them similar to bots and automated scripts, and in turn treating all users of those browsers as less legitimate than the users of their short list of "supported" browsers.

I brought this point up last time this was an issue (when this "browser support" section was a new thing in their "CloudFlare Challenge" documentation), and assurances were given that they would do their best to allow all legitimate browser users through their challenges. Clearly, those assurances were bogus, as an effort was made only, so far, this time around, to "fix" the challenge for Firefox ESR 115 when it was initially broken at the same time as our access, but leaving all other legitimate browsers hanging.

It should be clear to any reasonable person reading this at this point that CloudFlare, despite their assurances, is, in fact, in the business of saying one browser is more legitimate than another, and effectively, though their gatekeeping of many thousands of websites for users of those browsers, are causing damage to the developers and publishers of those browsers by harming the core functionality a browser has: successfully reaching and displaying websites. The damage is indirect and consequential by effectively reducing the usefulness of independent browsers and making users move to "browsers they support" by no other action than their deliberate discriminatory "browser challenges".

Off-topic:
I think there's plenty there to build a legal case, and a class action for all browsers affected by this that are not on their short-list of "supported browsers", but I'm not in the best position to (nor in the capacity of) starting this kind of lawsuit, being both outside of US jurisdictions physically, and not having the financial resources for this kind of litigation, so if anyone else is in the position to be a class leader and start this in a US court, we'd have a way forward legally. The longer this lasts and the more likely a repeat is to happen, the more inclined I am to get involved in a legal dispute.

[Shadow]

My observation gives indication the seemingly only employee who has given attention to this previously might currently be on paternity leave.

That would explain the nothing happening.

More quotes:

There's a lot that goes into Turnstile's simple checkbox to ensure that it's easy for everyone, preserves user privacy, and does its job stopping bots. Part of making challenges better for everyone means that everyone gets the same great experience, no matter what browser you're using.

For Turnstile, the actual act of checking a box isn't important, it's the background data we're analyzing while the box is checked that matters. We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it's an actual browser.

Source: https://blog.cloudflare.com/turnstile-ga/

Poignant comment here: https://news.ycombinator.com/item?id=37703905

Goodbye web browsing with non-top-3 browser engines

[back2themoon]

...the seemingly only employee who has given attention to this previously might currently be on paternity leave.

However ridiculous that may sound (only employee in the whole of Cloudlflare), at least it opens a window for this not being an aggressive change of policy against non-mainstream browsers, but rather them being their usual sloppy, irresponsible selves.

Not that great either, but at least things mostly work. Mostly.

[KlarkKentThe3rd]

Until this is fixed just get used to have 2 browsers open sometimes. Which is a non-solution, but just like copy+pasting text into Facebook comment window, to get over their bug, it is what works.

[LuftWafflePilot]

Until this is fixed just get used to have 2 browsers open sometimes. Which is a non-solution, but just like copy+pasting text into Facebook comment window, to get over their bug, it is what works.

I started dualing PM with Firefox years ago, because some sites (primarily FB, IG, Twitch, Youtube, reddit and anything Google for me) simply will never work correctly or well enough in PM for various reasons.