Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

Cloudflare blocking Pale Moon and other browsers with smaller user bases

⁨612⁩ ⁨likes⁩

Submitted ⁨⁨2⁩ ⁨months⁩ ago⁩ by ⁨dantheclamman@lemmy.world⁩ to ⁨technology@lemmy.world⁩

https://www.theregister.com/2025/03/04/cloudflare_blocking_niche_browsers/

source

Comments

Sort:hotnewtop
  • AnAmericanPotato@programming.dev ⁨2⁩ ⁨months⁩ ago

    Disgusting and unsurprising.

    Most web admins do not care. I’ve lost count of how many sites make me jump through CAPTCHAS or outright block me in private browsing or on VPN. Most of these sites have no sensitive information, or already know exactly who I am because I am already authenticating with my username and password. It’s not something the actual site admins even think about. They click the button, say “it works on my machine!” and will happily blame any user whose client is not dead-center average.

    Enter username, but first pass this CAPTCHA.

    Enter password, but first pass this second CAPTCHA.

    Here’s another CAPTCHA because lol why not?

    Some sites even have their RSS feed behind Cloudflare. And guess what that means? It means you can’t fucking load it in a typical RSS reader. Good job!

    The web is broken. JavaScript was a mistake. Return to monke gopher.

    Fuck Cloudflare.

    source
    • SerotoninSwells@lemmy.world ⁨2⁩ ⁨months⁩ ago

      I get why you’re frustrated and you have every right to be. I’m going to preface what I’m going to say next by saying I work in this industry. I’m not at Cloudflare but I am at a company that provides bot protection. I analyze and block bots for a living. Again, your frustrations are warranted.

      • Even if a site doesn’t have sensitive information, it likely serves a captcha because of the amount of bots that do make requests that are scraping related. The volume of these requests can effectively DDoS them. If they’re selling something, it can disrupt sales. So they lose money on sales and eat the load costs.

      • With more and more username and password leaks, credential stuffing is getting to be a bigger issue than anyone actually realizes. There aren’t really good ways of pinpointing you vs someone that has somehow stolen your credentials. Bots are increasingly more and more sophisticated. Meaning, we see bots using aged sessions which is more in line with human behavior. Most of the companies implementing captcha on login segments do so to try and protect your data and financials.

      • The rise in unique, privacy based browsers is great and it’s also hard to keep up with. It’s been more than six months, but I’ve fingerprinted Pale Moon and, if I recall correctly, it has just enough red flags to be hard to discern between a human and a poorly configured bot.

      Ok, enough apologetics. This is a cat and mouse game that the rest of us are being drug into. Sometimes I feel like this is a made up problem. Ultimately, I think this type of thing should be legislated. And before the bot bros jump in and say it’s their right to scrape and take data it’s not. Terms of use are plainly stated by these sites. They consider it stealing.

      Thank you for coming to my Tedx Talk on bots.

      source
      • AstralPath@lemmy.ca ⁨2⁩ ⁨months⁩ ago

        Dude, thank you for this context. I was already aware of these considerations but just wanted to thank you for sharing this with everyone. Its participation like this that makes the internet a better place. 🍻

        source
        • -> View More Comments
      • Tiger@sh.itjust.works ⁨2⁩ ⁨months⁩ ago

        Thank you for that info, very helpful.

        source
        • -> View More Comments
      • MonkderVierte@lemmy.ml ⁨2⁩ ⁨months⁩ ago

        But captchas have now proven useless, since bots are better at solving them now than humans?

        source
        • -> View More Comments
      • Knossos@lemmy.world ⁨2⁩ ⁨months⁩ ago

        Also Cloudflare adds a caching layer, often physically closer to users. Increasing speed of delivery and reducing server costs. It’s a no-brainer for server admins.

        Also, I don’t work for Cloudflare either. The animosity is new to me, and certainly something I’ll look into.

        source
      • mac@lemm.ee ⁨2⁩ ⁨months⁩ ago

        Thanks for sharing!

        source
        • -> View More Comments
      • iopq@lemmy.world ⁨2⁩ ⁨months⁩ ago

        Ever heard of counting attempts? Log the IP, present a CAPTCHA after 100 requests in a minute.

        Besides, if I wrote a bot I would run a browser dialer from Chrome. It would request your site in a Chrome tab and appear completely legitimate to your stupid fingerprinting scripts

        source
        • -> View More Comments
      • roguetrick@lemmy.world ⁨2⁩ ⁨months⁩ ago

        Terms of use are plainly stated by these sites. They consider it stealing.

        I consider it more trespassing than stealing myself.

        source
      • girsaysdoom@sh.itjust.works ⁨2⁩ ⁨months⁩ ago

        You’re definitely right that it’s a game of one-upping each other. Unfortunately, it’s now directed in a path that infringes on privacy of the users it aims to serve.

        Since you’re working in the internet security industry, what’s your take on something like Altcha as opposed to more invasive means of protecting against both attacks?

        source
        • -> View More Comments
    • singletona@lemmy.world ⁨2⁩ ⁨months⁩ ago

      tildeverse.org

      Tilde.teams and tilde.club even have outwardly facing email accounts.

      We have a newsgroup server.

      We have a dedicated irc server.

      Member gopher/https/gemini pages.

      And other services.

      And each tilde has it’s own focus.

      Be kind. Contribute as you can to discussions.

      What is gemini

      tilvids.com/…/e1d6ed23-315a-4fc6-8d5b-6d96d51e481…

      Rocking the web bloat.

      …ccc.de/…/mch2022-83-rocking-the-web-bloat-modern…

      Be Free.

      source
      • KeenFlame@feddit.nu ⁨2⁩ ⁨months⁩ ago

        So cute :)

        source
        • -> View More Comments
    • hansolo@lemm.ee ⁨2⁩ ⁨months⁩ ago

      LibreWolf is next, and it’s not exactly niche. In seeing it more and more, and LW defaults, even dropping resist settings, gets bounced by CloudFlare every time.

      source
      • Botzo@lemmy.world ⁨2⁩ ⁨months⁩ ago

        Fire dragon here and yeah, sometimes Google won’t even let me log in either.

        source
      • DFX4509B_2@lemmy.org ⁨2⁩ ⁨months⁩ ago

        Wouldn’t that also block Firefox by proxy?

        source
        • -> View More Comments
    • 0x0@programming.dev ⁨2⁩ ⁨months⁩ ago

      Ever been down the gemini rabbit hole? It’s not perfect, but quite interesting.

      source
  • 2xsaiko@discuss.tchncs.de ⁨2⁩ ⁨months⁩ ago

    These bastards haven’t MITMed half the internet for nothing. This isn’t the first time they abuse that either.

    I hate that I once fell for it too when I just started out hosting stuff and put it behind their proxy.

    source
    • Spaniard@lemmy.world ⁨2⁩ ⁨months⁩ ago

      What do you use now instead of cloudflare?

      source
    • Potatisen@lemmy.world ⁨2⁩ ⁨months⁩ ago

      What is MITMed?

      source
      • pogodem0n@lemmy.world ⁨2⁩ ⁨months⁩ ago

        “Man in the middle”. They are used by a lot of web services as a proxy, usually to prevent DDOS attacks.

        source
        • -> View More Comments
  • bigredcar@lemmy.world ⁨2⁩ ⁨months⁩ ago

    It is obvious that Cloudflare is being influenced to enforce browser monopolies. Imagine if Cloudflare existed in 2003 and stopped non Internet Explorer browsers. If you use cloudflare to “protect” your site you are discriminating against browser choice and are as bad as Microsoft in 1998.

    source
    • admin@lemmy.today ⁨2⁩ ⁨months⁩ ago

      If you use cloudflare to “protect” your site you are discriminating against browser choice and are as bad as Microsoft in 1998.

      😕

      source
    • sugar_in_your_tea@sh.itjust.works ⁨2⁩ ⁨months⁩ ago

      Agreed. I use cloudflare for domain hosting because they’re cheap, but I have never liked their protections.

      source
  • orbituary@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago

    On librewolf, i get blocked. its a firefox fork and still it happens. had to set up a Firefox User Agent plugin.

    source
    • idunnololz@lemmy.world ⁨2⁩ ⁨months⁩ ago

      Its kind of funny but thats how user agents have been for a while. It’s historically just been browsers pretending to be one another.

      webaim.org/blog/user-agent-string-history/

      source
      • MonkderVierte@lemmy.ml ⁨2⁩ ⁨months⁩ ago

        Yeah and that’s why it’s one of the basics of the basics you learn as a software developer that you shouldn’t sniff the useragent, because it’s unreliable and causes issues. Yet all big webpages (especially those pretending to be a software) do it, causing issues.

        source
  • turnip@sh.itjust.works ⁨2⁩ ⁨months⁩ ago

    I can’t use my Browser without it being created by a tech giant, cant use my new computer without having my software uefi signed by Microsoft, AI will soon have my GPU licensed and registered.

    The world is heading to crap.

    source
    • rottingleaf@lemmy.world ⁨2⁩ ⁨months⁩ ago

      You can, it’ll cost more and give you less, but you can.

      That’s the way this works.

      source
    • DFX4509B_2@lemmy.org ⁨2⁩ ⁨months⁩ ago

      You can always build a PC and not have to deal with that UEFI signing stuff as you’re expected to provide your own OS still, that option hasn’t been eliminated yet.

      source
  • Dsklnsadog@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago

    I would be very interested to know how they plan to resolve these issues with “Ladybird.” Using a new engine will likely clash with the FALSE “security measures” of many websites and harm the browsing experience. It’s often said that users should demand respect for web standards, but in the meantime, as usability declines, users will gradually drift away. Firefox learned this lesson the hard way.

    source
    • AdrianTheFrog@lemmy.world ⁨2⁩ ⁨months⁩ ago

      Servo is another wip web browser, managed by the Linux foundation’s European branch. It’s a little less far along but is making relatively quick progress now. Apparently discord already mostly works, with sending messages currently being a problem.

      source
  • JcbAzPx@lemmy.world ⁨2⁩ ⁨months⁩ ago

    Need to start spoofing user agent strings again.

    source
    • Hupf@feddit.org ⁨2⁩ ⁨months⁩ ago

      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 3.0)

      source
  • rottingleaf@lemmy.world ⁨2⁩ ⁨months⁩ ago

    What doesn’t work with Lynx is a wrong website.

    source
    • sugar_in_your_tea@sh.itjust.works ⁨2⁩ ⁨months⁩ ago

      Agree for static content like news and blogs. Disagree for dynamic content like games and video streaming.

      source
  • MonkderVierte@lemmy.ml ⁨2⁩ ⁨months⁩ ago

    So make useragent sniffing useless by all being Chrome?

    source
  • wordcraeft@lemm.ee ⁨2⁩ ⁨months⁩ ago

    I was planning on moving away from Cloudflare to European providers anyway, so this just adds fuel to the fire.

    I’m considering using BunnyDNS for DNS management, not using a CDN at all, and using Scaleway for serverless functions.

    source
    • admin@sh.itjust.works ⁨2⁩ ⁨months⁩ ago

      Maybe is against the ToS but I’ve used github as CDN for free in the past… Might work for you.

      I never felt it was wrong, it was around the time of the Microsoft acquisition.

      source
      • wordcraeft@lemm.ee ⁨2⁩ ⁨months⁩ ago

        I appreciate the suggestion, but Github is also an American company. I’ve been moving my git repositories to Codeberg.

        My sites don’t get enough traffic to warrant a CDN really, but if necessary, BunnyCDN looks like it can fit the bill. Plus, my static sites are in Scaleway object storage.

        source
  • Lila_Uraraka@lemmy.blahaj.zone ⁨2⁩ ⁨months⁩ ago

    Pale Moon still exists? Huh

    source
  • ILikeBoobies@lemmy.ca ⁨2⁩ ⁨months⁩ ago

    Should change my user agent to sod off

    source
  • NocturnalMorning@lemmy.world ⁨2⁩ ⁨months⁩ ago

    I just won’t use cloud-based, that’s fine.

    source
    • tja@sh.itjust.works ⁨2⁩ ⁨months⁩ ago

      But everyone else is

      source
      • GreenKnight23@lemmy.world ⁨2⁩ ⁨months⁩ ago
        [deleted]
        source
        • -> View More Comments
    • ragebutt@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago

      Then you won’t browse about 20% of the Internet, which doesn’t sound like a lot but it’s disproportionately impacting sites you would generally want to browse

      I posted to this effect in a Firefox alternatives thread: if you use an alternative low adoption rate FOSS browser you trade increased privacy via less/no data harvesting for decreased privacy via much higher susceptibility to browser fingerprinting by google/meta/etc. doesn’t matter if you resize your windows if your browser reports its one that only 5,000 people use. And something tells me the tech giants have a way around user agent spoofing

      And now even if you don’t care about that? Fuck you. Cloudflare locks you out of the modern internet because of course anyone not using chrome or safari is a bot

      I have pretty draconian privacy protections on my devices and home network. It makes the internet hostile. Captchas regularly fail and I have to try them many times. Embedded youtube videos always think I am a bot and refuse to play unless I sign in, I get weird interstitial pages with captchas on google search, yandex, etc (kagi and searx don’t so I use searx), etc.

      Advertisers have pushed companies to make the internet openly hostile to anyone who wants to maintain privacy. And to be clear google and meta are advertisers first and foremost. Fuck them

      source
      • Korhaka@sopuli.xyz ⁨2⁩ ⁨months⁩ ago

        I have given up hiding from the tracking. Instead flood them with a torrent of bullshit data. AdNauseam, click on all the adverts. If the internet is going to be hostile then I shall be actively malicious to it in response.

        source
    • dantheclamman@lemmy.world ⁨2⁩ ⁨months⁩ ago

      That’s analogous to saying you won’t call any numbers on certain carrier It’s possible, but your overall service is devalued if you can’t connect to a large group of people.

      source
  • recall519@lemm.ee ⁨2⁩ ⁨months⁩ ago
    [deleted]
    source
    • girsaysdoom@sh.itjust.works ⁨2⁩ ⁨months⁩ ago

      That’s a shit take. What’s the point of having user-agents if it’s just a race to the bottom for only supporting a smaller list arbitrarily? It’s not like the bots aren’t going to just spoof as Chrome on Windows 11 anyways.

      source
    • ubergeek@lemmy.today ⁨2⁩ ⁨months⁩ ago

      Which bots use Palemoon as their UA string?

      source
      • llama@lemmy.zip ⁨2⁩ ⁨months⁩ ago

        Zero, it’s always outdated versions of Firefox or Chrome (if a UA is even provided at all)

        source
    • ILikeBoobies@lemmy.ca ⁨2⁩ ⁨months⁩ ago

      Yes

      source
    • hopesdead@startrek.website ⁨2⁩ ⁨months⁩ ago

      If I remember correctly, Cloudflare openly defended hosting a well known Neo-Nazi forum.

      source
    • JackbyDev@programming.dev ⁨2⁩ ⁨months⁩ ago

      YES!

      source
    • Diurnambule@jlai.lu ⁨2⁩ ⁨months⁩ ago

      Yes its should.

      source
  • zorro@lemmy.world ⁨2⁩ ⁨months⁩ ago

    I feel like I remember reading that the pale moon JavaScript engine was broken and causing the capcha to break repeatedly?

    Let me see if I can find sources

    source
  • ColdWater@lemmy.ca ⁨2⁩ ⁨months⁩ ago

    Yeah? I ddos websites with Pale Moon and ArcticFox so what?

    source
  • collapse_already@lemmy.ml ⁨2⁩ ⁨months⁩ ago

    I wonder what happens if you use Pale Moon but set the user agent to Firefox.

    source
    • dantheclamman@lemmy.world ⁨2⁩ ⁨months⁩ ago

      Another comment suggested that helped with LibreWolf, but that is a closer fork than Pale Moon, so not sure

      source
  • Limerance@piefed.social ⁨2⁩ ⁨months⁩ ago

    How can I test, if I get blocked? I just started using Waterfox and so far no issues.

    source
    • Jerry@feddit.online ⁨2⁩ ⁨months⁩ ago

      You can go to https://hear-me.social and click on the register button. This puts up a Cloudflare managed challenge screen which endlessly loops when using Pale Moon. It would be interesting to see if Waterfox has the same issue.

      source
      • Limerance@piefed.social ⁨2⁩ ⁨months⁩ ago

        Works fine with Waterfox.

        source
      • circledot@feddit.org ⁨2⁩ ⁨months⁩ ago

        Works with librewolf.

        source
      • AceFuzzLord@lemm.ee ⁨2⁩ ⁨months⁩ ago

        Took a minute and a refresh, but it worked on Ironfox on android.

        source