(I’m responsible for Cloudflare’s L7 security products)
While we can’t comment on the specifics of any customer configuration, we do not block or challenge Firefox by default—either with our Bot Management products or with any other L7 security controls.
You can confirm this by signing up a free zone and making a request from Firefox.
You're saying there's not a simplistic "block Firefox rule" right? But, the user agent is surely one of the weighted features going into your ML stew. So it's plausible the poster is seeing that Firefox sends some calculation over the edge and causes blocking for them.
That is, you're not saying "Firefox doesn't change the scoring at all", right?
To add, without knowing the homepage firewall rule g2 has set up, we won't know exactly what sort of rules are triggering this, although the most likely signals they're using are either bot scores[0] or threat scores[0].
This is almost certainly a firewall rule put in place by the operators of that site. My own sites which are protected with Cloudflare do not exhibit this behavior when using Firefox.
Privacy preserving extensions like uBlock Origin, Canvas Blocker, Decentraleyes etc. used in Firefox also trigger the CloudFlare wall of harassment. Some of the actions of these extensions prevent browser fingerprinting and CloudFlare gets easily confused when this happens and unnecessarily triggers a lot of challenges for a user. You can easily get sucked into the blackhole of captchas - sometimes even solving 5+ captchas isn't enough to convince them that you are a real human.
I used to work there, and there wasn't a global "do this for this browser" (except for a little bit to reduce annoyance specifically for the Tor browser).
It is almost 99% certain to be a site operator firewall rule based on the browser user agent. This may even be accidental, they may have been hit by an aggressive bot using a UA string that matches Firefox and the site operator may not even realise they've done this (if they use Chrome, which is likely).
Is there a meme like name along the lines of "self-own" when you go online and have a tantrum about someone doing something to you only to find out it's your own doing that caused the issue?
I think it's two-fold: rise of tools like curl-impersonate (https://github.com/lwthiker/curl-impersonate) and the very consistent Firefox TLS fingerprint across platforms. Unlike Chromium (where you could differentiate a Linux, Mac or Windows computer from its ciphers, and so for example challenge only Linux clients), Firefox has NSS and NSS is used everywhere the Gecko engine is used while Chromium, although has BoringSSL for modern ciphers, also uses the underlying TLS stack of the operating system (whether it's Microsoft's SChannel, Apple's SecureTransport or Linux's... NSS). The only time Chromium uses a pure BoringSSL implementation is on Android (Conscrypt).
I mean, with that market share, popularity among open source fans... it's an easy group to target and filter oddballs.
I'm a Firefox user and I'm used to this treatment at every step of the way, no matter if it's about software, airports, opening a bank account so I can receive a salary, etc. Fundamental things everyone wants to do are being made hard to do the right way. It's always anti privacy, anti self repair, anti longevity/sustainability, anti user freedoms, anti whatever we ideally want in this world. Of course using Firefox is now suspicious.
Really? I'm a firefox user too and whilst I occasionally bump into some situation as you describe where I need to hop onto Chrome, I genuinely can't remember the last time this happened. Nope, actually - sometime last year, with some poorly-coded gig ticket purchase thing, if I remember right. I was able to check the code and amend some stupid niggle in WebDev tools to get around it.
Not saying I should have to accept that, but that's what it was.
My personal experience is that I do fallback some sites to testing in Chrome quite often, maybe once a week. But the number of times where using Chrome actually fixed the issue is maybe once a year? Really, it's just that I stumble on quite a number of broken websites.
A workaround is to install the Privacy Pass extension to bypass the captchas [1] [2]
It's an open source extension available for Chrome and Firefox. It allows you to privately identify you're human, and is in the process of going through IETF standardisation, so hopefully someday you won't need to install an extension for it. After you complete a captcha once, you won't need to do it again for a long time.
I'm not happy about installing extensions just to view some websites, but it'll make things less painful
Deanonymizing yourself just to appease cloudflare is not a valid solution. Any website should work in any browser out of the box. If they don't, the website is broken.
Firefox user - have seen this many times. Always assumed it's either NoScript or Firefox's built-in tracking protection meaning there's some pre-existing cookie not set that Cloudflare places from other site visits, or because some script is getting blocked somewhere else.
Seeing the cloudflare challenge as a user can happen in any browser depending on the site and its configuration. A site can choose a security level that requires all visitors to receive a JS/captcha challenge, and sites can make custom firewall rules to require JS/captcha challenges on any of hundreds of different attributes of a particular request using CF's web application firewall tools. One of those attributes is user agent, for instance.
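One way a site operator could check their own firewall events for the accidental user-agent rule described in the comments above. This is an added example, not part of the thread; the event field names, rule ids and sample records are constructed and are not Cloudflare's export format.

```python
from collections import Counter, defaultdict

# Constructed sample events; field names are hypothetical, not a Cloudflare schema.
FF = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
CH = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SF = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
      "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")
EVENTS = (
    [{"ua": FF, "action": "challenge", "rule": "custom-7"}] * 9
    + [{"ua": FF, "action": "allow", "rule": None}] * 1
    + [{"ua": CH, "action": "allow", "rule": None}] * 38
    + [{"ua": CH, "action": "challenge", "rule": "ratelimit-2"}] * 2
    + [{"ua": SF, "action": "allow", "rule": None}] * 9
    + [{"ua": SF, "action": "challenge", "rule": "ratelimit-2"}] * 1
)

def browser_family(ua):
    """Coarse family from UA tokens; order matters because Chrome UAs also say Safari."""
    for token, family in (("Firefox/", "firefox"), ("Edg/", "edge"),
                          ("Chrome/", "chrome"), ("Safari/", "safari")):
        if token in ua:
            return family
    return "other"

def challenge_rates(events):
    """Return {family: fraction of its requests that were challenged or blocked}."""
    total, hit = Counter(), Counter()
    for e in events:
        fam = browser_family(e["ua"])
        total[fam] += 1
        hit[fam] += e["action"] != "allow"
    return {fam: hit[fam] / total[fam] for fam in total}

def skewed_rules(events, share=0.9, min_hits=5):
    """Rules whose hits come almost entirely from one browser family."""
    per_rule = defaultdict(Counter)
    for e in events:
        if e["action"] != "allow":
            per_rule[e["rule"]][browser_family(e["ua"])] += 1
    flagged = {}
    for rule, fams in per_rule.items():
        fam, n = fams.most_common(1)[0]
        if sum(fams.values()) >= min_hits and n / sum(fams.values()) >= share:
            flagged[rule] = fam
    return flagged

if __name__ == "__main__":
    print(challenge_rates(EVENTS))
    print(skewed_rules(EVENTS))
```

A rule flagged here is a candidate for review, not proof of a mistake: the operator still has to read the rule expression to see whether it keys on the user agent.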
I use Firefox Focus on my phone (opens links from apps in a private session - generally a great idea!) and always get this 5 second delay (which is often actually 10 or more seconds). I never considered that it's a Firefox-only thing!
This setup program is signed with an EV certificate from DigiCert and hosted on an https site. No other hoops left to jump through except this awesome Catch-22 implementation, which leaves no actionable solution.
I've been de-googling all of my services and software over the last couple years including a switch to firefox.
I have noticed cloudflare challenging me more and more often. I assumed it was related to privacy extensions like noscript, ublock, and privacy badger.
I also got perma blocked by cloudflare (no option to override to get access, not even their captcha), because I dared to disable web timing APIs in Firefox at some point in the distant past. (I felt those have no legitimate uses, and I still do)
I'd be curious to see if this is the case for other sites that use Cloudflare bot protection as well. There are a bunch of ways to tune the service so maybe they are just extra cautious?
> Open-source browsers are an important part of the web and should not be treated differently than their closed-source counterparts.
One way to interpret that is they should all have the same suspicion rules for lack of popularity applied to them. One way Cloudflare's rules could be causing this is if there's some threshold for fingerprints-per-second under which any UA is considered sus, and Firefox's market share is so low that it tends to fall under that threshold.
In which case, what lwthiker is asking for is special treatment for the browser because they believe the Mozilla project's browser has special value to the web ecosystem. Which they are allowed to believe, but let's be clear about when we're seeking special treatment vs. being treated like any other user agent.
[+] [-] prdonahue|3 years ago|reply
[+] [-] tyingq|3 years ago|reply
[+] [-] judge2020|3 years ago|reply
0: https://developers.cloudflare.com/bots/concepts/bot-score/
1: https://support.cloudflare.com/hc/en-us/articles/200170056-U...
[+] [-] tomjen3|3 years ago|reply
[+] [-] rezonant|3 years ago|reply
[+] [-] webmobdev|3 years ago|reply
[+] [-] buro9|3 years ago|reply
[+] [-] lwthiker|3 years ago|reply
[1] https://developers.cloudflare.com/bots/get-started/
[+] [-] dylan604|3 years ago|reply
[+] [-] zinekeller|3 years ago|reply
[+] [-] Aachen|3 years ago|reply
[+] [-] detritus|3 years ago|reply
Certainly not 'regularly'.
[+] [-] GekkePrutser|3 years ago|reply
Except for some boneheaded sites that refuse FF entirely ( https://business.apple.com is such an offender) I don't have issues with sites not working.
Edit: it looks like even Apple has got their act together now, it seems to support Firefox now too. Finally
[+] [-] throwlllllllll|3 years ago|reply
[+] [-] phh|3 years ago|reply
[+] [-] kordlessagain|3 years ago|reply
[+] [-] lfkdev|3 years ago|reply
[+] [-] shaicoleman|3 years ago|reply
1. https://privacypass.github.io/
2. https://support.cloudflare.com/hc/en-us/articles/11500199265...
[+] [-] dingleberry420|3 years ago|reply
[+] [-] trog|3 years ago|reply
[+] [-] rezonant|3 years ago|reply
[+] [-] eastdakota|3 years ago|reply
[+] [-] my69thaccount|3 years ago|reply
[+] [-] gzer0|3 years ago|reply
Edit 2: as another user has pointed out, this is most likely a firewall rule put in place by the website operator themselves.
[+] [-] jefftk|3 years ago|reply
Receiving a "you look like a bot" message when using Chrome configured to pretend to be Firefox isn't very surprising.
[+] [-] tomerv|3 years ago|reply
[+] [-] cpeterso|3 years ago|reply
[+] [-] itvision|3 years ago|reply
The perks of living in an authoritarian state which tries to limit your access to the Internet.
[+] [-] StanislavPetrov|3 years ago|reply
Unfortunately these days this could be virtually anywhere.
[+] [-] dchest|3 years ago|reply
[+] [-] dan1234|3 years ago|reply
[+] [-] CamperBob2|3 years ago|reply
https://i.imgur.com/ZzExHt2.png
[+] [-] LegitShady|3 years ago|reply
[+] [-] megous|3 years ago|reply
dom.enable_event_timing / dom.enable_performance_navigation_timing
I only figured what was wrong after a month of no access to gitlab and other websites.
[+] [-] Operyl|3 years ago|reply
[+] [-] gfs|3 years ago|reply
[+] [-] dowath|3 years ago|reply
[+] [-] jtbayly|3 years ago|reply
[+] [-] shadowgovt|3 years ago|reply
[+] [-] NelsonMinar|3 years ago|reply
https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare...
https://www.mozilla.org/en-US/privacy/firefox-private-networ...
[+] [-] ddispaltro|3 years ago|reply