Cloudflare Verification Loop issues

[therube]

Off-topic:

What do ya'll think?

What do ya'll think?

[andyprough]

Because, to be blunt and frank, telling folks who want to use alternative browsers that they can't use a significant portion of the Internet is a dead-end road. It's going to end in tears - for us. If Schestowitz doesn't see that people are just going to use browsers That Work, well...

Shestowitz saw this coming years ago and has been mirroring nearly all of TechRights content onto Gemini space alongside their regular http(s) website since 2019.

Amazingly, in that 6-year period TechRights and its sister site TuxMachines have racked up over 100 million page views on Gemini - which is just absolutely mind-boggling to think about. They are currently serving up millions of page views per month on Gemini. Unbelievable - an alternative to the web, without most of the web's problems, where no one but the nerdiest of the nerds hangs out, and you can sit in that space and rack up millions upon millions of views and probably make decent money.

[BenFenner]

I actually had no idea Cloudflare was such a malicious company until this incident.

That is quite the rock you must have been under.

[andyprough]

Add this to uBlock's "My rules" section to prevent cloudflare from freezing PM (PM doesn't pass the challenge anyway):

Code: Select all

* cloudflare.com * block

Forgot to mention, remove or rename, any "siteurl cloudflare.com *" rules.

I'm perma-blocking Cloudflare from now on. I tried one of the Cloudflare sites tonight, not only did it lock up the browser but it also grabbed the cursor and wouldn't let go so I couldn't kill the browser window with xkill. Cloudflare is just pure malware at this point, its only purpose is to try to damage the computer.

I filed a Cybersecurity Incident Report against community.cloudflare.com for running malware that causes browser lockup and super-high CPU usage and thermal heating issues with the US Cybersecurity & Infrastructure Security Agency ("CISA"): https://myservices.cisa.gov/irf?id=irf_ ... intake-top
There's a new CVE related to a Cloudflare product causing a cross-site scripting vulnerability: https://www.cve.org/CVERecord?id=CVE-2025-22332
Since the super-high CPU usage associated with the way Cloudflare is locking up the browser seems reminiscent of some cross-site scripting attacks, I said in my complaint that this current Cloudflare attack on Pale Moon browser could be related to CVE-2025-22332. Probably it isn't related, but who knows?

[flamelord]

Moderator note: inappropriate flagging removed

Trump and whatever US President and politicians want to spy on you

The only way to fight back is by cyber-attacking Cloudflare, of course good luck with doing that and not ending up in jail

[Moonchild]

Off-topic:

Trump and whatever US President and politicians want to spy on you

The only way to fight back is by cyber-attacking Cloudflare

Let's not go there, alright? Please stay on-topic and don't start throwing wild accusations and outlandish "solutions" into the mix that will polarize people. There's no point in doing so.

[flamelord]

Moonchild, there is no point in denying the interconnectedness of things though.
Look at how the US Government is now demanding IDs for Americans to access sites like Pornhub.
The whole Cloudflare situation with Pale Moon and other browsers is just another part of the whole Orwellian dystopian plan that the powers that be have in store for us.

Going to US state attourneys as some other poster suggested is not likely to help, or if it will help it may just be a temporary bandaid merely prolonging the inevitable.

It has been weeks since Cloudflare broke Pale Moon and they’ve only escalated the situation since then.
Some posters here were delusional saying that ’’Cloudflare hasn’t issued an official statement yet’’ but they did just that when they told us to fuck off via their paid shills in their forum and they have been continuing to extend their middle finger by breaking it even further to the point of absurdity.
This is literally a full frontal assault on Pale Moon. Big guy picking on the little guy type of stuff.

[Moonchild]

Moonchild, there is no point in denying the interconnectedness of things though.

Really? Let's analyze that, then, since you are obviously not content just getting a warning.

Look at how the US Government is now demanding IDs for Americans to access sites like Pornhub.

How is that at all relevant to CloudFlare's broken "security checks"?... That's right, it isn't.

The whole Cloudflare situation with Pale Moon and other browsers is just another part of the whole Orwellian dystopian plan that the powers that be have in store for us.

I would call that a conspiracy theory - also irrelevant here. Conspiracy theories don't prove definitive interconnectivity.

Going to US state attourneys as some other poster suggested is not likely to help, or if it will help it may just be a temporary bandaid merely prolonging the inevitable.

Not being a US citizen I have no idea if this would help, but I'd say if people more familiar with the US judicial system think this might be an avenue to take, then I don't think dismissing it out of hand is going to be in any way better than taking the chance it might help. "If you don't take a shot you will always miss your mark".

Some posters here were delusional saying that ’’Cloudflare hasn’t issued an official statement yet’’ but they did just that when they told us to fuck off via their paid shills in their forum and they have been continuing to extend their middle finger by breaking it even further to the point of absurdity.

Be careful what you label as delusional. Do you know they were paid shills? Do you have any sort of evidence or even probable suspicion of that (have you investigated the posters to see if they are linked to the company? etc.)? CloudFlare has been 100% silent in any official capacity as far as I can tell. While that eventually can lead to conclusions of deliberate inaction, I do not subscribe to community posts being somehow orchestrated by CloudFlare itself, and hammering on that point is, like the previous point, more in line with a conspiracy theory than factual matters.

This is literally a full frontal assault on Pale Moon. Big guy picking on the little guy type of stuff.

Which is a fine opinion to have, but be careful what you draw into this. I agree this is gross negligence, or potentially malicious (depending on mens rea), but to tie this in with some assumption of political, corporate or other conspiracy is taking it too far. If you want to discuss that please make a new topic in the off-topic board and you can speculate all you want (without going off on polarizing political rants, please) -- over here, I'd like to continue to focus on the practical side of the matter: analysis of the problem, potential workarounds, potential community action to take to make CloudFlare or webmasters take action to solve it, etc.

[Gemmaugr]

Just got a response from reporting the issue to a non-postable site:

"The issue in your OP is one that should really be brought to [Admin]'s attention for possible resolution. I'll contact [Admin] and relay your concerns about Cloudflare and the lack of access to this site via "non-mainstream" browsers, for his consideration.
😐

Meanwhile, I've also read your previous posted comment in the [Redacted] section, as seen from your Profile page, concerning your requested mitigation of the "Cloudflare restriction" on this site's search engine as it adversely affects the lesser used, variant ["non-mainstream"] browsers which you've mentioned (See your post here) and can assure you that any part [firewall rules] of Cloudflare's services are not likely going to be altered at any point in the near future (Note: Cloudflare is an independent, third party company that specializes in internet security. IMHO, as one of its clients, this site should not amend any of Cloudflare's recommended, set policies ["restrictions"] that are deployed by default. Although Cloudflare's Web Application Firewall [WAF] feature (Not the entire Cloudflare security package) may be disabled by a site admin as part of a custom course of action to try to remedy the situation with the "non-mainstream" browsers, there's no telling whether doing so would inadvertently expose this site and any browsers to any new security vulnerabilities as well as the security vulnerabilities that were already resolved when Cloudflare's WAF was enabled by default). Also, although doable, exceptions for certain members' IP addresses to pass through Cloudflare's restrictions might not be practical as [Admin] might possibly have to maintain a [long?] list of multiple IP addresses in case any changes in the future with Cloudflare's WAF occur and those IP addresses need to be re-entered (Again, this is something that [Admin] should address).

You have to understand that prior to the usage of Cloudflare's services more than two years ago, the server that hosts this site was prone to persistent DDOS and other kinds of attacks (See example here for more details) which lead to periods of persistent problems including temporary site downtime for many members. Without Cloudflare's services [WAF feature as it is], this site would once again become vulnerable to those persistent attacks. Cloudflare's services, despite having any perceived adverse affects upon this site's search engine which appear to manifest within any lesser used, variant ["non-mainstream"] browsers for the few members who use them but not within the mainstream browsers like Chrome, Firefox, Opera, ... etc. used by many (If not most) members, are an indispensable and essential part of ensuring the continued operation of this site for our community.

IMHO, if those perceived adverse affects upon this site's search engine as seen in the lesser used, variant ["non-mainstream"] browser which you are using, are too much for you to bear than perhaps you should visit this site using a more mainstream browser or another lesser used, variant ["non-mainstream"] browser that is not as affected by the "Cloudflare restriction". Like the old saying goes, "The majority rule".

In any case, I'll email [Admin] and let him know about the situation.

I hope that all of this helps you~!
🙂"

[Sessh]

There appear to be plenty of Cloudflare alternatives that offer the same kind of protection without trying to force compliance to specific browsers though.

[Gemmaugr]

There appear to be plenty of Cloudflare alternatives that offer the same kind of protection without trying to force compliance to specific browsers though.

That is true; https://alternativeto.net/software/cloudflare/ (although it seems many of them have a similarly unctuous reputation. google, Amazon, Tencent).

[back2themoon]

I am guessing Cloudflare's free plan (the one that builds a better Internet) is too attractive to pass for small website owners.

It also seems pretty clear that Cloudflare has became a household name in this area. I'm sure they hold on to that reputation very dearly, and wouldn't want it tarnished.

[aliex]

While CloudFlare's behavior is horrendous I think there is also the bug in Pale Moon code if some external site can cause an endless loop which cannot be stopped by browser itself and causes OOM to boot. usually when javascript misbehaves I just get a dialog window with an option to stop offending script - but in this case it does not work work for some reason.

[Mike_Walsh]

I also chatted with Roy Schestowitz at TechRights on their IRC channel a few days ago. I wouldn't be surprised if he eventually links to @back2themoon's Hacker News post or some other mention of the problem, as TechRights has covered what they refer to as "ClownFlare" for a long time. But on the other hand, Schestowitz made it clear to me that his opinion is that people should simply avoid sites that use Cloudflare at all costs, which is actually my own personal opinion and my own tactic. So there's a good chance that TechRights simply never bothers to write about the people that are locked out of Cloudflare sites - sites that Schestowitz doesn't feel are worthy of getting any traffic at all anyway. He may, in fact, be quite happy that Cloudflare is locking people out of sites and may be hoping that Cloudflare locks a lot more people out of sites until they've destroyed the traffic to all their clients' sites. Which - actually - is kind of hard to disagree with. This entire business model of running a mafia-type "protection" racket at exorbitant fees for websites is quite obscene when you think it over.

I can't entirely agree with what you're saying here, Andy. I've been with www.bleepingcomputer.com since early 2016.....not far off a decade. During that time, I've made a lot of friends there, along with earning a decent amount of respect from many I've helped over the years. I was invited to join the staff at the beginning of COVID, and have earned respect there, too.....especially given I'm the sole Linux-only mod on a site originally set-up specifically to render assistance to just Windows users.

7-8 months ago, the site's owner, Lawrence Abrams - respected in his own right among the InfoSec community - added CloudFlare's verification widget into the mix to combat the ton of bots we were getting overrun with. Up until around a fortnight ago, I was getting past the "Are you human?" challenge without issue. Now, unless I use one of the many Chromium-based portables I package for the Puppy community, I can't even sign in, let alone access the site and do my job.

I admit I've been a Chromium & 'clones' man since it appeared on the market in 2008, buttt.......using Pale Moon is a personal choice. I happen to LIKE the browser. Have done for the last 11-12 years.

And now you're seriously suggesting that I just meekly turn around & wave goodbye, while saying "So long, guys. Been nice knowing ya...", by way of trying to make some kind of one-man protest which we ALL know will have zero effect?

Whilst I can understand & appreciate where you're coming from with your statement, it won't be practical - or even desirable - for ALL PM users to enact. Yet we still need SOME way of making these clowns sit up, take notice, admit they're wrong AND do summat about it.

I'm not hopeful ATM, though....

Mike.

[Moonchild]

While CloudFlare's behavior is horrendous I think there is also the bug in Pale Moon code if some external site can cause an endless loop which cannot be stopped by browser itself and causes OOM to boot. usually when javascript misbehaves I just get a dialog window with an option to stop offending script - but in this case it does not work work for some reason.

That really isn't true. Anyone can write recursive javascript that will hang up any browser. Something as simple as calling an interval from within an interval callback will literally grind any browser to a halt. Without seeing the unobfuscated source of CF's challenge code (which is of course not available for inspection) there's no telling what is causing this, but the behaviour seems to be typical of a recursive function issue which is by definition a problem in the script.

[vannilla]

I have ran some tests these days and I have discovered that Pale Moon's native user agent (that is, without any "Firefox" or "Gecko" shims in it, just "Goanna" and "PaleMoon") breaks the Cloudflare verification which will just loop infinitely even if the browser in use itself is one of the mainstream ones.
I have not tested the compatibility profiles, but I think they'll similarly break since they are different than a pure Firefox.
Basically, before Cloudflare checks if the browser meets whatever criteria they set, the user agent must match their list of "acceptable" strings.

[Moonchild]

Does this mean we can avoid the hangs with a native UA on challenges.cloudflare.com? If so, that would be a useful thing to push out through the dynamic useragent updates.

[back2themoon]

No, I think vannilla meant the native Pale Moon UA will cause mainstream browsers to hang, too. Of course, this is only a testing scenario.

This may prove there's some discrimination going on here though. It's clearly not about security and "update your browser" BS. Or they are just clueless and their software is amateurish at best.

[vannilla]

Unfortunately changing Pale Moon does not fix anything as they do other checks. The experiments only prove that not using very specific user agent strings can hang one of the "supported" browsers too.

[Moonchild]

Ah okay. so the "hang" seems to be a deliberate result of failing the "integrity check", then.
I can imagine it's done to make bots hang that use browser engines in their back-end (they shouldn't do that - it's not their task to interfere with running software even if it's an undesired bot - it should only deny access to the site the bot is trying to reach), but it does mean the code is absolutely malicious because it's intentional! After all, if it was a Pale Moon "bug" then mainstream should never hang, no matter if it failed their check in any way, whether UA based or otherwise.