606
Cloudflare blocking Pale Moon and other browsers with smaller user bases (www.theregister.com)
submitted 5 months ago by dantheclamman@lemmy.world to c/technology@lemmy.world
75 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[-] AnAmericanPotato@programming.dev 202 points 5 months ago

Disgusting and unsurprising.

Most web admins do not care. I've lost count of how many sites make me jump through CAPTCHAS or outright block me in private browsing or on VPN. Most of these sites have no sensitive information, or already know exactly who I am because I am already authenticating with my username and password. It's not something the actual site admins even think about. They click the button, say "it works on my machine!" and will happily blame any user whose client is not dead-center average.

Enter username, but first pass this CAPTCHA.

Enter password, but first pass this second CAPTCHA.

Here's another CAPTCHA because lol why not?

Some sites even have their RSS feed behind Cloudflare. And guess what that means? It means you can't fucking load it in a typical RSS reader. Good job!

The web is broken. JavaScript was a mistake. Return to ~~monke~~ gopher.

Fuck Cloudflare.

[-] SerotoninSwells@lemmy.world 107 points 5 months ago* (last edited 5 months ago)

I get why you're frustrated and you have every right to be. I'm going to preface what I'm going to say next by saying I work in this industry. I'm not at Cloudflare but I am at a company that provides bot protection. I analyze and block bots for a living. Again, your frustrations are warranted.

  • Even if a site doesn't have sensitive information, it likely serves a captcha because of the amount of bots that do make requests that are scraping related. The volume of these requests can effectively DDoS them. If they're selling something, it can disrupt sales. So they lose money on sales and eat the load costs.

  • With more and more username and password leaks, credential stuffing is getting to be a bigger issue than anyone actually realizes. There aren't really good ways of pinpointing you vs someone that has somehow stolen your credentials. Bots are increasingly more and more sophisticated. Meaning, we see bots using aged sessions which is more in line with human behavior. Most of the companies implementing captcha on login segments do so to try and protect your data and financials.

  • The rise in unique, privacy based browsers is great and it's also hard to keep up with. It's been more than six months, but I've fingerprinted Pale Moon and, if I recall correctly, it has just enough red flags to be hard to discern between a human and a poorly configured bot.

Ok, enough apologetics. This is a cat and mouse game that the rest of us are being drug into. Sometimes I feel like this is a made up problem. Ultimately, I think this type of thing should be legislated. And before the bot bros jump in and say it's their right to scrape and take data it's not. Terms of use are plainly stated by these sites. They consider it stealing.

Thank you for coming to my Tedx Talk on bots.

Edit: I just want to say that allowing any user agent with "Pale Moon" or "Goanna" isn't the answer. It's trivially easy to spoof a user agent which is why I worked on fingerprinting it. Changing Pale Moon's user agent to Firefox is likely to cause you problems too. The fork they are using has different fingerprints than an up to date Firefox browser.

[-] AstralPath@lemmy.ca 35 points 5 months ago

Dude, thank you for this context. I was already aware of these considerations but just wanted to thank you for sharing this with everyone. Its participation like this that makes the internet a better place. 🍻

[-] SerotoninSwells@lemmy.world 15 points 5 months ago

That's very kind of you. Thank you for the kind words. 🍻

[-] Tiger@sh.itjust.works 13 points 5 months ago

Thank you for that info, very helpful.

[-] SerotoninSwells@lemmy.world 6 points 5 months ago

Thank you for reading and considering the information.

[-] Knossos@lemmy.world 8 points 5 months ago

Also Cloudflare adds a caching layer, often physically closer to users. Increasing speed of delivery and reducing server costs. It's a no-brainer for server admins.

Also, I don't work for Cloudflare either. The animosity is new to me, and certainly something I'll look into.

[-] MonkderVierte@lemmy.ml 7 points 5 months ago

But captchas have now proven useless, since bots are better at solving them now than humans?

[-] SerotoninSwells@lemmy.world 7 points 5 months ago

Welcome to bot detection. It's a cat and mouse game, an ever changing battle where each side makes moves and counter moves. You can see this with the creation of captcha-less challenges.

But to say captcha are useless because bots can pass them is somewhat similar to saying your antivirus is useless because certain malware and ransomware can bypass it.

load more comments (6 replies)
[-] mac@lemm.ee 6 points 5 months ago

Thanks for sharing!

[-] SerotoninSwells@lemmy.world 3 points 5 months ago

Thanks for reading and commenting!

[-] mac@lemm.ee 4 points 5 months ago* (last edited 5 months ago)

During my first (shitty) job as a dev outta school, they had me writing scrapers. I was actually able to subvert it pretty easily using this package that doesn't appear to be maintained anymore https://github.com/VeNoMouS/cloudscraper

Was pretty surprised to learn that, at the time, they were only checking if JS was enabled, especially since CF is the gold standard for this sort of stuff. I'm sure this has changed?

load more comments (3 replies)
[-] iopq@lemmy.world 3 points 5 months ago

Ever heard of counting attempts? Log the IP, present a CAPTCHA after 100 requests in a minute.

Besides, if I wrote a bot I would run a browser dialer from Chrome. It would request your site in a Chrome tab and appear completely legitimate to your stupid fingerprinting scripts

[-] Saik0Shinigami@lemmy.saik0.com 14 points 5 months ago

Ever heard of counting attempts? Log the IP, present a CAPTCHA after 100 requests in a minute.

Ever heard of IP rotation? This is one malicious source rotating through IPs over the course of 24 hours. They're attempting to credential stuff my logins ( on a production service ).

[-] SerotoninSwells@lemmy.world 7 points 5 months ago

Yes, the industry is well aware of this. We do behavioral detection on both sessions and IPs. This is fairly basic.

load more comments (1 replies)
load more comments (4 replies)
[-] singletona@lemmy.world 29 points 5 months ago

https://tildeverse.org/

Tilde.teams and tilde.club even have outwardly facing email accounts.

We have a newsgroup server.

We have a dedicated irc server.

Member gopher/https/gemini pages.

And other services.

And each tilde has it's own focus.

Be kind. Contribute as you can to discussions.

What is gemini

https://tilvids.com/videos/watch/e1d6ed23-315a-4fc6-8d5b-6d96d51e4819

Rocking the web bloat.

https://media.ccc.de/v/mch2022-83-rocking-the-web-bloat-modern-gopher-gemini-and-the-small-internet

Be Free.

[-] hansolo@lemm.ee 24 points 5 months ago* (last edited 5 months ago)

LibreWolf is next, and it's not exactly niche. I'm seeing it more and more, and LW defaults, even dropping resist settings, gets bounced by CloudFlare every time.

[-] Botzo@lemmy.world 7 points 5 months ago

Fire dragon here and yeah, sometimes Google won't even let me log in either.

load more comments (3 replies)
[-] 2xsaiko@discuss.tchncs.de 96 points 5 months ago

These bastards haven’t MITMed half the internet for nothing. This isn’t the first time they abuse that either.

I hate that I once fell for it too when I just started out hosting stuff and put it behind their proxy.

[-] Spaniard@lemmy.world 24 points 5 months ago

What do you use now instead of cloudflare?

[-] Potatisen@lemmy.world 14 points 5 months ago

What is MITMed?

[-] pogodem0n@lemmy.world 49 points 5 months ago

"Man in the middle". They are used by a lot of web services as a proxy, usually to prevent DDOS attacks.

[-] mox@lemmy.sdf.org 23 points 5 months ago

And when Cloudflare is the proxy for a web site, it's Cloudflare that provides the HTTPS connection, meaning that you don't actually have an encrypted channel directly to the site. Cloudflare is the man-in-the-middle eavesdropping on all of your communications with that site. Your bank transactions, your medical records, your personal messages, etc.

load more comments (3 replies)
[-] orbituary@lemmy.dbzer0.com 57 points 5 months ago

On librewolf, i get blocked. its a firefox fork and still it happens. had to set up a Firefox User Agent plugin.

[-] bigredcar@lemmy.world 55 points 5 months ago

It is obvious that Cloudflare is being influenced to enforce browser monopolies. Imagine if Cloudflare existed in 2003 and stopped non Internet Explorer browsers. If you use cloudflare to "protect" your site you are discriminating against browser choice and are as bad as Microsoft in 1998.

load more comments (1 replies)
[-] Dsklnsadog@lemmy.dbzer0.com 49 points 5 months ago

I would be very interested to know how they plan to resolve these issues with "Ladybird." Using a new engine will likely clash with the FALSE "security measures" of many websites and harm the browsing experience. It’s often said that users should demand respect for web standards, but in the meantime, as usability declines, users will gradually drift away. Firefox learned this lesson the hard way.

[-] AdrianTheFrog@lemmy.world 8 points 5 months ago

Servo is another wip web browser, managed by the Linux foundation's European branch. It's a little less far along but is making relatively quick progress now. Apparently discord already mostly works, with sending messages currently being a problem.

[-] JcbAzPx@lemmy.world 29 points 5 months ago

Need to start spoofing user agent strings again.

[-] Hupf@feddit.org 6 points 5 months ago

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 3.0)

[-] MonkderVierte@lemmy.ml 22 points 5 months ago* (last edited 5 months ago)

So make useragent sniffing useless by all being Chrome?

Funnily enough, some webpages work better if you block webgl and set the user agent to Lynx or Dillo.

[-] wordcraeft@lemm.ee 12 points 5 months ago

I was planning on moving away from Cloudflare to European providers anyway, so this just adds fuel to the fire.

I'm considering using BunnyDNS for DNS management, not using a CDN at all, and using Scaleway for serverless functions.

load more comments (2 replies)
[-] Jerry@feddit.online 12 points 5 months ago

I just duplicated this. I downloaded Pale Moon and went to https://hear-me.social/ and clicked on "Register". It puts up a Cloudflare "managed challenge" which loops endlessly when using Pale Moon, but not the other browsers I've tried it with, including Zen, another Firefox fork.

It's a problem, for sure.

[-] randamumaki 12 points 5 months ago

As a staunch Pale Moon user, Cloudflare is just being a bully and I circumvent their nonsense when I need to desperately use a particular site or just don't go to that site anymore if I can do without.

[-] SerotoninSwells@lemmy.world 5 points 5 months ago

Greed. I honestly don't know if they're even aware of the problem. Most corporations have cut teams to the bone and I can't see Cloudflare being an exception. The janitor is probably writing detection rules now.

[-] Lila_Uraraka 10 points 5 months ago

Pale Moon still exists? Huh

[-] ILikeBoobies@lemmy.ca 9 points 5 months ago

Should change my user agent to sod off

[-] zorro@lemmy.world 4 points 5 months ago* (last edited 5 months ago)

I feel like I remember reading that the pale moon JavaScript engine was broken and causing the capcha to break repeatedly?

Let me see if I can find sources

EDIT: Looks like I was remembering a previous issue where the captchas were causing the entire pale moon browser to crash. I believe this has been fixed, but the new issue is a much less exciting block.

[-] collapse_already@lemmy.ml 3 points 5 months ago

I wonder what happens if you use Pale Moon but set the user agent to Firefox.

[-] dantheclamman@lemmy.world 3 points 5 months ago

Another comment suggested that helped with LibreWolf, but that is a closer fork than Pale Moon, so not sure

load more comments
view more: next ›
this post was submitted on 04 Mar 2025
606 points (100.0% liked)

Technology

73567 readers
3183 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws