Cloudflare Verification Loop issues

[andyprough]

To accidentally do so once or twice is understandable. But continued occurrences would be a pattern of negligence.
... Misrepresenting blocked real legitimate users as blocked unwanted bots could, depending on the severity, constitute advertising fraud.

I like the fraud angle.

Bringing a negligence claim might be difficult, as you would also have to show damages. Courts would probably only hold Cloudflare to a requirement to make sure that the sites are accessible using the most popular browsers, so an individual person browsing the web would have difficulty showing how they were damaged. On the other hand, a developer of an independent browser could probably show some damages. That's where it could get interesting.

[tellu-white]

Another page with problems created by Cloudflare:

https://tinyurl.com

Cloudflare went into a loop and after a few seconds it crashed the browser:

01.png

02.png

[billmcct]

From reading about Turnstile I guess PM's not a real browser.
I suppose PM is now a Bot.

From Cloudflare:
"For Turnstile, the actual act of checking a box isn’t important, it’s the background data we’re analyzing while the box is checked that matters. We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it’s an actual browser."

[flamelord]

I don't think CF will budge. They've clearly made their stance known.

No they have not. The last official word from them was that this situation should not be happening and they are willing to fix it on their end.

Nice of you to ignore 90% of my whole post.
They did make their stance known btw. In that thread it was plainly obvious.

If they backtrack and ’’fix’’ the issues it’s because of the effort people here made to post it to Hacker News and pressuring them to do it.

[BenFenner]

They did make their stance known btw. In that thread it was plainly obvious.

You mean in a "their silence is deafening" sort of way?

[Moonchild]

As far as I'm concerned, by not addressing this issue quickly and with urgency, they are violating the promises of the product that people pay for. An argument for leeway in regards to response time can be made. However, there are allegedly(?) other longstanding false positives that have not been addressed nor documented & shared as irreconcilable from unwanted bots.
As far as I'm concerned, repeatably blocking real legitimate users due to negligence is also violating the promises of the product that people pay for. Issues like this one have allegedly(?) happened multiple times and continue to reoccur. Cloudflare deploys challenges which block real legitimate users until the issue is fixed, particularly issues that are detectable prior to deployment with minimal testing or issues intuit-able as non-browser-agnostic even before testing. To accidentally do so once or twice is understandable. But continued occurrences would be a pattern of negligence.
Presuming the above allegations are substantiated, they also have a slippery slope into the accuracy of their metrics and reports. Misrepresenting blocked real legitimate users as blocked unwanted bots could, depending on the severity, constitute advertising fraud.

You are absolutely correct in all of that. No, this isn't the first time, or the second, or the third. If I recall correctly this is now the fifth time and the blocking of legitimate users has lasted up to 2 weeks. We're now a week into this occurrence and it doesn't look like this is any quicker this time around. Each time it also seems to be impacting more legitimate browsers that aren't Blink-based.
Yes they are absolutely breaking their promises. No, there isn't much we can do about it (short of expensive and lengthy litigation which would have to prove several difficult factors like actual harm and either gross negligence or malicious intent which is very difficult when the party affected isn't actually a client - in addition to the hurdle of international litigation). Since it affects people's Internet access this also treads into general accessibility areas beyond the mere commercial edge of it, but ultimately webmasters are in control of their own use of CloudFlare and they will have to vote with their wallet for this to change, I think.

[flamelord]

They did make their stance known btw. In that thread it was plainly obvious.

You mean in a "their silence is deafening" sort of way?

Telling us to use Google Chrome and rushing the thread to closure is not exactly silence
They literally gave the post of that guy(hired shill) who told us to use Chrome ''best solution'' even though he was being downvoted

This is as official as it gets for them
They won't give us the kind of official announcement you think they will

[dirkf]

From reading about Turnstile I guess PM's not a real browser.
I suppose PM is now a Bot.

From Cloudflare:
"For Turnstile, the actual act of checking a box isn’t important, it’s the background data we’re analyzing while the box is checked that matters. We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it’s an actual browser."

So, "we break the Web", in fact.

Registering here shows one way to define a challenge without doing that, though, strangely similar to CF and captcha, 3 correct answers were needed to pass.

Any such measure, whether an HTML challenge as here or a sophisticated and unreliable spyware like Turnstile, is vitiated if bots are driven by LLM/AI that can pass as human in such a context. The result is that simple and useful tools are blocked, while corporate plundering is not affected. There is clearly a need for defence against DDoS, yet not this.

[Deadgye]

You are absolutely correct in all of that. No, this isn't the first time, or the second, or the third. If I recall correctly this is now the fifth time and the blocking of legitimate users has lasted up to 2 weeks. We're now a week into this occurrence and it doesn't look like this is any quicker this time around. Each time it also seems to be impacting more legitimate browsers that aren't Blink-based.
Yes they are absolutely breaking their promises. No, there isn't much we can do about it (short of expensive and lengthy litigation which would have to prove several difficult factors like actual harm and either gross negligence or malicious intent which is very difficult when the party affected isn't actually a client - in addition to the hurdle of international litigation). Since it affects people's Internet access this also treads into general accessibility areas beyond the mere commercial edge of it, but ultimately webmasters are in control of their own use of CloudFlare and they will have to vote with their wallet for this to change, I think.

Wallet voting is indeed often the only practical method.
The good neat thing about litigation being expensive and lengthy is that it turns liability risk into an opportunity cost analysis. If it's feasible for a suit to get passed the initial dismissal attempt, it can be cheaper to fix the alleged issue and modify SOPs, even if the plaintiff is unlikely to win. A false advertising claim is interesting as well, since the plaintiff does not need to show that they suffered actual injury from the defendant’s allegedly false advertising. Of course, such a claim would need to be made by current or potential customers, rather than end users like me.
There are likely similar suits that their documentation and actions have increased their liability risk for, some of which could have browsers like you or end users like me as plaintiffs. And the possibility of any of those particular suits upgrading to class action is not negligible, which increases their risk factor further. If even one such class action suit gets passed the gate, it'd be a no-brainer for those eligible to jump on board and increase the weight.

In any case, litigation is undesirable for everyone. But from a professional and legal standpoint, they should really get their shit in order. They're taking unnecessary risks for minor or negligible benefits. I'd like to believe they're not appropriately aware of that.

[back2themoon]

There's a new topic in the Cloudflare Community. My opinion is that we should refrain from commenting there (to avoid getting flagged again...), leaving it as "clean" as possible and see what happens - if anything happens.

But perhaps it's an opportunity for the Pale Moon developer(s) to voice their opinion there.

(Caution: link below may crash Pale Moon - temporary fix available here)

Disappointed in handling of less-popular browsers

[Moonchild]

But perhaps it's an opportunity for the Pale Moon developer(s) to voice their opinion there.

My direct input is really not valued by CloudFlare as shown in the past. I don't think it will make any difference this time around, and I'm not in the habit of doing the same thing over and over and expecting a different result. I've tried enough, and the most I ever got was a courtesy message (sometimes) way late after things had been restored with a half-hearted assurance it "wasn't on purpose".
But anyone else involved in development contribution now or in the past is welcome to be a voice for the project too - after all, it's their work that's being devaluated here too. I just personally don't feel any desire any more to waste my time on it. I apologize for that if people think "I'm not doing enough".

[damjang]

I'm also having troubles with Cloudflare trying to access www.convertapi.com and go to Sign-in. Sometimes only verification loop, but sometiames also PM closes directly or after some minutes (e.g. this happened while I read this tread and got a tab open on cloudflare stuck page!).
Hope they take in account PM and correct this problem

[Moonchild]

The app crashes should be solved in the upcoming browser update. It won't fix the looping but at least won't close the browser unexpectedly.

[__NM64__]

I made a post using my "plan B" browser on https://forums.nrvnqsr.com regarding this Cloudflare issue and one of the people I know that run the site asked the following:

Do you have any suggestions or alternatives?
We need Cloudflare right now, as without it, the site gets swarmed with enough bots that we cannot maintain the server properly.

I may be a computer geek, but I'm a hardware computer geek with barely any software-dev skills (there's a reason my choice of Linux distro is Mint rather than Arch or Gentoo). So if a more web-dev focused person can advise me what to relay, that'd be great.

...alternatively, I wonder if I should actually start a new forum thread titled something like "What are alternatives to Cloudflare for prevent bots from swarming a hosting server?" since it's arguable that my inquiry is only tangentially related to this thread rather than directly related.

[damjang]

The app crashes should be solved in the upcoming browser update. It won't fix the looping but at least won't close the browser unexpectedly.

Thank you!

[back2themoon]

Few more articles:

Cloudflare blocks minor browsers, Cloudflare promises to investigate but leaves it alone with no response
(not sure where that "Cloudflare representative" appeared - perhaps they confused the 2022 post, or I missed some of the 450+ comments on HN)

Cloudflare's CAPTCHA platform appears to block niche browsers such as Pale Moon

Privacy Guides repost
(powered by Discourse - probably won't open correctly in Pale Moon)

As for the new Cloudflare Community topic, it's already receiving some meaningless replies and "Solutions" by "MVPs".

[Pelican]

Control freaks need to grow up & mind their own business

Without web security the Internet would be more of a sewer than it already is.

What will be at blame is lazy and naive web developers and their network admins.

[Michaell]

...alternatively, I wonder if I should actually start a new forum thread titled something like "What are alternatives to Cloudflare for prevent bots from swarming a hosting server?"

I just loaded a page on substack.com and it attempted to load a script from datadoghq-browser-agent.com . I had it blocked but it sounds suspiciously like what CF is doing, except in this case it's a different domain. May not be relevant but made me think about other sites websites are using for this kind of stuff.

[BenFenner]

So if a more web-dev focused person can advise me what to relay, that'd be great

This is kind of a non-answer, but if they want to go nuts and switch hosting providers, they could have an amazing experience over at www.nearlyfreespeech.com and benefit from their sane, very good methods of dealing with DDoS attacks and similar.

I've been with them going on 8 years now and have never experienced a DDoS attack, and if I did, it would be no big deal because of how they handle them.
For example:
https://faq.nearlyfreespeech.net/full/attack#attack
https://faq.nearlyfreespeech.net/full/slashdot#slashdot

[gepus]

Off-topic:

.. which I verified by passing the verification with IceCat 115, Firefox ESR 115.19, and Firefox ESR 115.20.

- (unofficial) IceCat for Windows vs FirefoxESR 115.19, 115.20 -
Just want to bring to your attention that newer IceCat for Windows is compiled having only Win10/11 in mind (due to the version of Rust used).
Therefore, unlike Firefox ESR 115.19 or Firefox ESR 115.20, IceCat 115 for Windows won't run on Win7 anymore.