Cloudflare Verification Loop issues

[back2themoon]

Actually whatever they did it now causing PM to completely freeze up and become unresponsive.

That's exactly what LuftWafflePilot meant, and also confirmed by others.

Are there any other avenues we could use to bring publicity to this issue? Social media, for instance?

Agreed. Social media are less easy to ignore. Someone could lead the way on where, when and how. I'd try but know nothing about SM engagement.

[Sessh]

I don't participate on SM either, but if anyone was going to try, that Adam Martinetti guy was the one that fixed this issue before right? Maybe he's a good one to try to get in touch with?

[jouven]

Add this to uBlock's "My rules" section to prevent cloudflare from freezing PM (PM doesn't pass the challenge anyway):

Code: Select all

* cloudflare.com * block

Forgot to mention, remove or rename, any "siteurl cloudflare.com *" rules.

[cannonmc]

First, thanks to everyone who is trying to sort things

Back to crashes this morning. Fortunately I only use one site regularly that uses CF which I could reach using Opera.

Overnight CF is now blocking Opera saying I need up-to-date browser. My Opera is latest version.

I did notice, between crash periods, that the CF Captcha button on tinyurl.com had a feedback button. I did click it a couple of times but it didn't say who it was feeding back to.

CF does allow Waterfox but sadly I have to use a different machine for that.

I tried Basilisk, got a message to allow cookies. Allowed them and now it is crashing.

I do feel CF is being malicious

[q160765803]

It seems that CF challenge widget causing PM OOM by a very long report/log message, and freezing browser with infinity reflowing.

[Sessh]

Wow... it does seem to be malicious targeting at this point. I wonder how many of these other browsers are aware this is going on? Maybe a class action could happen after all.

[Moonchild]

Tried going through the hoops to get in touch with CloudFlare for this issue since it endures and is getting worse, excluding the "community" since that is obviously a waste of time. It's gotten worse.

My original account for when I was their customer is locked and can't be re-used. (never mind that they are still sending me $0.00 invoices for non-existing services every month)
A new account won't have access to their ticketing system unless it's about account recovery, billing or cloudflare registrar issues:

Image2.png

Chat is locked down to business accounts and enterprise accounts only:

Image3.png

There's no obvious way to report anything to cloudflare directly or to open a communication channel if you are a third party/don't have an account.
Even if you create an account you have to pay them first before they will even listen to you...? This is getting ridiculous.
I also haven't even found any information to contact them for legal issues if that's going to have to be the way to go forward and get something done about this. Maybe I'm blind, but I scoured their pages for over an hour.

[sunstarunicorn]

By going through Brave, I was able to get the CloudFlare chat bot to pop up.

It unfortunately does not allow typing, so all you can do is click on pre-determined options, but it might be a route that we can go down.

I was able to get it to cough up CloudFlare's abuse report form. I don't know if it will help our situation at all, but maybe?

https://developers.cloudflare.com/funda ... int-types/

https://abuse.cloudflare.com/

Additionally, I did see CloudFlare's sales phone number posted on their website. I haven't called it, but I presume a determined soul could wind their way through the automation to a Real Person. Even if that Real Person is a salesman, perhaps they could provide the Legal Team's contact information?

I did suggest social media earlier and I assume CloudFlare has accounts on Twitter (X), but I am not a big social media user myself. I'd be happy to throw my minuscule support behind a campaign to get CloudFlare's attention, though.

Is there any way to pool our efforts with the other browser teams being affected by this issue?

[Sessh]

Pooling efforts is a good idea if it's possible. I imagine developers of these other affected browsers would be pissed about the current situation too. Worth a shot I guess?

Opera specifically has 2-3% chunk of market share on it's own doesn't it? Their wiki says that all of Opera's offerings (total) have over 320 million active users as of 2021, but not sure how much of that number is the Opera browser itself. Still, that's a lot. They'd probably have the funds and clout to make some real noise about this. I didn't know Vivaldi was an Opera product either. (Actually, Vivaldi was made by the former Opera CEO and former Opera employees.)

[andyprough]

I did suggest social media earlier and I assume CloudFlare has accounts on Twitter (X), but I am not a big social media user myself.

Here's the twitter account for Adam Martinetti, who is the person at Cloudflare that apparently helped with this Pale Moon blocking problem last time:
Adam Martinetti (@adamemcf)

Maybe someone with a twitter account can try to direct message or otherwise contact him on twitter.

Adam also has a LinkedIn account. I have an old LinkedIn account I never use, but I can try to send Adam a connection request and then message him if he accepts my connection request. Or if someone else here is more involved with LinkedIn they can try to connect with him.

[flamelord]

First, thanks to everyone who is trying to sort things

Back to crashes this morning. Fortunately I only use one site regularly that uses CF which I could reach using Opera.

Overnight CF is now blocking Opera saying I need up-to-date browser. My Opera is latest version.

That's odd. I'm on outdated Chropera(last updated build of Win7) and it's working fine. I only used 4chan however.

[jobbautista9]

Sent an email with the Cloudflare forum link to the reporter from TheRegister.com this afternoon, and to Martin Brinkmann at Ghacks.net.

Has one of them responded to your email? It's been a week and almost a half now...

[Harkonnen]

Not only CF widget now freezes palemoon, it causes runaway memory usage too. It just ate 24GB in like a 2 minutes, until PM was killed by OOM killer...

[andyprough]

Has one of them responded to your email? It's been a week and almost a half now...

Yes, Martin Brinkmann responded, but he was mostly interested in Firefox ESR 115 which was getting locked out by Cloudflare at the time, and Cloudflare fixed the problem for that browser almost immediately. (Apparently they are able to fix their mistakes when they realize they are hurting a favored stepchild of Google's). Martin already wrote in 2022 about Cloudflare doing this to Pale Moon repeatedly, so there's nothing terribly new for him to add at this point, and I don't expect he'll jump on it right away. If Opera continues to get locked out by Cloudflare then that could be a new angle for him.

Liam Proven with TheRegister is very busy writing about a variety of tech topics. So I don't expect to hear back from him right away. But ultimately he may be the most likely to write an article, as he is using MyPal and Midori, and is in the same boat as the Pale Moon users. I'll try to remember to ping him with an update in the next week.

I also chatted with Roy Schestowitz at TechRights on their IRC channel a few days ago. I wouldn't be surprised if he eventually links to @back2themoon's Hacker News post or some other mention of the problem, as TechRights has covered what they refer to as "ClownFlare" for a long time. But on the other hand, Schestowitz made it clear to me that his opinion is that people should simply avoid sites that use Cloudflare at all costs, which is actually my own personal opinion and my own tactic. So there's a good chance that TechRights simply never bothers to write about the people that are locked out of Cloudflare sites - sites that Schestowitz doesn't feel are worthy of getting any traffic at all anyway. He may, in fact, be quite happy that Cloudflare is locking people out of sites and may be hoping that Cloudflare locks a lot more people out of sites until they've destroyed the traffic to all their clients' sites. Which - actually - is kind of hard to disagree with. This entire business model of running a mafia-type "protection" racket at exorbitant fees for websites is quite obscene when you think it over.

tl;dr - yes, I did hear from a couple people who may eventually write something, but no, I wouldn't hold my breath that they will right away as they are either frightfully busy or don't currently have compelling reasons (or both).

[Moonchild]

sites that Schestowitz doesn't feel are worthy of getting any traffic at all anyway. He may, in fact, be quite happy that Cloudflare is locking people out of sites and may be hoping that Cloudflare locks a lot more people out of sites until they've destroyed the traffic to all their clients' sites. Which - actually - is kind of hard to disagree with.

Certainly a point to make, but at the same time there's the critical question to ask which is more likely: that people simply stop visiting the sites "protected" by CloudFlare, or that they will use a different browser that "just works everywhere"? Maybe you could find people that will do the former for a few sites that run into the problem, but with CloudFlare being as pervasive as it has become, it'll become a pretty big sacrifice for a lot of people to make -- and the bottom line is some people will, and some people won't; net result being the smaller browsers lose a chunk of the small market share they already have, losing income, and just being squeezed.

This entire business model of running a mafia-type "protection" racket at exorbitant fees for websites is quite obscene when you think it over.

I absolutely agree, and they didn't start out that way. This is something from the last few years where they really started clamping down on the "protection" side of things. Their primary reason-to-be was initially proxying and caching for performance reasons, with the "protection" just being inherent for being behind a public-facing proxy IP.
Over time they tacked on more and more and more additional features in the paid tiers that are actually mostly niche use for normally catered installations of big companies, and going big on big traffic data as well. "generating value" is the keyword I think that was driving all this, not "providing a service".

Having run our project servers without their "protection" it does get us the occasional issue with attacks or overloading the servers with automated traffic that require some administration (because I've made it a point to go fully unmanaged VPS so it's all in my own hands, but that was my choice; I didn't have to), but for websites that are using a decent hosting company, that could easily be taken care of by the hosting experts who deal with traffic and abuse daily. I can also say that the abuse has been less than what I saw in their reporting at the end of my usage of them, so I think CF was already starting to block legitimate traffic and misreporting it as "bad", back then. So what I'm saying is, most webmasters don't actually need all this - and also keep in mind that's not all there is to it. Using CF you are giving them control of your DNS, TLS certificates, and more. Not to mention that all traffic flowing to your websites goes through CF and all data is fully exposed to everyone the traffic passes by in their reverse proxy network.

But on the other side it's "easy" to use CF. And many, many people fall for the "it's free and easy" angle for the lowest tiers CF offers (including the paid "pro" which is more like a "not entirely just a demo" tier). Nothing really to be done about that except inform them of the consequences.

[q160765803]

And there are some sites that has inline CF protection which can cause browser hang by reflowing, for example: https://gita.komica1.org/00b/index.htm
Blocking access to challenges.cloudflare.com can resolve the problem in the moment.

[Sessh]

tl;dr - yes, I did hear from a couple people who may eventually write something, but no, I wouldn't hold my breath that they will right away as they are either frightfully busy or don't currently have compelling reasons (or both).

I actually hope Brinkmann will stick up for us again as well as the others. I actually had no idea Cloudflare was such a malicious company until this incident. The only way to get this dealt with without anyone having to push for a CA is to get the right people to make a fuss about it and create enough of a disturbance to force their hand. Otherwise, we and others will be left with crashing browsers (apparently being done on purpose now by CF) and being blocked from accessing some parts of the internet. It's not right. Their paying customers haven't lost enough traffic/sales yet I guess. I'd bet most of them don't even know and have just put blind trust in this company that is maliciously screwing them over with their gate keeping DOS hostility nonsense towards browsers that have done nothing to them.

[Nuck-TH]

I actually had no idea Cloudflare was such a malicious company until this incident.

They are not necessary malicious. They are big corporation now, so too big to fail(c). Or to care. Either about puny singular users or non-mainstream software.

[flamelord]

I feel like I need to quote myself here for the people who say CF isn't working on Opera
Maybe you missed my post

That's odd. I'm on outdated Chropera(last updated build of Win7) and it's working fine. I only used 4chan however.

[sunstarunicorn]

sites that Schestowitz doesn't feel are worthy of getting any traffic at all anyway. He may, in fact, be quite happy that Cloudflare is locking people out of sites and may be hoping that Cloudflare locks a lot more people out of sites until they've destroyed the traffic to all their clients' sites. Which - actually - is kind of hard to disagree with.

Certainly a point to make, but at the same time there's the critical question to ask which is more likely: that people simply stop visiting the sites "protected" by CloudFlare, or that they will use a different browser that "just works everywhere"? Maybe you could find people that will do the former for a few sites that run into the problem, but with CloudFlare being as pervasive as it has become, it'll become a pretty big sacrifice for a lot of people to make -- and the bottom line is some people will, and some people won't; net result being the smaller browsers lose a chunk of the small market share they already have, losing income, and just being squeezed.

...

But on the other side it's "easy" to use CF. And many, many people fall for the "it's free and easy" angle for the lowest tiers CF offers (including the paid "pro" which is more like a "not entirely just a demo" tier). Nothing really to be done about that except inform them of the consequences.

It sounds to me like we are now dealing with a company that is in the business of gate-keeping the Internet and discriminating against Internet users who prefer not to use The Big Three for a variety of reasons.

Moreover, this is a company which can do what The Big Three cannot - squeeze out the competition until alternative browsers die.

Because, to be blunt and frank, telling folks who want to use alternative browsers that they can't use a significant portion of the Internet is a dead-end road. It's going to end in tears - for us. If Schestowitz doesn't see that people are just going to use browsers That Work, well...

If we can't get help from journalists and the public pressure campaign is dead in its tracks, perhaps looking at this from a legal angle is the way to go. I'm not at all familiar with European anti-monopoly/anti-trust laws, but perhaps we Pale Moon (and other alternative browser users) here in the US need to start making some noise. Not with CloudFlare, but with our State Attorney Generals - after all, part of their job is to protect consumers in their states and a company which is discriminating against a consumer's choice of Internet vehicle seems like it would be in their area of concern.

Or maybe we American Pale Moon users need to go directly to the White House. Or go both routes, which I plump for.

The thing is, if we try to go to our governments, I think we'd be able to make a much better case if we can outline all of CloudFlare's shenanigans. That means, going back to when they first tried to kick alternative browsers off the Internet, but I don't know that history. We don't need chapter and verse, but if we can outline how this has been an escalating pattern of behavior on CloudFlare's part, that might be enough to stir up the government consumer protections. Especially if a lot of us file complaints.

What do ya'll think?