Since this seems to be an on-going problem at this time, this topic aims to provide a summary and “current status” regarding CloudFlare and its promise they “aren’t in the business of claiming any browser is more legitimate than another” handling of their Captcha/turnstile pages.
Start of the issue
On Jan 31st, users reported that, similar to an occurrence in 2022, CloudFlare’s captcha/”i’m under attack” mode had started failing and looping instead of passing and letting browser users through. It soon became clear that this time, any UXP browser wasn’t the only being denied access to the sites being “protected” by CloudFlare. Even Firefox ESR 115 was affected.
The community was quick to respond, opening a CloudFlare community thread explaining the problem (which is the only communications channel available to end users, see below) and reporting the issue.
Assuming Mozilla applied corporate pressure for Firefox ESR, CloudFlare changed its captcha scripting soon after which, in turn, exposed a crash issue in UXP by triggering a situation that was not initially accounted for in JavaScript and would not normally
11 Comments
twisteriffic
Every interaction I've ever had with CloudFlare has left me feeling like I needed a bath. The vertical desperately needs some competition but I don't know how that could happen at this point.
pshc
https://archive.is/xa218
donnachangstein
It's difficult to empathize with all the histrionics here – including the editorialized title.
sabellito
Hope someone from cloudflare chimes in. If even part of this is true I'll make sure to never do business with cloudflare, they sound like a massive liability.
do_not_redeem
Since the title mentions the NDA, I have to say that sending an NDA in this situation does not sound malicious to me, it's just bureaucratic incompetence from the legal department. It's the Cloudflare engineers that are being malicious.
brian-armstrong
This feels like email all over again. In the early days of email, everyone had their own IMAP server, and it was good. Then spam happened. Slowly it got harder and harder to jump through all the hoops needed to ensure your email was delivered to users of gmail and other large email hosts. Even if you were willing to filter all the spam out from your own inbox, it became practically impossible to get delivered to most other users.
I wonder if we will see something similar happen with browsers now. Cloudflare and other proxies will rely on increasing levels of fingerprinting to sift out scrapers and bots. Already it's not uncommon to get false positives on Linux+Firefox. Maybe if our overlords are feeling particularly benevolent, Firefox might make the cut for browsers allowed to access the vast majority of sites behind CF, but anything smaller will be blocked. Effectively this will kill rolling your own browser.
johnklos
Pretty much every story posted to Hacker News related to Cloudflare has some people making excuses for Cloudflare – how they couldn't possibly have the development resources to test, much less "fix" access for less popular browsers, how the supposed good they do outweighs the bad, and therefore the marginalized people should just accept things, et cetera.
It's easy to handwave about how costly / difficult a thing is when you're ignorant, and you're preaching to others who are also ignorant about the subject matter, but people who actually understand programming can read the bug reports, the read about debugging methods and results, about the tests, et cetera, and can deduce when an action really can't be anything but monumental ignorance or, more likely, deliberately chosen. The ignorance of the apologists isn't equal to the actual experience of the people doing the work.
"triggering script hang/out-of-memory issues through what seems to be deliberate behaviour when the script does not pass a collection of Web API checks (since the same behaviour was observed on their "officially supported browsers" as well if the user-agent was spoofed to Pale Moon!)"
I'd love to see how those people try to spin this.
Also, this is a perfect example of how large companies can both try to create the illusion of being open – several high profile Cloudflare people post on this site regularly – yet there's no way to actually communicate with a human who can do more than copy and paste from a script, unless you're a paying customer. No company should get to operate as a gatekeeper for much of the world yet have zero methods of communication unless you pay them.
koakuma-chan
Are they blaming Cloudflare’s code for triggering a situation that they did not account for thereby causing the browser to crash? Sounds like a browser problem.
derf_
One of the things I really appreciated when I worked for Mozilla was their legal department's policy that Mozilla employees not sign over-reaching NDAs [0]. Some of the points they insisted on:
* It has to be limited in scope. It cannot just be "everything we give or tell you is confidential information."
* Confidential information has to be clearly marked or indicated.
* It has to be limited in duration. Not, "You are required to take this information to your grave."
If your project does not have lawyers backing you up, you might not know to ask for these things, or might not think you have the negotiating leverage to get them. But I think they make a real difference to a developer working on an open-source project, and I encourage anyone presented with an NDA to insist on them.
[0] https://wiki.mozilla.org/Legal/Confidential_Information
donnachangstein
> Consequentially, our project is currently losing daily active users, and we're being damaged with our traffic-based income being undermined as a result.
I'd like to know more about this "traffic based income". Does PaleMoon show ads? Or are they saying this somehow affects traffic to their download site?
imcritic
CloudFlare sucks ass, they are the cancer of the modern internet. They block users for no good reasons with their captchas. There's no way to get any feedback. Fuck them. I started to stop visiting the sites that have this idiotic gatekeeping bullshit.
CloudFlare, eat shit and die.