Tell HN: Cloudflare is blocking Pale Moon and other non-mainstream browsers

Yeah maybe if you somehow managed to email them without their email provider stopping that email from reaching them…

It is difficult to gauge the size of the Cloudflare effect.. if the usage statistics the site owner is collecting.. are also not collected for those undesirables.

You don't think the people actually running the shops, whose income depends on the shop, have thought of that and thus there exists a downside that more than offsets the upside?

Then you get burglars in your shop instead of legitimate customers.

User Agents look the way they do because this is a recurring issue.

A browser without network effects gets blocked, they look for a way to bypass the blocking, then they become mainstream and now the de-facto UA is larger than before.

If you were running a shop, you would realize that nearly 100% of the fraud is "not chrome, edge, safari, or firefox"

It's unfortunate yes but that's what drives the threat signatures

Why would you assume that the 10% of non standard browsers are going to buy anything?

Demographic is important here. If I was running a shop that sold software for Linux users, sure. If I'm running a store that sells pretty much anything else? I'm not caring.

>That door is getting replaced.

Sure. If there was another place to buy a better door at. But if that door manufacturer's the only one that makes doors, if the door installer and door technicians all tell you that they can't or won't make another door for you, then you just deal. Maybe crank up the prices a bit to try to mitigate your 10% shortfalls.

The place where a business looks at that problem and sees money being left on the table that it can't live without and that it has no other way of making up for... that is a very narrow stretch, and only very marginal businesses live there.

And if they did violate the ADA, do you seriously expect this administration's anti-DEI Department of Justice to pursue legal action?

In my experience, screen reader users stick to the mainstream browsers to preserve compatibility. https://webaim.org/projects/screenreadersurvey10/

I don't use iCloud Relay but it seems Apple's ASN would be 'reputable'.

Blocking based on ASN has never and should never be the frontline. It's the illusion of increased security with little actual impact. The bad guys are everywhere and if blocking an ASN has an improvement on your actual breaches then your security is total crap and always will be until you start doing the right things.

I believe your parent comment means when the target website blocks, not Cloudflare.

YouTube is a perfect example. Using iCloud Private Relay can now frequently label you as a bot, which stops you from watching videos until you login.

I don't think that's weird. That's what I would want from an honest vendor who is involved in both services - block anonymization/obfuscation users if I'm paying you to block them. Apple/Cloudflare don't sell/support iCloud Relay as a service that is guaranteed to get you treated nicely by the parties on the other end, so they're not being deceptive with that part either.

What I'd worry about is Cloudflare using their knowledge of their VPN clients to allow services behind their attack protection to treat those clients better, because maybe they're leaking client info to the protected services.

Not that I think Cloudflare/Apple/etc. are supremely noble/honest/moral, or that it's good that semi-anonymous connections are treated so badly by default; this juxtaposition just doesn't seem like a problem to me.

EDIT: OK, I back off of this position somewhat. Apple's marketing of iCloud Relay might allow users to believe it's more prestigious and reputable than a VPN/Tor. They do have fine print explaining that you might be treated badly by the remote services, but it's, you know, fine print, and Apple knows that they have a reputation for class and legitimacy.

You can use iCloud Relay without even noticing that you are using it, this is not true with Tor as you'll spend most of your time waiting for reconnecting circuits.

Because it is 1. Not Tor and 2. Fast

It’s more like a VPN instead of Tor

> So your option as a security professional is to express to your risk management team we allow "hacking tools" or lose iCloud Relay customers

a professional would explain how the vendor is being lazy and making a mistake there because they don't understand your business.

depending on the flavor of security professional (hacker) they might also subtly suggest that this vendor is dumb and should be embarrassed they've made this mistake, thus creating the implication that if you still want to block these users you would also have to be an idiot

under so circumstance is what I ever allow anyone to get the mistaken impression that some vendor understands my job better than I do. As a "security professional" it's literally your job to identify hostile traffic, better than a vendor could.

Oh I think we all know that the Endgame is only allowing the approved webbrowser from the approved hardware. And getting on those lists will be made very expensive indeed...

Wait till you see how M365 does management around iCloud relay makes it real fun troubleshooting suspicious login parameters...

No, only thing i have is dns-over-https.

But i should turn that on.

To trivialize totalitarian regimes that carry out terror against their own citizens, that can outright kill you and whole your family, by comparing them to capitalistic corporate world where, in the worst case, you can simply choose another, less fancy option, is the height of madness.

It's definitely a niche browser. I think I heard of it once on HN over the past few years, and I'd be surprised if there was actually more than a few thousands of people using it.

It is a niche browser with no hype going for it.

I presume this was not intentional.

Definitely not EOL; https://resources.arc.net/hc/en-us/articles/20498293324823-A...

Whoa, really. So it is even back to 3GS/4 days then.

When you click OK it lets you in regardless ;)

To echo further, they may be leaning on something like the [ja4 fingerprint](https://www.google.com/url?sa=t&source=web&rct=j&opi=8997844...) (which you'd need to rebuild curl to emulate that chromium version to try and trick).

I don't know if they still do it, but the Apple Silicon Macs also lied about their architecture and said they're Intel. Truth is not the guiding principle of the User-Agent (or all the JS navigator properties, or anything else easy to use to check this kind of thing).

How would you do DDoS protection without having something in path?

> 50 mbps has been enough to host various websites,

Bandwidth hasn't been a limiting factor for years for me.

But generating dynamic pages can bring just enough load for it to get painful. Just this week I had to blacklist Meta's ridiculously overactive bot sending me more requests per second than all my real users do in an hour. Meta and ClaudeBot have been causing intermittent overloads for weeks now.

They now get 403s because I'm done trying to slow them down.

What bit do you mean specifically? As a fellow web hoster, who also hosted kids before (from a game making forum), I can fully corroborate what they're saying

You're focusing on the wrong kind of pedantry.

"Marginalized" has a specific connotation, sure, but people can be marginalized for reasons other than, or in addition to, those that fit the connotation.

What the hell is wrong with people? Honestly the lack of substantive human interaction in a lot of folks' lives, except via the Internet, is a real problem.

Take that story for instance. Here's how that goes in the physical world, just to show how unbelievably ridiculous it is.

So you didn't get the job? What's your next step?

I'll stop by their office and keep people from entering the front doors by running around in front of them. That'll show those bastards.

Not the same poster, but the first "D" in "DDoS" is why rate-limiting doesn't work - attackers these days usually have a _huge_ (tens of thousands) pool of residential ip4 addresses to work with.

We had rate limiting with Istio/Envoy but Envoy was using 4-8x normal memory processing that much traffic and crashing.

The attacker was using residential proxies and making about 8 requests before cycling to a new IP.

Challenges work much better since they use cookies or other metadata to establish a client is trusted then let requests pass. This stops bad clients at the first request but you need something more sophisticated than a webserver with basic rate limiting.

That might have been good for preventing someone from spamming your HotScripts guestbook in 2005, but not much else.

Why not just ignore the bots? I have a Linode VPS, cheapest tier, and I get 1TB of network transfer a month. The bots that you're concerned about use a tiny fraction of that (<1%). I'm not behind a CDN and I've never put effort into banning at the IP level or setting up fail2ban.

I get that there might be some feeling of righteous justice that comes from removing these entries from your Nginx logs, but it also seems like there's a lot of self-induced stress that comes from monitoring failed Nginx and ssh logs.

Honestly, it should just come down to rate limiting and what you’re willing to serve and to whom. If you’re a free information idealist like me, I’m OK with bots accessing public web-serving servers, but not OK with allowing them to consume all my bandwidth and compute cycles. Furthermore, I’m also not OK with legitimate users consuming all my resources. So I should employ strategies that prevent individual clients or groups of clients from endlessly submitting requests, whether the format of the requests make sense or are “junk.”

Sounds like a problem easily solved with fail2ban. Which keeps legitimate folks in, and offenders out - and also unbans after a set amount of time, to avoid dynamic IPs screwing over legitimate users permanently.

I'd settle for some kind of "proof of investment" in a bot-identity, so that I know blocking that identity is impactful, and it's not just one of a billion tiny throwaways.

In other words, knowing who someone is isn't strictly necessary, provided they have "skin the game" to encourage proper behavior.

Originally I was excited to see that kroger had an API, until just about the first thing that the ToS said was "you can't use this for price comparison".

And yea, I imagine dynamic pricing will make things even more complicated.

That being said, that's why this feature isn't built into the billion shopping list apps that are out there. Because it's a pain.

So you put something in your cart and by the time you reach the cashier the price doubled? Sounds like someone is about to patent price locking when you add an item to your pysical shopping cart.

Best Buy will also sell identical hardware with a slightly modified SKU and negligible changes to avoid comparison.

It’s difficult to compare when BB is the “only” company that sells a particular item.

I mean, it wasn't even that security wasn't a thing: the earliest incarnations of the Internet were defense projects, and after that, connections between university networks. Abuse was nonexistent because you knew everyone on your given network. Bob up the hall wouldn't try to steal your credit card or whatever, because you'd call the police.

I think a decent idea is, we need to bring personal accountability back into the equation. That's how an open-trust network works, and we know that, because that's how society works. You don't "trust" that someone walking by your car won't take a shit in your open window: they could. But there are consequences for that. We need rock solid data security policies that apply to anyone who does business, hosts content, handles user data online, and people need to use their actual names, actual addresses, actual phone numbers, etc. etc. in order to interact with it. I get that there are many boons to be had with the anonymity the Internet offers, but it also enables all of the horseshit we all hate. A spammer can spam explicitly because their ISP doesn't care that they do, email servers don't have their actual information, and in the odd event they are caught and are penalized, it's fucking trivial to circumvent it. Buy a new AWS instance, run a script to setup your spam box, upload your database of potential victims, and boom, you're off.

A lot of tech is already drifting this way. What is HTTPS at it's core if not a way to verify you are visiting the real Chase.com? How many social networking sites now demand all kinds of information, up to and including a photo of your driver's license? Why are we basically forbidden now by good practice from opening links in texts and emails? Because too many people online are anonymous, can't be trusted, and are acting maliciously. Imagine how much BETTER the Internet would be if when you fucked around, you could be banned entirely? No more ban evasion, ever.

I get that this is a controversial opinion, but fundamentally, I don't think the Internet can function for much longer while being this free. It's too free, and we have too many opportunistic assholes in it for it to remain so.

Me too.

Federation is indeed a good start, but DeFi helps spur adoption by having a broader scope.

What other choice do we have?

Countries, whether it be Ukraine or Taiwan, can't risk other countries harvesting their social media platforms for the mother of all purges. I never assume that anything that happened historically can never happen again - no Polish Jew would have survived the Nazis with this kind of information theft. Add AI into the mix, and wiping out any population is as easy as baking pie.

Countries are tired of bad behavior. Just ask my grandmother, who has had her designs stolen and mass produced from China. Not just companies - many free and open source companies cannot survive with such reckless competition. Can Prusa survive a world where China takes, but never gives? How many grandmothers does it take being scammed? How many educational systems containing data on minors need to be stolen? The MPAA and RIAA has been whining for years about the copyright problem, and while we laugh at them, never underestimate them. The list goes on and on.

Startups are tired of paying Cloudflare or AWS protection money, and trying to evade the endless sea of SEO spam. How can a startup compete with Google with so much trash and no recourse? Who can build a new web browser, and be widely accepted as being a friendly visitor? Who can build a new social media platform, without the experience and scale to know who is friend or foe?

Now we have AI, gasoline and soon to be dynamite on the fire. For the first time ever, a malicious country can VPN into the internet of a friendly nation, track down all critics on their social media, and destroy their lives in a real world attack (physical or virtual). We are only beginning to see this in Ukraine - are we delusional enough to believe that the world is past warfare? For the first time, anyone in the world could make nudes of women and share them online, from a location where they'll probably never be taken down. If a Russian company offered nudes as a service to American customers with cryptocurrency payments and a slick website that went viral, do you think tolerance is a winning political position?

When the government actually cares, they're able to track these things down. But they don't except in high profile cases.

America does have laws against this kind of thing.

So instead of banning America, report the IP addresses to their American hosts for spam and malicious intent. If the host refuses to do anything, report it to law enforcement. If law enforcement doesn't do anything... then you're proving my point.

And that assumes that the Western owners of those systems have any reason to listen to you, the one raising the complaint. How would they check that you are not lying?

A wild opinion only valid if you have a defeatist attitude.

Why would 2FA cause lose sales? One would imagine it’s because people are being auto charged for shit they don’t want but haven’t noticed or forgot to cancel.

I’m not actually sure since I never had issues, but I’ve heard it’s not much since they’re basically just an API for transferring money between banks. Each bank app still needs to integrate with the network separately. [1]

I guess you get some security since each party that you transfer to must have their identity verified with a bank, so you could always get the police involved fairly easily

The iDeal website page on security [2] is in Dutch, but it translates to roughly:

> Before you make a purchase, make sure that the webshop or business is a reliable party. For example, you can read experiences of other consumers about webshops on comparison sites. Or you can use a Google search to check what is said (in reviews) about a webshop on the internet. Also check the overview of the police with known rogue trading parties and the page check seller data. Before making a purchase, always use the following rule of thumb: if something is too good to be true, don't do it.

[1] https://en.m.wikipedia.org/wiki/IDEAL

[2] https://www.ideal.nl/veiligheid

Someone who steals money from thousands of individuals for a living won't hesitate to use a botnet either. Cloudflare isn't a payment provider (*shudders* yet), they can't verify transactions, they can only guess at who's "honest". I'm at the losing end of this guess so often as someone who frequently visits friends and family in the neighbouring country they come from, and someone who doesn't have tracking cookies anymore that were set only a few minutes ago, who uses a "non-standard" browser (Mozilla's Firefox), I don't feel like Cloudflare does a very good job at detecting when I'm trying to honestly use the site. At the same time, doing security testing as my job: the customer having Cloudflare enabled usually doesn't matter for us being able to reach and exploit vulnerable pages, it just decides to block you randomly the same way that it does in private time when I'm not trying to break anything. It doesn't properly do the job and it blocks legitimate people based on a gut feeling, and you have no recourse, you can suck it up. Whatcha gonna do, take Cloudflare to court for blocking your access to your bank? Under what law is that illegal? There is nothing you can do; your bank's customer support isn't going to disable Cloudflare for you.

Anyway, no, this guessing game isn't the solution to stolen bank details, the solution is for the payment provider to authenticate the account holder beyond merely entering a public number, especially if they suddenly see a flood of transactions from this one merchant as you describe. They can decide to ask for a second factor: send the person an SMS/email, ask to generate an authenticator code, whatever it is they've got on file beyond your card/account number. Anything else is just guesswork

On one hand, I'm okay with that. If Cloudflare or some other self-appointed Internet cop blocks me from a site, I just go somewhere else, and I hope the site goes out of business as a result...which happens to businesses everyday for a variety of reasons. But given Cloudflare's sheer size, having so many businesses crank the shields to maximum actually affects using the web, and that's where I draw the line.

that's not Cloudflare, they stopped doing pictures years ago. You can tell because Cloudflare always puths their brand name on their page.

Cloudflare just blocks you without recourse nowdays.

I guess it’s time to update our user agent strings like I did with konquerer 20 years ago.

Looks like there’s a plugin for that https://chromewebstore.google.com/detail/user-agent-switcher...

You don't even need to use a different browser - Firefox has an official "Multi-account containers" extension that lets you assign certain sites to open in their own sandbox so you can have a sandbox for Google, another for Facebook, etc.

Managed challenges actually come from the same "challenges" platform, which includes Turnstile; the only difference being that Turnstile is something that you can embed yourself on a webpage, and managed challenge is Cloudflare serving the same "challenge" on an interstitial web page.

Also, Turnstile is definitely not a simple proof of work check, and performs browser fingerprinting and checks for web APIs. You can easily check this by changing your browser's user-agent at the header level and leave it as-is at the header level; this puts Turnstile into an infinite loop.

Putting a CAPTCHA in front of robots.txt in particular is harmful. If a web crawler fetches robots.txt and receives an HTML response that isn’t a valid robots.txt file, then it will continue to crawl the website when the real robots.txt might’ve forbidden it from doing so.

I agree, but I also somewhat understand. Some people will actually pay more per month for Cloudflare than their own hosting. The Cloudflare Pro plan is $20/month USD. Some sites wouldn't be able to handle the constant requests for robots.txt, just because bots don't necessarily respect cache headers (if they are even configured for robots.txt), and the sheer number of bots that look at robots.txt and will ignore a caching header are too numerous.

If you are writing some kind of malicious crawler that doesn't care about rate-limiting, and wants to scan as many sites as possible for the most vulnerable to get a list together to hack, you will scan robots.txt because that is the file that tells robots NOT to index these pages. I never use a robots.txt for some kind of security through obscurity. I've only ever bothered with robots.txt to make SEO easier when you can control a virtual subdirectory of a site, to block things like repeated content with alternative layouts (to avoid duplicate content issues), or to get a section of a website to drop out of SERPs for discontinued sections of a site.

> without access to mainstream security patches

They do have access to them. The lead developer and project owner has sec bug access in bugzilla.

But vulnerabilities in newer Mozilla have over time become less and less relevant in Pale Moon's codebase, which led to the latter dropping the tracking of how many Mozilla security patches have been applied in the release notes (starting with 33.0.1).

You deploy complex proprietary heuristics to identify whether incoming requests look more like an attack or more like something a user would legitimately send. If you find a new heuristic and try to deploy it, you'll immediately notice if it throws a bunch of false positives for Chrome, but you might not notice so quickly for Pale Moon or other non-mainstream browsers.

(And if I were doing this on my own, rather than trusting Cloudflare to do it, I would almost surely decide that I don't care enough about Pale Moon users to fix an otherwise good rule that's blocking them as a side effect.)

This is rather blunt, but if it is between 98% (CF-protected) versus near-0% (heavily-DDoSed site), then you hopefully you now see the dilemma that other people faced.

For companies that are just built around a marketing funnel to provide enough info to get you to fill out their contact form to sell you something, my guess is that Cloudflare is well worth the cost over increased hosting fees. I know it's not the answer anyone wants to hear, but I don't deal with too many companies selling anything more than around 5 or 6 figures, with products that you don't necessarily need very often.

I would like to know if there are alternatives somewhere close to the same cost, where I don't need to use Cloudflare. I don't enjoy annoying customers, or even dealing with sales and marketing, but I have built lots of software where I get to control the technology, and can get a new website up and running in 3 hours, with a ton of built-in functionality. I've spent about 12 years reducing the amount of memory the Umbraco CMS uses, compared to normal installs, and I love that aspect of my career. If I could get my clients to pay more and not use Cloudflare, I would happily go that route, believe me!