So many privacy nuts use Chrome and don't realize this:<p>> What about Google Chrome?<p>> I tried all of the above in Firefox. So I naturally tried to access the same page in Google Chrome to see if I’d still be blocked. Thankfully, I wasn’t.<p>> But of course I wasn’t because Chrome doesn’t have the same privacy- and security-enhancing designs that Firefox does. Chrome will happily collect as much private information about me and my browsing history and share them with select parties, as needed. It also doesn’t resist fingerprinting or let me modify settings to the same degree that Firefox does because Chrome relies on those fingerprinting technologies to ensure that I am targeted by ads it deems necessary for me to see.<p>> Being blocked on Firefox and not blocked on Chrome also tells me that Cloudflare is blocking me based on the fingerprint (or lackthereof) of my browser. Everything about my connection is identical between the two requests, aside from the browser being used. It’s the same security certificates, same corporate VPN, same machine, even the same timeframe when I try to access the site.<p>If you care about <i>anything</i> these days, don't use Chrome.
Hi there, I'm the PM for Cloudflare's challenge platform. I'd love to look into what the cause of the problem is, so you don't see these difficulties.<p>> Cloudflare detected the high frequency of requests and denials (but not their faulty loop that caused this pattern of requests, of course), and tagged my browser as suspicious.<p>I can tell you at least that we don't penalize users for this looping behavior, so this wouldn't cause us to see your browser as suspicious. I hope we can dig into this more and uncover the cause of the problem.<p>Personally, I'm a big Firefox user, and this isn't behavior I see. If there were a widespread Firefox wide issue, automated alerts would trigger and we'd consider this a critical incident.<p>You can drop me an email at amartinetti at cloudflare if you're interested in troubleshooting.
I've had the exact same problem for a while. Here are some of the sites I've been unable to access (found by searching for "just a moment" in my browser history):<p>- <a href="https://gitlab.com/users/sign_in" rel="nofollow noreferrer">https://gitlab.com/users/sign_in</a><p>- <a href="https://steamdb.info/login/" rel="nofollow noreferrer">https://steamdb.info/login/</a><p>- <a href="https://www.zabbix.com/forum/" rel="nofollow noreferrer">https://www.zabbix.com/forum/</a><p>- <a href="https://casetext.com/" rel="nofollow noreferrer">https://casetext.com/</a><p>- <a href="https://namemc.com/login" rel="nofollow noreferrer">https://namemc.com/login</a><p>- <a href="https://spinroot.com/" rel="nofollow noreferrer">https://spinroot.com/</a><p>- <a href="https://camelcamelcamel.com/" rel="nofollow noreferrer">https://camelcamelcamel.com/</a><p>It's really annoying and Cloudflare is apparently doing nothing to fix it as this has been going on for months if not years. I guess Cloudflare just hates the open web and really wants to enforce Chrome/Chromium/Blink hegemony.
Any time a large portion of internet traffic is controlled by a single source it brings problems like this with it. All cloudflare has to do is arbitrarily decide who and who can't use the internet and effectively their word becomes law. Like most things it starts with an innocent premise (e.g. "an easy way to stop bad actors") and ends up extended to any number of arbitrary things. Worse, the argument from privacy advocates rings hollow because defending privacy means you have to allow Bad People (TM). The average drooler using the internet cannot understand the nuance. Even in the most innocent of cases, a bad commit getting merged, can bring down the internet. It has happened before with Cloudflare.<p>Companies like Cloudflare, Google, Meta, etc are the reason anti-trust law exists. Unfortunately, it appears there is no one with any power that is willing to use the laws for their purpose. The internet in 20 years will be nothing like we've seen before. That's not a good thing.
If you've ever tried to take apart Cloudflare's various session cookies, MITMed scripts sent for "high integrity" pages (or when in "super bot-fight" mode), etc., you'll have observed that it's basically running a web-worker to heuristically do browser-integrity checking. That is, Cloudflare is trying to run a series of tests that real browsers operated by users pass, but which headless browsers operated by bots will fail.<p>These range from pretty simple things that check that the browser is actually a browser rather than a raw HTML parser (e.g. "draw an image on a <canvas>, export it to PNG, hash the PNG, compare to an expected result"); to things that check for low-effort headless-browsing techniques like the one you get by default using Puppeteer in a Lambda/Cloud Function (e.g. "do we have the weirder fonts you'd expect to exist on a consumer OS, but which these default batteries-included container images don't bother to bake in"); to things that work really hard to detect the "scent of humanity" <i>through</i> the browser (e.g. "before the user activated the integrity-check prompt, did we record a sequence of 'extraneous' mouse movements and key events that look like a human making individualized mistakes on their way to completing the form, and <i>don't</i> look like a recorded capture of such similar to other ones we've seen recently.")<p>If you're getting caught in a verification loop, it's because you're using a browser or device or extension that obscures/disables enough of these heuristics that Cloudflare can't get <i>proof positive</i> that you're a person rather than a bot — and so, under whatever settings the site-owner has it set at, it will just keep trying to get that proof, rather than telling you you've failed and been blocked. (Why? Because telling a bot they've failed tells them that they should stop trying something that's not working and instead — in the words of Star Trek technobabble — "rotate their shield frequency" before trying again.)
One thing that sometimes gets lost is site owners that use cloudflare have sort of global options for how paranoid they want to be, then they can make specific WAF rules that can be as granular and aggressive as they want. So at least in some cases, cloudflare gets blamed for website owners setting really aggressive rules. The effect on the end user usually looks exactly the same.<p>Case in point, I set a waf rule that blocked all non verified bot traffic from several big datacenters (Google cloud, OVH, digital ocean, etc). That turned out to be a mistake because a lot of corporations were routing their traffic through those ASNs for some reason. Now they’re blocked. They could have gotten pissed out cloudflare, the error page looks the same, but it was really misconfiguring it.
Anecdote: For my programming classes, one example I use is a simple browser. It doesn't do CSS or Javacript, so display is primitive, but it works.<p>On some sites. Many sites, especially the big ones, see that it's an unknown browser, and refuse to send content. Probably they think it's a bot. But even if it were, what's wrong with bots, as long as they're well-behaved?<p>What kind of closed web have we let the megacorps build?
It's also annoying how that check page ends up breaking page reload in Firefox. When Cloudflare redirects you back to the page it will happen via POST. This initial POST gets captured by Cloudflare, but if you reload the page that POST will go to page itself and there's pretty good chance it doesn't know what to do with that and just shows error.<p>The only fix is to navigate back to page somehow, either by going to address bar and pressing enter (to navigate there again instead of reloading) or finding some link that points you back to the page.<p>I wouldn't be surprised if those POSTs will end up banning you from some website since they "know" you shouldn't POSTing to that page so clearly you are evil bot trying to hack them.
The amount of times Cloudflare is making me sit through their 15 to 30 second "checking your connection" page is insane.<p>For people going through life with ADHD such as myself, the impact of all these delays and disruptions throughout the day can be severe. Despite being properly medicated this measure is absolutely debilitating and makes for a dreadful and very taxing online experience.
Just yesterday I realized that I couldn't log into Paypal on Safari or Firefox, only a Chromium-based browser. We're getting deeper all the time into "this site is best viewed in Google Chrome".
> <i>The next day, I tried accessing a web page internal to my company… […] I couldn’t get past a security check page because of issues in Cloudflare’s software. […] The silliness of it all is that I was on my work device the whole time, which was behind my workplace VPN.</i><p>This seems more like an "IT department gone mad" problem than a Cloudflare problem. I'm surprised they'd rather switch to Chrome than submit a support ticket.<p>Having used passkeys for a month+ now via macOS/iOS/1Password betas, I don't understand how they're related or the author's concerns. Couldn't you just replace "passkey" with "password" in all of their questions?
This has been my experience for a handful of years but of course it's getting worse. In the past I'd just be getting blocked from access commercial websites or applications and things I didn't really need. But in the last few years many scientific publishers have put all their content behind cloudflare walls. Pretty much my only hope of being able to read a paper these days is that it came out long enough ago to be on sci-hub <i>or</i> they published the pre-print on arxiv/bioarxiv/etc. Once arxiv goes behind a cloudflare I don't know what I'll do.
Suing Cloudflare for interference with contract[1] might be an option. Cloudflare is not protected against lawsuits by some EULA, because the outside user has no contract with them. They're a third party in the middle. Talk to a lawyer.<p>Most contract law lawsuits are settled out of court. The great advantage of suing someone is that you get past the low-level customer support people and talk to someone who's authorized to settle.<p>[1] <a href="https://www.lodhs.com/blog/interference-with-contractual-or-advantageous-relationships/" rel="nofollow noreferrer">https://www.lodhs.com/blog/interference-with-contractual-or-...</a>
I've been getting stuck in the “browser integrity check” loop a lot on firefox lately. Not an issue in chrome, not using a vpn, etc. I assume it is some combination of extensions and/or settings in firefox.
Users in Egypt are unable to visit my Fitness website <a href="https://musclewiki.com" rel="nofollow noreferrer">https://musclewiki.com</a><p>Cloudflare is a huge part of the internet. Often they won't respond and it appears that for whatever reason, their IP range is blocked in Egypt.
We probably get 10 support emails per week. I contacted Cloudflare and they simply said there is nothing they can do.
I feel like this these days: the right to decide if I am free to choose to use or access a service or website is not based on whether I claim to be human (in captchas tests), but based on the data people collect about me - and decide on them - something that I don't know behind invisible doors.<p>I thought privacy was on the rise after the data leaks and irresponsibility of the big tech companies, and the public's involvement in the issue of individual privacy, but it seems like everything is still a step backwards.
The fact that this person thinks Cloudflare has their MAC address leads me to believe they shouldn't be speculating on the "implications for the web"
I cannot access flyertalk.com, which hosts lot of useful airline content from any IP from my country.
I tried reaching out via email as mentioned in the error page and admin does even have a valid email posted anywhere.<p>I know cloudflare is not to blame here, but they provide way easy access to blocking to bad admins.
Boils down to gatekeepers doesn't it.<p>Unfortunately there's also bad actors on the web (and the definition of bad varies). I understand reasons to try centralise the removal of that so called bad, but obviously a central group deciding on the 'bad' just isn't democratic.<p>Ironically when chatgpt mentioned their UA on a web page the other day, users were presented with an anti-bot challenge.
Increasingly more sites are getting stuck in a Cloudflare verification loop on my end. I use Firefox on the beta channel, and I do have a few privacy extensions and a heavily modified user.js. If you want to give in to the browser fingerprinting, I have found that enabling WebGL, enabling performance timing (wow), setting network.http.referer.XOriginTrimmingPolicy to 0, among other tweaks, helps me break out of the verification loop.<p>In other words, if Cloudflare can't reliably fingerprint your browser, you are treated as a "bot" and denied access to a huge chunk of the web. Well, in that case, I would rather be a bot than a human. Being a human seems to be increasingly annoying nowadays :)
The End of the Road for Cloudflare CAPTCHAs<p><a href="https://blog.cloudflare.com/end-cloudflare-captcha/" rel="nofollow noreferrer">https://blog.cloudflare.com/end-cloudflare-captcha/</a><p>Discriminate against all but "major browsers". Why.<p><a href="https://developers.cloudflare.com/fundamentals/get-started/concepts/cloudflare-challenges/" rel="nofollow noreferrer">https://developers.cloudflare.com/fundamentals/get-started/c...</a>
> Anyone who uses a de-Googled Android phone has to go to great lengths to ensure hardware attestation is working correctly [...] or else they can’t using banking apps.<p>I have a relatively Google'd Android running lineageOS. It passes SafteyNet on a fresh install, but even that isn't good enough for one of my banking apps (or netflix) - they both also perform a CTS Profile (Compatibility Test Suite) check and block me from using the app if they don't like what they see.<p>I ultimately had to root the phone to be able to use my bank's app. Rooting allowed me to use a fake CTS Profile, and then because it was rooted, SafteyNet started failing and I had to install a bypass to work around that.<p>Now everything works great, except OS updates un-root the phone and then "secure" apps stop working again.<p>(Oh, and if you mention that you're rooted, the LineageOS folks will refuse to provide any support, even for unrelated issues. Making you choose between friendly help and a usable phone is probably the only thing I don't like about LineageOS and, to my view, the biggest break from it's CyanogenMod roots.)
> I temporarily disabled extensions. I opened a private browsing window.<p>FYI When using Chrome, incognito window carries a lot of baggage. For issues like this use Guest profile as it doesn't include extensions, caches, storage, etc. Optionally do a Google search first to seed it with cookies.
I personally experience this loop all the time on different sites. I’ve completely given up - if a site loops I don’t use it and try again a few weeks later. If it’s something extremely urgent I use my mobile device which for some unknown reason never loops.
This is a bit tangential to the author's point but it does seem to indicate that IPv6 is mostly pointless for human users for exactly this reason.<p>Since it's so much easier to hide behind a new unique address, compared to IPv4, that any service such as Cloudflare would need to be extremely aggressive in blocking to meet their internal metrics and customer advertised minimum thresholds.<p>So much so that it actually costs more to use IPv6 then sticking with IPv4.<p>I imagine the scenario described by the author would become more and more common as time goes on as more of the world's internet users becomes harder to distinguish.
No problem for me accessing Gitlab without using a web browser. Moreover one can use Internet Archive, Archive.today, Google's cache, etc. to avoid SNI.<p>The author did not specify which project he was trying to access so I picked a random one to test from /explore/projects/topics/bioinformatics. No problem accessing it without a web browser. TLS1.3. No SNI.<p><a href="https://one-touch-pipeline.gitlab.io/otp/" rel="nofollow noreferrer">https://one-touch-pipeline.gitlab.io/otp/</a>
Some comments I have on this post:<p>> Worse yet, I know that Cloudflare knows I have those certificates. Why? Because it asked for them!<p>Not really. Cloudflare notices your browser has TLS authentication available and asks you for it. That's really annoying, but part of the protocol spec. Your browser won't send this information unless you pick a certificate and hit OK.<p>Disable your ad blocker and you'll find that many trackers will also ask you to identify yourself this way. It's really annoying, browsers need to design better UX for this type of authentication.<p>> · MAC address of my machine that I have previously used to access this site<p>How does it gather your MAC address? Did you disable IPv6 Privacy Extensions? Unless the website is sitting behind the same switch as your computer or you run some kind of native application that sends the MAC address, websites can't read the MAC of your network interface. Enable the MAC randomisation that's present (sometimes even turned on by default!) in every modern OS if you consider the local switch or WiFi network to be a privacy risk.<p>> Will I be able to create and sync these passkeys myself?<p>Yes, assuming they follow the standard<p>> Can only certain types of software use passkeys? If so, who decides what software meets this standard?<p>I don't really understand the question. Any software supporting passkeys will be able to prompt you for generating or using a passkey.<p>> Will I only be able to generate passkeys on a device with specific hardware/software requirements like a TPM, DeviceCheck, or Integrity API?<p>According to the spec, keys can be stored in software no trouble. Websites and apps can ask for securely generated keys, but I don't think those are all that common. Hardware can also be faked relatively easily in most circumstances.<p>> Can I, at any time, export my passkeys from one service provider and switch to another provider?<p>Ask your service provider for export options. Most likely, you can't just dump the keys and import them elsewhere (that would defeat the point).<p>> If a passkey is invovled in a suspicious event, will that suspicious mark propogate to any other device that uses that same passkey? Do devices that contain suspicious passkeys also get marked as suspicious? If so, would that impact the ability of that device to access other independent websites?<p>That depends on the software using the key for authentication. Maybe?
The big problem I have with Cloudflare's integrity check is that all the spam domains use a fake version which mimics it, and tries to trick you into completing a captcha.
This happened to me just a few days ago. I tried to open a link in an app, which then tried to open it with an in-app WebView. Thus, the Cloudflare captcha loop of death. I could even see a "human verification failed" string appearing after clicking on an "I am human" checkbox. Alongside the annoyance of not being able to browse, this kind of language is awful! Literally being told to my face I am not a human.
I was going to assume that the corp VPN is the reason as maybe someone is abusing that connection for something else and it’s getting flagged, but the fact that the site worked using chrome says otherwise.<p>Will using chromium for such cases work while having Firefox for the rest of sites?<p>And what’s cloudflare alternative that provides similar services for free including traffic analysis?
Off topic - but how can Cloudflare block access to an internal website when accessed by via VPN? And if CF has some kind of request verification API that the internal server is using, why would you use it for an internal resource?
As a Firefox mobile user, I've never been able to go past that page for ~2 years.<p>And so I've stopped visiting websites that use that system (several per days).<p>There's no way to report that to Cloudflare so f*ck'em.
Anyone else find it odd that the author's company-internal work intranet, which requires a VPN to access, is deployed behind a Cloudflare CDN? Why would anyone do this?
On one of my machines I run OpenBSD with Firefox with "Strict" privacy settings and "privacy.resistFingerprinting" enabled. There are so many websites I can't access, I get a straight-up 403 Forbidden page because CloudFlare has decided I am not trustworthy. I mean like pretty big companies like DigiKey, Home Depot, Canadian Tire, etc. I simply cannot use their websites, or I can load the initial page but then the API calls that provide the functionality all fail with a 403. DigiKey did something to unblock me and I can use their site again, but I know it's just a matter of time before it happens again. It's also a frequent problem on smaller sites that are simply using CloudFlare , and I never know when I'm going to be blocked from a site arbitrarily. It's especially egregious when it's a plain old text-based site like hamuniverse.com , or a small independent vendor like digirig.net ...<p>This is one of the things that makes it so clear to me that the web is diverging into two, one that is the "clean walled-garden capitalism web" and the continuation of the original web that was open, freely-accessible and built around sharing and knowledge.
Fingerprinting is probably load-bearing for captchas and other anti-fraud stuff that many Internet services and businesses depend on:<p><a href="https://xkcd.com/2347/" rel="nofollow noreferrer">https://xkcd.com/2347/</a><p>It should be replaced with something better. Unfortunately all attempts to do something better get attacked by people who don’t realize that you can’t just get rid of it, or important things will break.
> Worse yet, I know that Cloudflare knows I have those certificates. Why? Because it asked for them!<p>It doesn’t make sense for Cloudflare to request any client certificates.<p>I think there are real bugs somewhere.
Is there something more going on here like you're using some kind of blocker and it's stopping the captcha/security 'widget' from loading?
The problem with Cloudflare is they purposely attempt to break user privacy by dangling websites as carrots. It's deception that they are attempting to determine if the person is human or not, because often they won't even show you the CAPTCHA. Even if you do get to the CAPTCHA, sucessfully doing it usually won't give you access to the website either. So, what is the point?<p>They want people to disable any privacy protections or push usage of browsers that have no to less privacy protections, in order to access the website they are blocking. This has nothing to do with if a user is an actual threat or bot, but is more a strategy to shape what browsers are used and destroy user privacy.<p>Cloudflare is also very aware of the numerous and constant complaints about what they are doing, coming from users and for years. They are ignored, because they have something else in mind.