mstremante wrote: ↑2025-03-28, 17:51
All: quick note that we are still working on this. I hope to have some updates (better testing setup, browser developer program update, etc.) next week.
Dear mstremante,
I hope this message finds you well. I would like to bring to your attention a critical security concern regarding Cloudflare's current approach to browser validation, which is very relevant at the moment, specifically Cloudflare's requirements for certain security vulnerabilities and features that enable canvas fingerprinting. This practice raises several significant issues that need to be addressed, particularly concerning potential security risks and privacy implications.
It appears that Cloudflare’s security checks rely on features that exploit known security vulnerabilities, such as canvas fingerprinting, which is increasingly regarded as a security defect. This creates a substantial issue because it forces browsers to incorporate a feature that is not only privacy-invasive but also recognized as a vector for malicious exploitation by bad actors in the wild. As a result, any browser that does not support this vulnerability is effectively blocked from passing your security checks, which raises a severely troubling question I must ask with all the respect possible:
- Is Cloudflare penalizing browsers for being too secure?
Perhaps it's better that this be a series of questions, so as a professional cybersecurity and software engineer working in the browser development space, I have several important questions I would like to pose based on the question above:
- Is it Cloudflare's intention to block browsers that do not support this security vulnerability from accessing the internet?
- Is an insecure browser engine, one that allows malicious or insecure canvas fingerprinting, now a stated requirement for passing Cloudflare’s security checks?
- If a browser like Pale Moon chooses to protect user privacy by blocking this fingerprinting, would Cloudflare still penalize it for not implementing the features that make it vulnerable as they have in the past?
- Does Cloudflare consider browsers that do not support this vulnerability to be illegitimate?
Many Chromium forks, including those that intentionally block canvas fingerprinting for its security implications, are currently experiencing issues with Cloudflare's security checks.
These forks, which prioritize user privacy and security, should NOT be penalized for opposing features that are widely regarded as SECURITY FLAWS. Many other browser engineers, including myself, believe this approach is unfair and should be reconsidered. Cloudflare, by enforcing such checks, appears to be advocating for INSECURE systems.
It is crucial to understand that requiring browsers to support features like canvas fingerprinting, which is widely viewed as a security vulnerability, does not align with industry best practices. By imposing such requirements, Cloudflare risks undermining user trust in the broader ecosystem and, frankly, damages its reputation as a security-focused service. Asking me to make a client system less secure as a prerequisite seems unwise, and as a cybersecurity professional, I have to wonder why your engineers are telling you that it doesn't work with secured clients. It makes me trust Cloudflare less, and it makes me want to advocate for my employers and my peers to advocate for not using your service.
Furthermore, are you aware that this could enable bad actors with malicious intent to exploit your protections in order to gain access to only insecure clients that have this security exploit possible?
Based only on the data I have now it seems like Cloudflare, by mandating a lack of security in browsers to pass its validation checks, is potentially hindering global internet security. The minimum requirement for passing your checks seems to be that browsers must allow or support known security flaws in their released software; I strongly urge you to reconsider the implications of this approach, and the long-term consequences it could have on internet security, as well as the security of your customers.
You claim to not want to be the company that decides which browser is legitimate or not... so may I respectfully ask, what is the bar? Because you can't say it's about support for specific APIs when browsers that have those APIs fully supported - they are full Chromium forks - still can't pass your checks after they fix known security problems.
While I fully support Cloudflare’s efforts to combat bots - I personally dislike malicious bots, having been harmed by them myself - it is deeply concerning to me as a long-time cybersecurity and software development professional to see your company requesting that open source projects add features that seem to only exist to specifically exploit known security defects in an effort to take away user privacy and security goals.
The fact that browsers that have closed security gaps, such as canvas fingerprinting, are being targeted by Cloudflare raises questions about the true nature of your security checks.
- Specifically, what is the actual threshold for passing Cloudflare's security validation?
- Is the goal to promote security, or to punish browsers that are considered "too secure"?
- Is Pale Moon being targeted simply because it is too secure by default?
- If Pale Moon decides not to support canvas fingerprinting, will Cloudflare still allow Pale Moon users free access to the Internet?
- Given that we know many Chrome forks also experience these same issues but they are fully known to support the APIs you requested, I would like to request further knowledge about your checks in order to fully understand all of the requirements needed by a browser to pass them, in the spirit of you wanting to not be the company that picks and chooses which browser is legitimate and which one is not. I can think of several Chromium forks that have full support for the APIs you've requested but are also having issues with Cloudflare, and I suspect it could be because they've explicitly decided to close security problems that perhaps Cloudflare is dependent on?
I sincerely hope that Cloudflare was unaware of these issues, but given that Cloudflare publicly claims to be a leader in internet security, I must assume that your team is well aware of these implications. If I can identify these issues, I trust your team has already recognized and, unfortunately, dismissed them. I hope we can work together on a fix, not just for Pale Moon or Basilisk, all the same.
I am always open to constructive discussions made in good faith. I have also put significant effort into crafting this message in the most respectful and professional manner, while still highlighting the very real security concerns that Cloudflare's current approach poses to the broader internet ecosystem. It is vital that Cloudflare reassesses its approach to ensure that internet security does not continue to be compromised by favoritism for browsers that can be exploited using known security defects that multiple vendors have decided to fix due to the risk they pose to their human customers.