CloudFlare: summary and status


Unread post by Moonchild » 2025-02-25, 12:34

Since this seems to be an on-going problem at this time, this topic aims to provide a summary and "current status" regarding CloudFlare and its promise they "aren't in the business of claiming any browser is more legitimate than another" handling of their Captcha/turnstile pages.

Start of the issue

On Jan 31st, users reported that, similar to an occurrence in 2022, CloudFlare's captcha/"I'm under attack" mode had started failing and looping instead of passing and letting browser users through. It soon became clear that this time, UXP browsers weren't the only ones being denied access to the sites being "protected" by CloudFlare. Even Firefox ESR 115 was affected.
The community was quick to respond, opening a CloudFlare community thread explaining the problem (which is the only communications channel available to end users, see below) and reporting the issue.
Assuming Mozilla applied corporate pressure for Firefox ESR, CloudFlare changed its captcha scripting soon after which, in turn, exposed a crash issue in UXP by triggering a situation that was not initially accounted for in JavaScript and would not normally occur. Despite the crashes, CloudFlare did not respond to reports about it, effectively causing DoS for all UXP browser users. The crash was solved with an accelerated release of Pale Moon 33.6.0.
Shortly after this, CloudFlare made another change which, this time, caused a different kind of denial of service by triggering script hang/out-of-memory issues through what seems to be deliberate behaviour when the script does not pass a collection of Web API checks (since the same behaviour was observed on their "officially supported browsers" as well if the user-agent was spoofed to Pale Moon!). The worst symptoms were mitigated with an out-of-band release of Pale Moon 33.6.0.1, which still suffers from the script hang but can recover after the script termination watchdog kicks in.

Limited communication channels available and being ghosted

CloudFlare has extremely limited communication channels available. End users can only post in the self-help "community", webmasters/clients can only get direct communication with CloudFlare by being on one of the higher tier CloudFlare subscriptions, and third party software vendors (like myself) have no direct channel of communication with CloudFlare at all, despite being directly affected by their hold on many of the Internet's services/availability.
Even more so, attempting to contact them through what channels are available resulted in me being ghosted. A request for contact and opening a dialogue for the on-going issues was opened on Feb 13th 2025, nearly 2 weeks ago, with so far 0 response.
notifications@cloudflare.com wrote: Your request (01388216) has been submitted, and we will be contacting you soon.

Status

Our current status is and remains that any and all websites that are behind a CloudFlare captcha or having activated their "I'm under attack" mode/turnstile pages, are unreachable from Pale Moon and other browsers. The issue in 2022 lasted approximately 2 weeks. This time we're left dead in the water for nearly a month as of the time of writing, with no view on any of this being resolved, no information from CloudFlare, no official statements (other than their short list of commercial browsers listed on their site that they "support"), and a clear and present discrimination against independent, Open Source projects like ours.
Consequentially, our project is currently losing daily active users, and we're being damaged with our traffic-based income being undermined as a result. The longer this lasts, the greater the damage is. Unfortunately my options are limited.
There are grounds for legal action as a last resort, but international anti-trust litigation is difficult and will likely take the better part of a decade to be resolved if I go by the US legal system.
"The world will not be destroyed by those who do evil, but by those who watch them without doing anything." - Albert Einstein
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite


Unread post by Basilisk-Dev » 2025-02-25, 13:20

Moonchild wrote:
2025-02-25, 12:34
There are grounds for legal action as a last resort, but international anti-trust litigation is difficult and will likely take the better part of a decade to be resolved if I go by the US legal system.
I appreciate you outlining the current situation with Cloudflare, and I completely understand the frustration. This issue also directly affects Basilisk, and I’m seeing similar impacts.

Regarding legal action, I want to express my potential interest in pursuing this as well. Since I’m based in the U.S., I may have additional legal avenues to explore that could be relevant to this case. If you’re seriously considering taking action, I’d be open to discussing options and possibly coordinating efforts.

Feel free to PM me and let me know your thoughts on this.
Basilisk Project Owner

viewtopic.php?f=61&p=230756


Unread post by Moonchild » 2025-02-25, 22:30

There was suddenly some movement on the ticket opened, and it was marked "resolved" with a form reply that they "have limited support availability for free tier customers". Since someone at the very least scanned the ticket today, a reply was sent since the case was not yet closed (that happens after 72 hours after their marking as "resolved") that should flag it for further review.

@Basilisk-Dev, I'll take you up on the offer for being a legal proxy if that ends up not working out. I'll be damned if I let them destroy us without a fight.

Unread post by Gemmaugr » 2025-02-26, 00:34

Would this be pertinent vis a vis a US approach?

https://reclaimthenet.org/ftc-probes-bi ... estigation

https://xcancel.com/AFergusonFTC/status ... 91287893#m

Cloudflare is working closely with Big Tech Google, and only allows chromium-like browsers to access their clients' sites (unknowingly towards the site owners in many cases), shadow-banning Pale Moon users.
It's also extremely anti-competitive for such a big CDN to act as a gate-keeper when in league with a monoculture corporation.


Unread post by Bottennapp » 2025-02-27, 12:19

Is there any possibility that the Swedish Konsumentombudsmannen (KO) could be of use?


Unread post by Moonchild » 2025-02-27, 13:34

Bottennapp wrote:
2025-02-27, 12:19
Is there any possibility that the Swedish Konsumentombudsmannen (KO) could be of use?
I don't see how, as that organisation is for customer complaints of Swedish businesses, primarily. CloudFlare isn't a Swedish business, and we're not even a client of CloudFlare.

Unread post by back2themoon » 2025-02-27, 16:41

I'd suggest forwarding this as an official statement, to several media outlets. As many, as large and as related as possible.


Unread post by Moonchild » 2025-02-28, 17:22

As a status update, the following:
  1. The ticket requesting a dialogue is still on hold/open/unanswered - CloudFlare continuing to ghost me. Considering other information received through other channels, at this point I don't think that will be going anywhere.
  2. According to trusted sources familiar with the matter and through their outreach, it seems to be that within CloudFlare, there has indeed been a shift in policy towards only supporting the main commercial browsers, and simply not caring about user choice, independent development or smaller marketshare web browsers. The argument being given is that "none of their clients are forced to use CloudFlare", and none of their clients are forced to use the captcha/turnstile "feature" of their service, and also that nobody is forced to use Pale Moon (or other affected browsers), wholly ignoring the fact that the first argument is often countered by webmasters requiring CloudFlare's proxying to deal with the flood of bot traffic on the Internet. I'm sure they are happy about that lock-in but clearly don't want to admit it.
  3. Cloudflare has taken the "official position" to not expend resources supporting Pale Moon or the other browsers that they deem to "not be standards compliant with modern browsers". That in itself means they equate the implementation of the browsers they do officially support to "standards" (while those are and always have been two entirely different things. Implementations are not standards and standards are not implementations). However, it is the parity they demand from any visitor. Of course, that is literally not possible unless the visiting browsers are using the exact same engine and version as the supported ones, in turn meaning they are not allowing any deviation or independent development or freedom of choice. Whether browser users are actually real human beings using actively developed and updated software doesn't even enter the picture in their reasoning.
  4. The CloudFlare bot detection development team also indicated that for Pale Moon specifically, there's no way to support it without weakening the overall bot detection logic so the team developing it does not find it to be an acceptable tradeoff - of course I find that nonsense. Especially in this age of automated behavioural analysis being commonplace, human browsing behaviour is easily distinguishable from bot behaviour, but the real issue seems to be that this bot detection development team simply doesn't want to put in the work or effort to be accurate in their detection. Compare this to an antivirus suite hitting false positives; is it acceptable that an antivirus scanner would just flag and block suspected programs even if the developer of that program indicates it's safe? And keep blocking that program indefinitely because the AV publisher determined that "it's not used often enough to be an acceptable tradeoff of development time" to let the scanner pass it? Absolutely not. And the same should be the case here! I do not, for one second, believe that bots are indistinguishable from users using Pale Moon or the other affected browsers, and stating this is just deflecting the issue from IMO that dev team simply either not wanting to do the work, or having been told to not do the work from the upper echelon of CloudFlare (for whichever corporate/investment reason).
  5. CloudFlare also seems to have completely skewed metrics of Pale Moon usage, having thrown a figure of 0.003% of traffic our way. If that was the case, a quick calculation would have the number of active Pale Moon users well under 1000, going by an estimate of active browser users on the globe (even including mobile). Whether that is a deliberate mistake or not, I don't know, but it certainly doesn't match reality.
  6. CloudFlare also indicated that we "aren't that important". So that's basically it; we're not considered "important enough" to keep in mind. Our users apparently (according to CloudFlare) aren't important enough for the many thousands of websites that are affected to bring their business to them. The very real users of Pale Moon and other browsers affected by this don't matter in their calculations when they decide to either "add more value" (i.e. add another 'feature' they can sell to enterprise customers, as they have been doing over the more recent years) vs. "do things properly". In the end, money talks and freedom and user choice has to take a backseat.
To say that I'm both really disappointed and upset is an understatement.
back2themoon wrote:
2025-02-27, 16:41
I'd suggest forwarding this as an official statement, to several media outlets. As many, as large and as related as possible.
I welcome this. I don't know what media outlets in the USA would be relevant for this context, so I could use all of your help here.
If they want to get in touch with me directly with questions, they can e-mail biz @ palemoon {dot} org

Unread post by LuftWafflePilot » 2025-03-01, 08:51

This really might be the end of Pale Moon in a way, as someone said in the other thread. I mean if more and more websites use Cloudflare, and Cloudflare intentionally ignores the problem, lots of people will basically stop using PM for obvious reasons.
As if the situation wasn't bad enough already - my Firefox usage grew from having just Facebook, Youtube and Twitch opened in there to pretty much full secondary browser with 20 or so tabs opened, because a shitload of websites simply don't work in PM correctly.
But I can live with that (with some cursing and salt (not towards PM of course)).
What I can't live with (long term) is half the other sites randomly locking PM up because suddenly a Cloudflare check shows up (that started randomly/irregularly happening on one website I had no idea used Cloudflare). That would turn the situation 180° and would make PM the secondary browser. That's just sad.

If this goes on for long enough, will people still want to use PM? I don't know. It certainly already makes browsing a colossal pain in the arse, depending what websites you regularly visit. But if people jump the ship, what's the point spending your time and money developing something that's hardly being used anymore? Right now the future certainly looks grim from my point of view (but then again I am a pessimist...)
Last edited by LuftWafflePilot on 2025-03-01, 12:33, edited 1 time in total.


Unread post by back2themoon » 2025-03-01, 09:35

Declaring "the end of Pale Moon", because a tiny amount of mostly small websites with few resources use Cloudflare's increased "security" checks (a mainstream browser allow-list essentially - that's what these websites get if they don't PAY Cloudflare), is not my book. Be a pessimist all you want, but what is needed here is to keep pushing, and expose Cloudflare for what they are REALLY doing.

Personally, I am not affected by this issue. My 2-3 problem websites, were instantly handled by tellu-white's "Bypass Cloudflare with "Backup Browser" Cookies" extension. SourceForge instantly fixed their website with a simple post on their forum.

My only real headache was writing a setup guide for that extension, and getting people to actually read it. I am now trying to collect a list of media outlets to forward to Moonchild. I suggest you all contact your problem websites about this, and every tech community -or even general interest communities- you are a member of.
Last edited by back2themoon on 2025-03-01, 11:35, edited 1 time in total.


Unread post by back2themoon » 2025-03-01, 09:56

Oh, and Cloudflare has removed the "Send feedback" ability from their tool while it is endlessly "verifying" Pale Moon.

They had the time to "expend resources" for that, apparently.
Last edited by back2themoon on 2025-03-01, 11:36, edited 1 time in total.


Unread post by LuftWafflePilot » 2025-03-04, 08:50

back2themoon wrote:
2025-03-01, 09:35
Declaring "the end of Pale Moon", because a tiny amount of mostly small websites with few resources use Cloudflare's increased "security" checks (a mainstream browser allow-list essentially - that's what these websites get if they don't PAY Cloudflare), is not my book. Be a pessimist all you want, but what is needed here is to keep pushing, and expose Cloudflare for what they are REALLY doing.
Excuse me? I started seeing these fucking checks on like 20-40% sites I visit (it's difficult to guess because they show up seemingly randomly), including the largest Czech eshop and a huge international community website with tens of thousands of users, basically on sites I had no idea had anything to do with Cloudflare at all.
Tiny my arse... This IS a big problem.


Unread post by back2themoon » 2025-03-04, 09:07

Some are more affected than others, sure enough. You are, others are not. My post was about "declaring the end of Pale Moon".

I never said this wasn't a problem. Please pay more attention.


Unread post by frostknight » 2025-03-06, 11:01

back2themoon wrote:
2025-03-04, 09:07
Some are more affected than others, sure enough. You are, others are not. My post was about "declaring the end of Pale Moon".
Agree with this completely. Assuming such things is foolish.
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!


Unread post by Moonchild » 2025-03-15, 01:42

Another status update:
  1. Following the previous update in this thread, we had Michael Tremante from CloudFlare reach out, with what seemed to be a promising start of a dialogue, on March 4th. This was on the forum in a private message. To speed things up, I transitioned this to e-mail with my reply (within hours) to have a direct line to him (since that channel was offered).
  2. To streamline things I reached out internally to main Pale Moon and UXP contributors and set up a closed mailing list to discuss things openly among community contributors and CloudFlare contacts. I asked whom of CloudFlare to add to the mailing list (in my direct e-mail reply) but that was never answered, so for the time being it was just Michael. I also offered Discord as a way of having real-time contact - our community members responded well to that, but without CloudFlare also joining, that's not really a good way to move forward, so far.
  3. After those initial messages (4th, 6th and 10th) it seemed like we might actually have a dialogue, however the channels I put time and effort into setting up on our end were not actually used by CF, and while CF suggested they would rather be in the controlling seat for any such effort, nothing else was offered from their side to get this ball rolling in terms of communications channels.
  4. CloudFlare indicated they didn't want to roll back what they did end of Jan because of their continuous changes to the bot detection and the surprising notion that they apparently had trouble finding what broke it. After voicing my surprise, there was a pretty clear answer that they did find what was the issue (relying on 2 particular JavaScript functions without saying which ones, as well as some CSP assumptions, once again without stating which ones exactly). With this knowledge as well as my feedback how to easily detect Pale Moon's user-agent, they should have been able to fix this issue on short notice (within a day, I'm sure), but that didn't happen, so far... - and no information was provided to do anything on our end to work around the problem (other than pulling in Firefox cookies as Tellu-White's extension allows to do).
  5. Along with that, the idea was tossed up to have people part of the discussion from our end signing an NDA with CF. It's a tricky question for some community members who may not be able to sign it due to their own existing employment elsewhere; but I personally would have no issue if it was reasonable (and sufficiently narrow to the problem at hand) and well-described. This and potential forward moving discussion was suggested on Monday (the 10th). I wrote a reply and offered the notion to the mailing list members. Instead of actually continuing the discussion though, CF went radio silent until sending me an overly broad and generic form-NDA document to sign on Friday at 6pm (through Adobe docusign) without any further explanation, context or personal outreach from Michael, with the NDA apparently put up for signing by someone else within CloudFlare -- of course that will mean it'll be at least again another week until anything happens in terms of even talking, let alone having a solution for CloudFlare still blocking our access. Of note: this NDA idea was to "speed things up" but it seems it's just being used to stall things unnecessarily at this point. I can't sign a generic overarching NDA that would actually clash with EU directives and local law for me, might interfere with my development of UXP/Pale Moon, on top of it still not being clear what good it would do for the problem at hand or how it would speed things up unless specific details are offered to do anything on the client side, or ask specific questions about the detection they are attempting and failing us on. Whitelisting is easy, is an NDA needed for that?
Our current situation remains unchanged: CloudFlare is still blocking our access to websites through the challenges, and the captcha/turnstile continues to hang the browser until our watchdog terminates the hung script after which it reloads and hangs again after a short pause (but allowing users to close the tab in that pause, at least). To say that this upsets me is an understatement. Other than deliberate intent or absolute incompetence, I see no reason for this to endure. Neither of those options are very flattering for CloudFlare.

I wish I had better news.

Unread post by andyprough » 2025-03-15, 03:40

Moonchild wrote:
2025-03-15, 01:42
overly broad and generic form-NDA document
I could be wrong about their intentions, but this overly broad and generic form NDA is pretty typical in my experience, as the corporate lawyer's job is to cover the corporation against any and all potential legal issues, so they will tend to write the first versions of contracts and NDAs and things of that nature in the broadest possible language. I'd reach out to Michael and ask him if it could be narrowed in scope down to the particular issue and to make it permissible in your jurisdiction, you might be able to get somewhere. Probably worth a try.

IANAL by the way.


Unread post by Nuck-TH » 2025-03-15, 07:58

They've gone silent and/or time stalling because they achieved their goal - stop propagation of news about their anticompetitive behavior. Nothing surprising. :coffee:
NDA in current discussion is absolutely bonkers. Call me paranoid, but methinks its goal is to disable any signee from ever commenting on the issue in the future or else.

I think both further stalling and demand of NDA should be brought to public news. World must know their heroes.


Unread post by Bilbo47 » 2025-03-16, 19:22

NDAs are the devil, intended only to prevent truth from being known. Same with legal gag orders.


Unread post by back2themoon » 2025-03-16, 19:33

So, they were all talk and nothing else. I'd give them a deadline to actually do something useful.

After that, they'll be on the news again and this time, it'll be worse.


Unread post by Moonchild » 2025-03-20, 11:48

Update to the situation:
  • As of right now, CloudFlare has (finally) made changes to their captcha/turnstile scripting to allow Pale Moon through. This seems to be a specific (naive) whitelisting "hack" to their system and not a systematic solution to separate bots from legitimate users which will (apparently) take much more effort. Despite that, CloudFlare has clearly indicated they still reserve the right to shut us out without notice if, in their opinion, this whitelisting will be abused by bots, meaning there remains a lot of tension between us and them.
  • CloudFlare has asked us to implement several specific features into the platform to satisfy whatever suite they are currently using to determine if we are "a legitimate browser". I personally think this is a topsy-turvy world, as it should be CloudFlare's job to ensure their detection is accurate by detecting existing feature sets of legitimate browsers, not ours to make changes to our feature set to cater to whatever (likely continually changing) detection implementation they chose to use -- however, in the spirit of cooperation and moving forward, what has been requested has been prioritized in UXP development.
  • CloudFlare has indicated they want to set up a "browser developer program" for long-term collaboration between browser vendors and CloudFlare, to catch these things in the future before they are deployed. Because of past experiences I remain sceptical about this until I actually see it being fleshed out. I'll report on this again when I know more.
  • Even with the whitelisting, parts of our user base are still reporting issues with CloudFlare captchas/challenges. Notable causes for this seem to be: lower end hardware with limited acceleration support or remote desktop environments, specific configurations that harden the browser against privacy intrusion (since their "new" detection seems to be based as much on browser fingerprinting techniques as actual feature detection!), and apparently different media user configurations. CloudFlare needs to do more work to fix these denial of service issues.
I do not currently know what the status is for other affected browsers (quite the list), so this status update is only about Pale Moon specifically.