So many privacy nuts use Chrome and don't realize this:
> What about Google Chrome?
> I tried all of the above in Firefox. So I naturally tried to access the same page in Google Chrome to see if I’d still be blocked. Thankfully, I wasn’t.
> But of course I wasn’t because Chrome doesn’t have the same privacy- and security-enhancing designs that Firefox does. Chrome will happily collect as much private information about me and my browsing history and share them with select parties, as needed. It also doesn’t resist fingerprinting or let me modify settings to the same degree that Firefox does because Chrome relies on those fingerprinting technologies to ensure that I am targeted by ads it deems necessary for me to see.
> Being blocked on Firefox and not blocked on Chrome also tells me that Cloudflare is blocking me based on the fingerprint (or lack thereof) of my browser. Everything about my connection is identical between the two requests, aside from the browser being used. It’s the same security certificates, same corporate VPN, same machine, even the same timeframe when I try to access the site.
If you care about anything these days, don't use Chrome.
I’m no Google fanboy but I wasn’t satisfied with this:
> Chrome will happily collect as much private information about me and my browsing history and share them with select parties, as needed
What information does Chrome provide in this scenario that Firefox doesn’t? It feels like backward logic: it worked in Chrome therefore it must be because Chrome gave extra info. In reality it could be a whole bunch of things, something as mundane as Firefox being a rarer user agent so subject to more filtering.
It strikes me that all of this is an inexact science. I've run into rate limit messages with sites before now that go away when I switch browsers, no matter what the browser is. I assume it's because, with the limited information given, the DDOS protection software assumes that same IP + different UA = different computer.
I have no clue but I wasn’t persuaded that this specific scenario works with Chrome because it was giving away more information. At a bare minimum at least try a third browser!
The heuristics used to attempt to differentiate between a so-called "bot" and a "human" are, IMHO, inadequate as long as there are "humans" that are allegedly mistaken for "bots" and blocked. "Use Chrome" is not a solution. A person using Firefox or some other non-Google software is still a "human". But not according to these brilliant "site protection" schemes. What level of false positives is acceptable?
Using JS to "verify that this is not a bot" is a way to force users to enable JS and expose themselves to more advertising.
Easy to say don't use Chrome, harder to say don't use Cloudflare.
And if we're taking things to task for monopolizing a market and being a threat to the future of the open internet, I'd say Cloudflare is and will always be a bigger threat.
The moment the Cloudflare dictatorship becomes less benevolent, everyone is gonna feel it.
This loop happened all the time for me in Kiwi Browser on mobile. I have a couple of fingerprint-reducing extensions installed there. I also use other extensions like Dark Reader to make website backgrounds pitch black to reduce OLED display drain and improve readability in darker environments. It appears to be better lately, happening more often while I am travelling and changing IPs, less when I am at home. Still it wastes time when it does the loop, it forces me to use unmodified Chrome, wasting more battery power and harming eyes at dark with those white backgrounds. Unfortunately more and more websites are proxying through CF, thinking they are 'protecting' their website. But CF acts like the Chinese Great Firewall, deciding who can and cannot access the site.
I don't quite understand the "ads it deems necessary for me to see" comment.
You will always get ads on sites that serve ads. The thing the tracking might do, is change which particular ads you get.
The right solution to that, is to use an ad blocker, and to pay for sites that have an ad-free alternative.
Also, fingerprinting isn't always "bad" -- any business who takes credit cards online, wants to try to exclude people who will commit fraud (because they might have done it before.)
Preventing fingerprinting, means you prevent certain anti-fraud, which means that you see higher prices and more friction doing commerce online, which also affects your experience. The connection is just much less direct.
>If you care about anything these days, don't use Chrome.
I care about a lot of real world stuff - human rights, wars, the environment, friends etc. I don't care if Chrome knows who I am and tries to show me ads which uBlock then blocks. There are more important things to worry about than privacy geekery.
Hi there, I'm the PM for Cloudflare's challenge platform. I'd love to look into what the cause of the problem is, so you don't see these difficulties.
> Cloudflare detected the high frequency of requests and denials (but not their faulty loop that caused this pattern of requests, of course), and tagged my browser as suspicious.
I can tell you at least that we don't penalize users for this looping behavior, so this wouldn't cause us to see your browser as suspicious. I hope we can dig into this more and uncover the cause of the problem.
Personally, I'm a big Firefox user, and this isn't behavior I see. If there were a widespread Firefox wide issue, automated alerts would trigger and we'd consider this a critical incident.
You can drop me an email at amartinetti at cloudflare if you're interested in troubleshooting.
The cause of the problem is that your software is faulty by design.
1. IP addresses are to be used for packet routing. Certainly not for assigning "behavior scores" to users in the background. IP addresses say nothing about your visitors, my IP address could have been a complete stranger's IP address yesterday.
2. Deciding who can access half the web based on their TLS signature achieves nothing in the long run except reinforce browser monopolies, and goes completely against the spirit of the open web.
I guess now I have to use Chrome for browsing the web from home. Yes, I do run a crawler-like bot as a hobby project, I got what I was asking for. (Funnily enough, it still works if I just emulate Chrome's TLS signature). But I also have friends who have done absolutely nothing of sorts (no technical skills), and still got caught up in this latest ban wave.
Let's be honest here. Your service has likely caused millions of people harm who one day to the other are suddenly blocked from half the WWW - not just nerds, who can get around that one way or the other, real users who just got unlucky and now are potentially blocked from accessing websites required for their daily lives (welcome to the 21st century). This is not a one time problem, it has been going on for years; this time it just came too suddenly for too many people. And this kind of harm is a logical conclusion to the heuristics you use for determining who can view a website.
Never mind that it's ridiculous how a single company from outside my country has the power to decide on whether I can use the web or not. That's kind of on website owners unconditionally giving this power to CF anyway.
Now, allow me to return to purchasing proxies from shady sources for myself, so I can keep using Firefox. Thanks and keep up the good work.
Anecdotally... I use Firefox and have noticed the Cloudflare interception pages verifying I'm human appearing more often recently. Usually it is all automatic and isn't a big deal, but I have noticed an increase in how often I see these the past week.
Also anecdotally, I use Firefox and I haven't noticed an uptick in the amount of CAPTCHAs I need to solve. I don't even see the "connection secure" page.
Could it have something to do with that ticket extension I'm using (Privacy Pass, looks like it's called)? I don't know if it does anything.
Adam, the problem I'm running into is due to the IP proxy I normally use having been changed from ARIN to RIPE due to an ownership change at the hosting datacenter, which is still in NYC. Thus, nevertheless, I show up as coming from the UK, it looks like, when I access Cloudflare-protected sites in the US, and I'm running into more and more of them. The local newspaper, grocery store, credit card co's, etc., It seems that Cloudflare IPv6 geolocation is broken, and interferes even if you're coming from an IPv4. This is just asking for trouble if you ask me.
Troubleshooting done. If it's any consolation, I don't think Cloudflare is the only offender. Geolocation is a crappy idea to begin with, if you ask me.
I don't know which type of Firefox you use, but any reasonably tuned browser (in the privacy sense) fails your systems. I literally didn't have a single instance of passing them without handing over a pixel perfect fingerprint.
I can’t get through any cloudflare challenges on a standard iPhone when I use iCloud Relay. Your product is as anti-user as it gets. It’s obvious you avoid user testing and instead look the other way because claiming to have solved the bot problem is just too profitable.
Anecdotally I notice this same issue. In your Firefox install do you have `resistFingerprinting` turned on, and do you have Firefox's anti-tracking protections turned on? It's possible if you're using a default install and if you're not using VPNs that you might never see a difference between behaviors. But that's only a guess.
My experience is that Firefox as a policy is not blocked, but if anything about my setup looks sketchy (I'm on a VPN, I have Javascript disabled, I'm blocking cookies, etc...) being on Firefox seems to make Cloudflare a lot less "tolerant" for lack of a better word.
I don't think Cloudflare has a policy against Firefox, but I do vaguely suspect that certain behaviors that wouldn't trigger blocks for Chrome do trigger blocks for Firefox (particularly if it's hardened). I don't have any hard data to back that up, maybe it's my imagination -- but it is what I personally notice.
I think your automated alerts are probably too low sensitivity (understandably, because it's probably an impossible scale to handle if they're able to catch false positives). FWIW I've seen similar for a short period of time, and know people who've had it more persistently.
But my biggest practical complaint at the moment with cloudflare is that it intermittently inserts captchas in the json responses sent from Roundcube webmail - pretty amazing.
(The webmail server in question is hosted on a uni network that paid for cloudflare between themselves and the internet, so being indirect cloudflare "customers" there's no support channel. Hooray for scale)
I've seen this behavior on sites with CSPs that'd break the challenge. They somehow get loaded from cache and cause failed requests.
This somehow even persisted into the browser's incognito mode, and I had to use an entirely different browser. This wasn't on a small unknown site either.
(It looks like pinned CSPs are a dead standard, but did anyone implement it?)
I've had the exact same problem for a while. Here are some of the sites I've been unable to access (found by searching for "just a moment" in my browser history):
It's really annoying and Cloudflare is apparently doing nothing to fix it as this has been going on for months if not years. I guess Cloudflare just hates the open web and really wants to enforce Chrome/Chromium/Blink hegemony.
Would you be willing to share a rayID you see during one of these looping challenges? I'm the PM for Cloudflare's challenge platform, and we'd love to look into this. RayIDs contain no PII so you can share publicly, or feel free to drop me an email at amartinetti at cloudflare.
We'll also release a reporting mechanism soon, so in the future you can let us know when you see these issues and we can react to them quickly.
It happens to me all the time. And it has been going on for years, but it's getting noticeably worse over time. One way or another you have to pay to use the web, be it costing you loss of access because of your strict privacy settings or paying by giving away your privacy. There's no win here.
Yeah, gitlab also blocks me from logging in (via its cloudflare use). It did so even when we paid for it. We no longer do. (for other reasons, but anyway, good riddance)
Users want Chrome hegemony and don't care about the open web or Firefox. It's the number #1 browser on desktop even though it doesn't come with the OS. Windows comes with Edge and Macs come with Safari. Users have to download Chrome.
Any time a large portion of internet traffic is controlled by a single source it brings problems like this with it. All cloudflare has to do is arbitrarily decide who can and who can't use the internet and effectively their word becomes law. Like most things it starts with an innocent premise (e.g. "an easy way to stop bad actors") and ends up extended to any number of arbitrary things. Worse, the argument from privacy advocates rings hollow because defending privacy means you have to allow Bad People (TM). The average drooler using the internet cannot understand the nuance. Even in the most innocent of cases, a bad commit getting merged, can bring down the internet. It has happened before with Cloudflare.
Companies like Cloudflare, Google, Meta, etc are the reason anti-trust law exists. Unfortunately, it appears there is no one with any power that is willing to use the laws for their purpose. The internet in 20 years will be nothing like we've seen before. That's not a good thing.
If you've ever tried to take apart Cloudflare's various session cookies, MITMed scripts sent for "high integrity" pages (or when in "super bot-fight" mode), etc., you'll have observed that it's basically running a web-worker to heuristically do browser-integrity checking. That is, Cloudflare is trying to run a series of tests that real browsers operated by users pass, but which headless browsers operated by bots will fail.
These range from pretty simple things that check that the browser is actually a browser rather than a raw HTML parser (e.g. "draw an image on a <canvas>, export it to PNG, hash the PNG, compare to an expected result"); to things that check for low-effort headless-browsing techniques like the one you get by default using Puppeteer in a Lambda/Cloud Function (e.g. "do we have the weirder fonts you'd expect to exist on a consumer OS, but which these default batteries-included container images don't bother to bake in"); to things that work really hard to detect the "scent of humanity" through the browser (e.g. "before the user activated the integrity-check prompt, did we record a sequence of 'extraneous' mouse movements and key events that look like a human making individualized mistakes on their way to completing the form, and don't look like a recorded capture of such similar to other ones we've seen recently.")
If you're getting caught in a verification loop, it's because you're using a browser or device or extension that obscures/disables enough of these heuristics that Cloudflare can't get proof positive that you're a person rather than a bot — and so, under whatever settings the site-owner has it set at, it will just keep trying to get that proof, rather than telling you you've failed and been blocked. (Why? Because telling a bot they've failed tells them that they should stop trying something that's not working and instead — in the words of Star Trek technobabble — "rotate their shield frequency" before trying again.)
One thing that sometimes gets lost is site owners that use cloudflare have sort of global options for how paranoid they want to be, then they can make specific WAF rules that can be as granular and aggressive as they want. So at least in some cases, cloudflare gets blamed for website owners setting really aggressive rules. The effect on the end user usually looks exactly the same.
Case in point, I set a WAF rule that blocked all non verified bot traffic from several big datacenters (Google cloud, OVH, digital ocean, etc). That turned out to be a mistake because a lot of corporations were routing their traffic through those ASNs for some reason. Now they’re blocked. They could have gotten pissed at Cloudflare, the error page looks the same, but it was really misconfiguring it.
Anecdote: For my programming classes, one example I use is a simple browser. It doesn't do CSS or JavaScript, so display is primitive, but it works.
On some sites. Many sites, especially the big ones, see that it's an unknown browser, and refuse to send content. Probably they think it's a bot. But even if it were, what's wrong with bots, as long as they're well-behaved?
What kind of closed web have we let the megacorps build?
It's also annoying how that check page ends up breaking page reload in Firefox. When Cloudflare redirects you back to the page it will happen via POST. This initial POST gets captured by Cloudflare, but if you reload the page that POST will go to the page itself and there's a pretty good chance it doesn't know what to do with that and just shows an error.
The only fix is to navigate back to the page somehow, either by going to the address bar and pressing enter (to navigate there again instead of reloading) or finding some link that points you back to the page.
I wouldn't be surprised if those POSTs will end up banning you from some website since they "know" you shouldn't be POSTing to that page so clearly you are an evil bot trying to hack them.
The amount of times Cloudflare is making me sit through their 15 to 30 second "checking your connection" page is insane.
For people going through life with ADHD such as myself, the impact of all these delays and disruptions throughout the day can be severe. Despite being properly medicated this measure is absolutely debilitating and makes for a dreadful and very taxing online experience.
Just yesterday I realized that I couldn't log into Paypal on Safari or Firefox, only a Chromium-based browser. We're getting deeper all the time into "this site is best viewed in Google Chrome".
> The next day, I tried accessing a web page internal to my company… […] I couldn’t get past a security check page because of issues in Cloudflare’s software. […] The silliness of it all is that I was on my work device the whole time, which was behind my workplace VPN.
This seems more like an "IT department gone mad" problem than a Cloudflare problem. I'm surprised they'd rather switch to Chrome than submit a support ticket.
Having used passkeys for a month+ now via macOS/iOS/1Password betas, I don't understand how they're related or the author's concerns. Couldn't you just replace "passkey" with "password" in all of their questions?
This has been my experience for a handful of years but of course it's getting worse. In the past I'd just be getting blocked from accessing commercial websites or applications and things I didn't really need. But in the last few years many scientific publishers have put all their content behind cloudflare walls. Pretty much my only hope of being able to read a paper these days is that it came out long enough ago to be on sci-hub or they published the pre-print on arxiv/bioarxiv/etc. Once arxiv goes behind a cloudflare I don't know what I'll do.
Suing Cloudflare for interference with contract[1] might be an option. Cloudflare is not protected against lawsuits by some EULA, because the outside user has no contract with them. They're a third party in the middle. Talk to a lawyer.
Most contract law lawsuits are settled out of court. The great advantage of suing someone is that you get past the low-level customer support people and talk to someone who's authorized to settle.
I've been getting stuck in the “browser integrity check” loop a lot on firefox lately. Not an issue in chrome, not using a vpn, etc. I assume it is some combination of extensions and/or settings in firefox.
Cloudflare is a huge part of the internet. Often they won't respond and it appears that for whatever reason, their IP range is blocked in Egypt.
We probably get 10 support emails per week. I contacted Cloudflare and they simply said there is nothing they can do.
I feel like this these days: the right to decide if I am free to choose to use or access a service or website is not based on whether I claim to be human (in captchas tests), but based on the data people collect about me - and decide on them - something that I don't know behind invisible doors.
I thought privacy was on the rise after the data leaks and irresponsibility of the big tech companies, and the public's involvement in the issue of individual privacy, but it seems like everything is still a step backwards.
I cannot access flyertalk.com, which hosts lot of useful airline content from any IP from my country.
I tried reaching out via email as mentioned in the error page and admin does even have a valid email posted anywhere.
I know cloudflare is not to blame here, but they provide way easy access to blocking to bad admins.
[+] [-] dcow|2 years ago|reply
> What about Google Chrome?
> I tried all of the above in Firefox. So I naturally tried to access the same page in Google Chrome to see if I’d still be blocked. Thankfully, I wasn’t.
> But of course I wasn’t because Chrome doesn’t have the same privacy- and security-enhancing designs that Firefox does. Chrome will happily collect as much private information about me and my browsing history and share them with select parties, as needed. It also doesn’t resist fingerprinting or let me modify settings to the same degree that Firefox does because Chrome relies on those fingerprinting technologies to ensure that I am targeted by ads it deems necessary for me to see.
> Being blocked on Firefox and not blocked on Chrome also tells me that Cloudflare is blocking me based on the fingerprint (or lack thereof) of my browser. Everything about my connection is identical between the two requests, aside from the browser being used. It’s the same security certificates, same corporate VPN, same machine, even the same timeframe when I try to access the site.
If you care about anything these days, don't use Chrome.
[+] [-] afavour|2 years ago|reply
> Chrome will happily collect as much private information about me and my browsing history and share them with select parties, as needed
What information does Chrome provide in this scenario that Firefox doesn’t? It feels like backward logic: it worked in Chrome therefore it must be because Chrome gave extra info. In reality it could be a whole bunch of things, something as mundane as Firefox being a rarer user agent so subject to more filtering.
It strikes me that all of this is an inexact science. I've run into rate limit messages with sites before now that go away when I switch browsers, no matter what the browser is. I assume it's because, with the limited information given, the DDOS protection software assumes that same IP + different UA = different computer.
I have no clue but I wasn’t persuaded that this specific scenario works with Chrome because it was giving away more information. At a bare minimum at least try a third browser!
[+] [-] 1vuio0pswjnm7|2 years ago|reply
Using JS to "verify that this is not a bot" is a way to force users to enable JS and expose themselves to more advertising.
[+] [-] Andrex|2 years ago|reply
And if we're taking things to task for monopolizing a market and being a threat to the future of the open internet, I'd say Cloudflare is and will always be a bigger threat.
The moment the Cloudflare dictatorship becomes less benevolent, everyone is gonna feel it.
[+] [-] dmix|2 years ago|reply
Or Cloudflare.
[+] [-] executesorder66|2 years ago|reply
Really? That's news to me.
[+] [-] neop1x|2 years ago|reply
[+] [-] jwatte|2 years ago|reply
Also, fingerprinting isn't always "bad" -- any business who takes credit cards online, wants to try to exclude people who will commit fraud (because they might have done it before.) Preventing fingerprinting, means you prevent certain anti-fraud, which means that you see higher prices and more friction doing commerce online, which also affects your experience. The connection is just much less direct.
[+] [-] tim333|2 years ago|reply
I care about a lot of real world stuff - human rights, wars, the environment, friends etc. I don't care if Chrome knows who I am and tries to show me ads which uBlock then blocks. There are more important things to worry about than privacy geekery.
[+] [-] shadowgovt|2 years ago|reply
Since Chrome is so common that it's basically guaranteed to have been tested against the site I'm trying to access, I use Chrome.
[+] [-] adammartinetti|2 years ago|reply
> Cloudflare detected the high frequency of requests and denials (but not their faulty loop that caused this pattern of requests, of course), and tagged my browser as suspicious.
I can tell you at least that we don't penalize users for this looping behavior, so this wouldn't cause us to see your browser as suspicious. I hope we can dig into this more and uncover the cause of the problem.
Personally, I'm a big Firefox user, and this isn't behavior I see. If there were a widespread Firefox wide issue, automated alerts would trigger and we'd consider this a critical incident.
You can drop me an email at amartinetti at cloudflare if you're interested in troubleshooting.
[+] [-] shiomiru|2 years ago|reply
1. IP addresses are to be used for packet routing. Certainly not for assigning "behavior scores" to users in the background. IP addresses say nothing about your visitors, my IP address could have been a complete stranger's IP address yesterday.
2. Deciding who can access half the web based on their TLS signature achieves nothing in the long run except reinforce browser monopolies, and goes completely against the spirit of the open web.
I guess now I have to use Chrome for browsing the web from home. Yes, I do run a crawler-like bot as a hobby project, I got what I was asking for. (Funnily enough, it still works if I just emulate Chrome's TLS signature). But I also have friends who have done absolutely nothing of sorts (no technical skills), and still got caught up in this latest ban wave.
Let's be honest here. Your service has likely caused millions of people harm who one day to the other are suddenly blocked from half the WWW - not just nerds, who can get around that one way or the other, real users who just got unlucky and now are potentially blocked from accessing websites required for their daily lives (welcome to the 21st century). This is not a one time problem, it has been going on for years; this time it just came too suddenly for too many people. And this kind of harm is a logical conclusion to the heuristics you use for determining who can view a website.
Never mind that it's ridiculous how a single company from outside my country has the power to decide on whether I can use the web or not. That's kind of on website owners unconditionally giving this power to CF anyway.
Now, allow me to return to purchasing proxies from shady sources for myself, so I can keep using Firefox. Thanks and keep up the good work.
[+] [-] bradly|2 years ago|reply
[+] [-] stavros|2 years ago|reply
Could it have something to do with that ticket extension I'm using (Privacy Pass, looks like it's called)? I don't know if it does anything.
[+] [-] jbdigriz990|2 years ago|reply
Troubleshooting done. If it's any consolation, I don't think Cloudflare is the only offender. Geolocation is a crappy idea to begin with, if you ask me.
[+] [-] jacoblambda|2 years ago|reply
It could be caused by someone else's bad behavior on the VPN but I'd hazard a guess that it's more than that.
[+] [-] goodpoint|2 years ago|reply
No, you don't. Tor Browser is constantly blocked by Cloudflare and the captchas cannot be solved. And you know it.
[+] [-] waithuh|2 years ago|reply
[+] [-] callalex|2 years ago|reply
[+] [-] greggyb|2 years ago|reply
[+] [-] danShumway|2 years ago|reply
My experience is that Firefox as a policy is not blocked, but if anything about my setup looks sketchy (I'm on a VPN, I have Javascript disabled, I'm blocking cookies, etc...) being on Firefox seems to make Cloudflare a lot less "tolerant" for lack of a better word.
I don't think Cloudflare has a policy against Firefox, but I do vaguely suspect that certain behaviors that wouldn't trigger blocks for Chrome do trigger blocks for Firefox (particularly if it's hardened). I don't have any hard data to back that up, maybe it's my imagination -- but it is what I personally notice.
[+] [-] mkj|2 years ago|reply
But my biggest practical complaint at the moment with cloudflare is that it intermittently inserts captchas in the json responses sent from Roundcube webmail - pretty amazing.
(The webmail server in question is hosted on a uni network that paid for cloudflare between themselves and the internet, so being indirect cloudflare "customers" there's no support channel. Hooray for scale)
[+] [-] asmor|2 years ago|reply
This somehow even persisted into the browser's incognito mode, and I had to use an entirely different browser. This wasn't on a small unknown site either.
(It looks like pinned CSPs are a dead standard, but did anyone implement it?)
[+] [-] nprateem|2 years ago|reply
[+] [-] baq|2 years ago|reply
[+] [-] mikeravkine|2 years ago|reply
What causes such loops? Just a challenge over and over.
[+] [-] AegirLeet|2 years ago|reply
- https://gitlab.com/users/sign_in
- https://steamdb.info/login/
- https://www.zabbix.com/forum/
- https://casetext.com/
- https://namemc.com/login
- https://spinroot.com/
- https://camelcamelcamel.com/
It's really annoying and Cloudflare is apparently doing nothing to fix it as this has been going on for months if not years. I guess Cloudflare just hates the open web and really wants to enforce Chrome/Chromium/Blink hegemony.
[+] [-] adammartinetti|2 years ago|reply
We'll also release a reporting mechanism soon, so in the future you can let us know when you see these issues and we can react to them quickly.
[+] [-] clsec|2 years ago|reply
[+] [-] zer8k|2 years ago|reply
[+] [-] megous|2 years ago|reply
[+] [-] adrr|2 years ago|reply
[+] [-] zer8k|2 years ago|reply
Companies like Cloudflare, Google, Meta, etc are the reason anti-trust law exists. Unfortunately, it appears there is no one with any power that is willing to use the laws for their purpose. The internet in 20 years will be nothing like we've seen before. That's not a good thing.
[+] [-] derefr|2 years ago|reply
These range from pretty simple things that check that the browser is actually a browser rather than a raw HTML parser (e.g. "draw an image on a <canvas>, export it to PNG, hash the PNG, compare to an expected result"); to things that check for low-effort headless-browsing techniques like the one you get by default using Puppeteer in a Lambda/Cloud Function (e.g. "do we have the weirder fonts you'd expect to exist on a consumer OS, but which these default batteries-included container images don't bother to bake in"); to things that work really hard to detect the "scent of humanity" through the browser (e.g. "before the user activated the integrity-check prompt, did we record a sequence of 'extraneous' mouse movements and key events that look like a human making individualized mistakes on their way to completing the form, and don't look like a recorded capture of such similar to other ones we've seen recently.")
If you're getting caught in a verification loop, it's because you're using a browser or device or extension that obscures/disables enough of these heuristics that Cloudflare can't get proof positive that you're a person rather than a bot — and so, under whatever settings the site-owner has it set at, it will just keep trying to get that proof, rather than telling you you've failed and been blocked. (Why? Because telling a bot they've failed tells them that they should stop trying something that's not working and instead — in the words of Star Trek technobabble — "rotate their shield frequency" before trying again.)
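The tiers and the loop described in the comment above, as an added example that is not part of the thread and is not Cloudflare's code: a toy scorer in which a withheld signal contributes no evidence, so a hardened browser never reaches the pass threshold and is simply challenged again. The signal names, weights, threshold and sample clients are assumptions constructed for illustration.

```javascript
// Toy model of tiered browser-integrity checks (illustrative assumptions only).
// Each signal is true (check passed), false (check failed) or null (the browser
// withheld or obscured the value, so the check produced no evidence either way).
const WEIGHTS = {
  canvasHashMatches: 2,    // "draw on a <canvas>, export to PNG, hash, compare"
  consumerFontsPresent: 2, // fonts a consumer OS ships but bare containers lack
  humanLikeInput: 3,       // extraneous mouse/key events before the prompt
};
const PASS_THRESHOLD = 5;  // assumed site-owner setting

// Score one challenge round. There is no explicit "blocked" outcome:
// anything short of positive proof is answered with another challenge.
function evaluate(signals) {
  let score = 0;
  const failed = [];
  const missing = [];
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    const value = signals[name];
    if (value === true) score += weight;
    else if (value === false) failed.push(name);
    else missing.push(name);
  }
  const decision = score >= PASS_THRESHOLD ? 'pass' : 'rechallenge';
  return { decision, score, failed, missing };
}

// Replay the same client through up to maxRounds challenges.
function runSession(signals, maxRounds) {
  const rounds = [];
  for (let i = 0; i < maxRounds; i++) {
    const result = evaluate(signals);
    rounds.push(result);
    if (result.decision === 'pass') break;
  }
  return rounds;
}

// Operator-side triage of a finished session. A session that keeps looping
// without ever recording a failed check is a candidate false positive worth
// reviewing; one that loops with failed checks is more consistent with automation.
function classifySession(rounds, minRounds = 3) {
  const last = rounds[rounds.length - 1];
  if (last.decision === 'pass') return 'passed';
  if (rounds.length < minRounds) return 'undetermined';
  const anyFailed = rounds.some((r) => r.failed.length > 0);
  return anyFailed ? 'looping-with-failures' : 'looping-signals-withheld';
}

// Constructed sample clients (not captured data).
const DEFAULT_BROWSER = {
  canvasHashMatches: true, consumerFontsPresent: true, humanLikeInput: true,
};
const HARDENED_BROWSER = {
  canvasHashMatches: null,    // canvas readback obscured by privacy settings
  consumerFontsPresent: null, // font list restricted
  humanLikeInput: true,
};
const BARE_HEADLESS = {
  canvasHashMatches: true, consumerFontsPresent: false, humanLikeInput: false,
};

for (const [label, client] of Object.entries({
  DEFAULT_BROWSER, HARDENED_BROWSER, BARE_HEADLESS,
})) {
  const rounds = runSession(client, 5);
  console.log(label, rounds.length, 'round(s):', classifySession(rounds));
}
```

Separating "failed" from "withheld" in the challenge log is what lets an operator count looping sessions that are likely real users instead of lumping them in with automation.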
[+] [-] adamgamble|2 years ago|reply
Case in point, I set a WAF rule that blocked all non verified bot traffic from several big datacenters (Google cloud, OVH, digital ocean, etc). That turned out to be a mistake because a lot of corporations were routing their traffic through those ASNs for some reason. Now they’re blocked. They could have gotten pissed at Cloudflare, the error page looks the same, but it was really misconfiguring it.
[+] [-] bradley13|2 years ago|reply
On some sites. Many sites, especially the big ones, see that it's an unknown browser, and refuse to send content. Probably they think it's a bot. But even if it were, what's wrong with bots, as long as they're well-behaved?
What kind of closed web have we let the megacorps build?
[+] [-] buzer|2 years ago|reply
The only fix is to navigate back to the page somehow, either by going to the address bar and pressing enter (to navigate there again instead of reloading) or finding some link that points you back to the page.
I wouldn't be surprised if those POSTs will end up banning you from some website since they "know" you shouldn't be POSTing to that page so clearly you are an evil bot trying to hack them.
[+] [-] krono|2 years ago|reply
For people going through life with ADHD such as myself, the impact of all these delays and disruptions throughout the day can be severe. Despite being properly medicated this measure is absolutely debilitating and makes for a dreadful and very taxing online experience.
[+] [-] thedanbob|2 years ago|reply
[+] [-] CharlesW|2 years ago|reply
This seems more like an "IT department gone mad" problem than a Cloudflare problem. I'm surprised they'd rather switch to Chrome than submit a support ticket.
Having used passkeys for a month+ now via macOS/iOS/1Password betas, I don't understand how they're related or the author's concerns. Couldn't you just replace "passkey" with "password" in all of their questions?
[+] [-] superkuh|2 years ago|reply
[+] [-] Animats|2 years ago|reply
Most contract law lawsuits are settled out of court. The great advantage of suing someone is that you get past the low-level customer support people and talk to someone who's authorized to settle.
[1] https://www.lodhs.com/blog/interference-with-contractual-or-...
[+] [-] thedaly|2 years ago|reply
[+] [-] w0ts0n|2 years ago|reply
Cloudflare is a huge part of the internet. Often they won't respond and it appears that for whatever reason, their IP range is blocked in Egypt. We probably get 10 support emails per week. I contacted Cloudflare and they simply said there is nothing they can do.
[+] [-] nhanpq|2 years ago|reply
I thought privacy was on the rise after the data leaks and irresponsibility of the big tech companies, and the public's involvement in the issue of individual privacy, but it seems like everything is still a step backwards.
[+] [-] samcat116|2 years ago|reply
[+] [-] gsich|2 years ago|reply
[+] [-] alberth|2 years ago|reply
Especially since Apple has partnered with Cloudflare on PAT.
[+] [-] miyuru|2 years ago|reply
I know cloudflare is not to blame here, but they provide way easy access to blocking to bad admins.