from Hacker News

Tell HN: Cloudflare verification is breaking the internet

by statquontrarian on 4/28/23, 3:38 PM with 334 comments

Across many different pages including science journals, ChatGPT, and many others, CloudFlare verification goes into an infinite loop of:

1. "Verify you are a human"

2. Check the box or perform some other type of rain dance

3. "Please stand by, while we are checking your browser..."

4. Repeat step 1

I'm on Fedora Linux 37 using Firefox 110.

The workaround is to use Chrome.

After experiencing this dozens of times and getting annoyed at needing to use Chrome, I finally went and deleted all my cookies and cache which I had been dreading to do.

It did not help.

I don't have a CloudFlare account so I wrote up a detailed post on their community forums. I offered a HAR file and was willing to do diagnostics. It received no responses and it was auto-closed.

It's unacceptable that CloudFlare is breaking the internet while offering no community support.

Edit: I'm in Texas. I'm not using a VPN or Tor, just AT&T Fiber. I don't have ad-blockers. No weird extensions. Nothing special (besides being on Linux).

Edit2: Since this got traction, I opened a new community post: https://community.cloudflare.com/t/infinite-verify-you-are-a-human-loop/503065

To be clear, I'm not against CloudFlare doing DDoS protection, etc., but it can't be breaking the internet while ignoring community posts on it.

Edit3: The CloudFlare team has engaged. Thank you HN!

  • by imalerba on 4/28/23, 4:26 PM

  • by ryandrake on 4/28/23, 4:12 PM

    > I'm not using a VPN or Tor, just AT&T Fiber. I don't have ad-blockers. No weird extensions. Nothing special (besides being on Linux).

    Even if you were doing any, or all of these things, you are no less a legitimate internet user than anyone else. This whole "rain dance" supplication to show you are worthy of browsing a web site has got to go. Stop visiting sites who treat their users this badly!

  • by pierat on 4/28/23, 7:22 PM

    Even though they will engage on your ticket, the problem is a business level problem they help create and solve at the same time.

    https://rasbora.dev/blog/I-ran-the-worlds-largest-ddos-for-h...

    It was also discussed previously via https://news.ycombinator.com/item?id=32709329

    > "Without CloudFlare's "neutral" security service offerings I couldn't have facilitated millions of DDoS attacks."

    For those of you who are blaming website operators;

    > "As someone who has previously justified their actions by saying "I am not directly causing harm, the responsibility flows downstream to my end users" I can tell you it is a shaky defense at best. "

    The crux of the issue is this:

    > "CloudFlare is a fire department that prides itself on putting out fires at any house regardless of the individual that lives there, what they forget to mention is they are actively lighting these fires and making money by putting them out!"

    The crooks and the ilk of the internet get a free ride to do their 'shark infestations' everywhere online thanks to CF. However the real humans are the ones harmed here. One person complaining loudly got a ticket addressed. The other 10000 affected won't.

  • by parhamn on 4/28/23, 6:30 PM

    I emailed John Graham-Cumming about this on March 15th and was told he was looping in the right people.

    Small browsers (like mine) are basically unusable now because of this. They're significantly squeezing everyone into chrome/safari. Ours is even chromium based, so super annoying.

  • by statquontrarian on 4/28/23, 11:11 PM

    Update: The problem has been resolved. I can no longer reproduce the issue. I'm not sure if there was a fix on CloudFlare's side or if it was because I cleared cookies and cache and restarted my browser after resetting general.useragent.override.

    If it was the latter, I'm sorry to CloudFlare as this was user error.

    However, I do think the two meta points still stand:

    1. Better diagnostics: perhaps a FAQ page that lists common issues such as an overridden general.useragent.override, etc. (obviously without giving anything away to bad people, but I'm sure certain things such as this can be pointed out)

    2. Better responsiveness in the community forum particularly to this category of errors which blocks public internet activity.

  • by butz on 4/28/23, 6:48 PM

    This is even worse for RSS. Website admin enables Cloudflare for DDoS protection, and RSS clients start getting errors, because they cannot prove their humanity. Would be great if some workaround would be built into Cloudflare, as contacting website admin probably won't do any good.
  • by hombre_fatal on 4/28/23, 4:21 PM

    You're kinda railing against locks on doors ("I just want them all to easily open for me!") without realizing why they are there.

    You can thank abusers and spammers for ruining the internet for you, not website operators trying to deal with spam/bots.

    I've had my most inconsequential service taken offline with a $5 booter because the user wanted to brag on Discord. You can bet I default to Cloudflare now.

    It's not just for the website operator either. All of my users suffer when $5 botnets take down my server too. And it's cheaper and cheaper to do that every year thanks to the internet of shit.

    So I'm not sure who this "Tell HN" PSA is for. Are the baddies going to read about your inconvenience and stop being baddies so we don't need to use captchas anymore?

  • by version_five on 4/28/23, 3:45 PM

    I haven't really had bad luck with Cloudflare, but for reCaptcha, I make it a point of contacting orgs that use it and telling them they've lost a sale as a result of their choice. The replies I've gotten are usually along the lines of "we have to use it for security" and I know they don't really care, but all I really see that I can do is complain, and if they get enough complaints hopefully they try something else.
  • by danwee on 4/28/23, 3:52 PM

    Even if the loop is just one iteration, it's already breaking the internet. I cannot stand web sites that show the CloudFlare verification page before you can access. It's just ridiculous.
  • by parhamn on 4/28/23, 8:23 PM

    Adding another comment in general response to folks saying "spam/bots sucks, internet is broken"

    I get the reason for these pages. But there needs to be an escape hatch in there somewhere. After N cycles of poor fingerprinting, give me some way of asserting I'm human-ish or even slow me down sufficiently where bots are stifled. I'm happy to pay a tax of some sort as long as there is an escape hatch.

    As of now, the page keeps looping. For the sake of curiosity I've let it do its thing for a few hours and it never stops. I'd even take logic games or a math problem at this point if captchas are too easy to break. Give me an escape hatch that isn't "use chrome".

  • by clowd on 4/28/23, 5:23 PM

    Yes, this is annoying as hell. It's gotten to the point where I just close out of a site when I see that interstitial come up.
  • by jmclnx on 4/28/23, 4:12 PM

    No kidding, these days if I get prompted by cloudflare, I bail. I also noticed if using a VPN, cloudflare will block your access in some cases.

    Maybe time for a boycott of sites using cloudflare /s :)

    I also wonder how hard this is for people who are blind, I think they would have a very hard time. Seems to me blind people in the US could sue cloudflare using the American Disability Act.

  • by sersi on 4/28/23, 7:36 PM

    Cloudflare's verification and blocking means that I regularly have to use a VPN to access sites because having an HK ip address is reason enough to get those verifications or be outright blocked.

    In the same way that Google breaks email by blocking any small servers, Cloudflare breaks internet by blocking people randomly, not supporting firefox on linux, etc...

    Both are cancers that make the world a worse place.

  • by eis on 4/28/23, 8:19 PM

    > I don't have a CloudFlare account so I wrote up a detailed post on their community forums. I offered a HAR file and was willing to do diagnostics. It received no responses and it was auto-closed.
    
    Cloudflare has some weird thing going on there if you want to report bugs. If you try to open a support request to report the bug it'll be auto-closed stating only paid accounts can submit support tickets. Then it says if you really are sure then post it in the community. Did that but the post was auto deleted as spam. All I was trying to do was report a bug in their dashboard. Did someone internally game the KPI for open support issues? :)
  • by kypro on 4/28/23, 11:25 PM

    I'm not kidding, I've basically stopped using Google Search at this point because I refuse to disable my VPN or log in, and under these conditions I've been unable to do a Google search without passing several purposefully slowed recaptchas.

    I used Google because I got a quick result for what I'm looking for. Now I can't get that I'm better off using a marginally worse search that doesn't force me to spend 2 minutes passing recaptchas to use their service.

    I'm probably in a minority of people who use fresh incognito windows frequently, disable fingerprinting, and are always behind a VPN though.

  • by jgrahamc on 4/28/23, 4:36 PM

    You can email me (jgc@cloudflare.com) the HAR file and I'll get people to look at it.
  • by orthecreedence on 4/28/23, 8:47 PM

    > Tell HN: Cloudflare is breaking the internet

    Fixed that for you. Cloudflare is a dark force of centralization operating under the threat of "but what if my forum with 10 users gets DDoSed?!" or "I'm too busy to set up Let's Encrypt so I let some random third party who leaks secrets all over the open internet terminate TLS on my behalf."

    And bonus now we all have to jump through 15 captcha hoops to load some stupid website barely worth visiting anyway. Who gives a flying fuck if bots look at your ugly website anyway?

  • by benlivengood on 4/28/23, 10:10 PM

    Put blame where blame is due. Poor security practices in operating systems of Internet-connected devices are breaking the Internet. Bandwidth is not cheap and only botnets can afford to DDoS major Internet sites. Cloudflare is the mitigation to terrible security practices in software development and system administration that allows botnets to persist. Cloudflare is simply the Schelling point people have arrived at to minimize harm until we have better-secured peers on the Internet (if ever).

    The incentives are unfortunate; bandwidth is not free but it's cheap enough that individual owners don't really care if their hosts are part of a botnet until their ISP starts complaining or disconnects them. Individuals also don't really have good choices available to them; consumer devices rarely get patched for very long compared to their useful lifetime.

    I think the current compromise is better than some alternatives like an Internet Passport or harsh penalties for making mistakes on the Internet or FDA/FCC levels of scrutiny on Internet-connected devices.

  • by warrenm on 4/28/23, 3:40 PM

    CloudFlare's been "breaking the internet" for years
  • by colesantiago on 4/28/23, 4:24 PM

    My service uses Cloudflare and we get hundreds of millions of bots trying to abuse our service.

    The other day I stopped the Cloudflare CAPTCHA for a day just to see what would happen and the next day I saw fake orders with disputes and credit card testing which cost my business thousands.

    I don't think this is a major problem for consumers, but for merchants, without CAPTCHA it is even worse for merchants.

    I think I'll keep the CAPTCHA turned on, not sure if there is an alternative though.

  • by bmilleare on 4/28/23, 4:36 PM

    I also hit the CloudFlare verification merry-go-round several times per day using Ubuntu / Chrome.
  • by bgro on 4/29/23, 3:45 AM

    Reminds me of when I logged into a gmail account I forgot about for like 13 years.

    Google asked me to verify I'm not a robot, so I did. Then it said I "couldn't be verified" anyway so I did it again, but it gave me like 20 questions in a row.

    It said I once again "couldn't be verified" at the end of it (I clearly didn't fail) and I would need to verify my phone number and email. So ha! Got you there.

    ...But I did that, I verified both which was clicking links or entering authentication codes from multiple devices and multiple linked accounts. After running out of excuses it just eventually said something like "You cannot log in at this time," despite having completed every security challenge.

    I absolutely didn't fail any, and if I had, it would have immediately kicked me out and stated so which has happened before on other computers in previous years for different accounts. I wasn't on any VPN and didn't have any abnormal operating system or other settings. This was either mainstream, up to date Firefox or Chrome or both. It was on my main regular computer in the USA in a popular tech professional city.

    I never got the password wrong while it asked me to log in or anything, which it did about 10 times. I got everything and all security questions correct on the first try without any level of failure in regular human time.

    Absolutely nothing should be setting off major red flags... If they're not going to approve my login, they shouldn't have me dancing through hoops for hours. I passed every test and verified registered devices associated with my account and verified security emails sent to other accounts that it was indeed me. If I pass every security check, why do they get to still decide no after wasting hours of my time? Why not just reject me straight away?

    It's like winning the lottery and jumping through every hoop to verify that I legitimately bought the ticket in a legitimate circumstance with absolutely my money and they keep going through a checklist of loopholes to not pay out. When I don't meet any of the loophole conditions that they're trying to stretch to meet, they just give up and say "No, you didn't win." Actually, that sounds like a recurring real major problem that actually happens in the US now that I think about it.

  • by lordofgibbons on 4/28/23, 10:39 PM

    There are entire websites that simply will not work for me on Linux+Firefox because of Cloudflare. Never before have I wished for a company to go out of business, until now.
  • by karaterobot on 4/28/23, 8:14 PM

    I assumed it was due to me being on a VPN and/or having privacy.resistFingerprinting turned on in Firefox, but I encounter this several times a day. Agreed that it sucks. I know Cloudflare is probably damned if they do, and damned if they don't, because they're warring with bots, and some of us are collateral damage. It's that privacy vs. convenience tradeoff our bearded cyber prophets warned us about in the 90s.
  • by sph on 4/28/23, 9:41 PM

    I'm working on a crawler and CloudFlare is the cause of 99% of all the headaches and random bugs I encounter doing simple HTTP requests.

    I literally have implemented custom logic to deal with sites returning the "Server: Cloudflare" header.

  • by rhtgrg on 4/29/23, 4:22 AM

    I had the exact same issue for months, and I just checked and it is gone (on Firefox), which has to have happened in the last day, without me having changed a single thing on my end. I'm certain it's because you made some noise, so thank you. It was absolutely ridiculous how many websites Cloudflare was able to render unusable in Firefox. Truly a terrifying power for a company to wield.
  • by neop1x on 4/29/23, 9:25 AM

    CloudFlare is as evil as Google if not more and people don't seem to realize that. Solving their captcha doesn't help; it requires solving about 15 captchas before granting access. I gave up and I always use Chrome when that happens. It wastes a lot of time, it slows humanity - not only by solving those captchas but also by this slow "checking your browser is secure" javascript, it adds up on a massive scale. As more services adopt CloudFlare, users are hostage. And they no longer decide which browser to use. At the same time all traffic goes through CF which acts like a massive surveillance hub. Very depressing. It started as a DDOS protection (which could help some people) but ended up with all this WAF js "browser security" crap. I wish CF never existed.
  • by c7DJTLrn on 4/28/23, 11:02 PM

    Cloudflare are just selling a tool to solve a problem in the best way they can conjure.

    All of this comes from there being no universal way to prove you are a human on the Internet. If somebody were to invent a physical device (think YubiKey) that attested that your activity is human without it being usable to identify/track you, we might have a shot at solving this without CAPTCHAs.

    The device would be issued to you as an individual and any signs of it being abused could be reported to deactivate it. I have no idea how such a device would work, but I'm sure it's possible. With machine learning becoming more powerful, this is going to be needed one day.

    And before somebody makes the argument of "but that's centralised, big brother, blah blah whatever bullshit", let me remind you that every payment you make goes through either Mastercard or Visa.

  • by harry8 on 4/28/23, 9:27 PM

    Let's all note just how much market share cloudflare got before throwing this switch. While they took over a huge part of the web this sort of thing never happened. Now it seems very much harder to even attempt to browse with slightly more anonymity.

    Ladies and gentlemen start your conspiracy theories.

  • by justsomehnguy on 4/28/23, 4:17 PM

    > I finally went and deleted all my cookies and cache which I had been dreading to do.

    You could have just tried it in the porn mode. Another option is to use a different profile or a portable version.

    https://support.mozilla.org/en-US/kb/profile-manager-create-...

    https://portableapps.com/apps/internet/firefox_portable (Windows only, I guess)

  • by LWIRVoltage on 4/28/23, 4:28 PM

    I noticed, when you browse with Linux or a VPN and sites go crazy- that HCaptcha seems far friendlier than Recaptcha in that I never get stuck in a loop like Recaptcha does where it glitches out, or bugs out and makes it so you'll spend 5+ minutes going through 5 or 6 rounds of matching images because it oddly fails.

    If captchas are so important - serious point, perhaps different ones are the way to go?

    I apologize in advance if this is more of a setting of difficulty from Cloudflare on Recaptcha, and Hcaptcha potentially being able to be set just as difficult/cost you as much time to get past/etc

  • by pooper on 4/28/23, 4:25 PM

    Just for debugging, can you please create a fresh Firefox profile and try again?

    I am also in Texas. Also using Mozilla Firefox on Fedora, on Spectrum / Road runner / Charter.

    https://support.mozilla.org/en-US/kb/profile-manager-create-...

    I personally don't mess with profiles. I download firefox developer binaries and put them in ~/bin folder which uses a different profile by default (no extensions for web dev test).

  • by iFire on 4/28/23, 4:14 PM

    I am going to presume that CloudFlare wants an id on the person or it rejects the request. Even through vpns.
  • by bironran on 4/28/23, 10:35 PM

      - https://www.google.com/search?q=%22is+breaking+the+internet%22
      " Tell HN: Cloudflare verification is breaking the internet "
      - https://www.google.com/search?q=%22is+breaking+the+internet%22&tbs=cdr%3A1%2Ccd_min%3A2021%2Ccd_max%3A2022&tbm=
      " Why Billie Eilish is breaking the internet ? "
      - https://www.google.com/search?q=%22is+breaking+the+internet%22&tbs=cdr%3A1%2Ccd_min%3A2020%2Ccd_max%3A2021&tbm=
      " The coronavirus pandemic is breaking the internet "
      - https://www.google.com/search?q=%22is+breaking+the+internet%22&tbs=cdr%3A1%2Ccd_min%3A2019%2Ccd_max%3A2020&tbm=
      " This Basic Math Problem Is Breaking the Internet "
    
    ...

    And yet, miraculously, the internet seems to have survived. It has even survived underwater cable cuts, DNS black holes, rogue countries and plain stupid BGP by plainly stupid admins, firewalls - great and less-than-great ones, internal networks with more or less surveillance, more or less hostility towards VPNs, TOR and other anonymizing services.

    Cloudflare is large, yet it's not "the Internet". Firefox community is also large, yet there are other browsers and tools to browse "the Internet".

    I wish "breaking the internet" would stop being thrown around in such a cavalier manner. </rant>

  • by nicce on 4/28/23, 4:13 PM

    It does and we can’t do much but avoid using it for our services.

    On Firefox it hasn’t worked for a long time.

  • by causality0 on 4/28/23, 6:25 PM

    I have become quite tired of disabling my VPN extension every time I visit a Cloudflare site. If I don't it just reloads the verification page over and over.
  • by casenmgreen on 4/28/23, 7:17 PM

    It's not just me then - I thought it was because I was using Tor.

    This is exactly the problem I face.

    Check -> wait -> check -> wait -> check...

  • by archon810 on 5/5/23, 8:56 PM

    Now when testing with an older browser, I'm straight up getting a message: "Your browser is out of date! Update your browser to view this website correctly."

    https://i.imgur.com/FzCIzep.png

    So... it's fixed as in it is still very much broken.

  • by archon810 on 4/29/23, 5:44 PM

    I've been getting angry emails about this from our visitors for years. As an enterprise Cloudflare customer, I tried engaging support, but they refused to fix the issue saying it's working as intended.

    I would be so happy to see this BS finally get traction and fixed properly.

  • by foobarian on 4/28/23, 4:28 PM

    To be fair, this is not breaking the "internet," it is just breaking access to a subset of popular "websites" which are free to choose this. The Internet itself is much more than this in quality, if not quantity.
  • by gobengo on 4/29/23, 3:54 AM

    I want the internet to be free/open to all as much as anyone. But specific websites aren’t the internet work itself. You aren’t entitled to them. Many websites, most startup websites, are maintained by individuals or small businesses which aren’t inherently profitable. They can’t afford to deal with spambots, ad click through fraud, etc. It’s reasonable for them to deny-by-default and only spend time (money) dealing with user-agents that can pass this proof-of-personhood test (until there are better zip proof of personhoods, a huge opportunity atm).
  • by berkle4455 on 4/28/23, 6:49 PM

    Cloudflare gets paid when they can deliver session traffic to their clients that A) uniquely identifies users and B) has all the traffic decrypted.

    If you can’t meet A&B they don’t want you traversing their network.

  • by kylehotchkiss on 4/28/23, 6:31 PM

    I use Safari with 1Blocker, while on private relay. I see surprisingly almost no Cloudflare verifications at all. I can't tell if it's their private access tokens implementation going live yet or just higher levels of trust for traffic for Private Relay since it requires a paid iCloud+ account

    https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

  • by tinglymintyfrsh on 4/28/23, 10:10 PM

    Fastly's CAPTCHAs refuse to accept from my work's network.
  • by spxd on 4/28/23, 8:30 PM

    I'm using only FF on Ubuntu and Win10. Sometimes I receive the Verify window (2x per week) mostly on Win10. I'm from Europe. This started less than a month ago.
  • by csomar on 4/29/23, 4:50 AM

    It's okay. These days I close every website that has a cookies banner, a CAPTCHA or a popup. Do the same and let the market take care of the rest.
  • by mikequinlan on 4/28/23, 7:20 PM

    If you can't pass the captcha test, you need to ask yourself: Are you really a human being, or have you just been programed to believe that you are?
  • by lta on 4/28/23, 10:42 PM

    These very annoying behaviors with Firefox/Linux are the reason why I'm trying to avoid having my customers using cloudflare at all.
  • by hatsune on 5/6/23, 3:20 AM

    Yep, using Librewolf with letterboxing to resist fingerprinting, I have encountered basically all types of captcha at all sites.
  • by smcleod on 4/28/23, 4:15 PM

    I find it less annoying than having to fill out captchas - but yes - it's annoying and it makes me not want to visit the website.
  • by johanvts on 4/28/23, 4:13 PM

    I can’t use phind on one of my machines thanks to this. It’s just stuck trying to load the checkbox. Windows machine.
  • by lakomen on 4/29/23, 12:54 AM

    Let me say that any website that wants to verify my humanity is an auto backbutton press.

    Not sure what issues people have that they need CF in front. Obligatory in 25 years of running my own servers I never needed ddos protection or w/e it is CF is offering.

  • by IYasha on 4/28/23, 6:31 PM

    It's been breaking my life.

    "Your browser is obsolete. Go shoot yourself. Have a nice day."

  • by bjourne on 5/1/23, 4:57 PM

    I've noticed it too. Pretty fucking annoying bug that breaks half the internet. Very bad that so many sites are dependent on the same service provider.
  • by lwansbrough on 4/28/23, 7:21 PM

    I really hope Privacy Pass Device Attestation can solve this once and for all.
  • by hn_version_0023 on 4/29/23, 12:47 AM

    Pathetic that this is what it takes for a company to do the right thing.
  • by andersa on 4/28/23, 10:27 PM

    There is no other viable solution for hosts. Once we can finally have properly authenticated traffic that verifiably comes from a human all this nonsense with captchas can end.
  • by hammyhavoc on 4/28/23, 4:17 PM

    Use Privacy Pass then if you don't want to use Chrome. https://privacypass.github.io/
  • by datadeft on 4/28/23, 10:02 PM

    I'm seriously interested: what would happen if Firefox did allow fingerprinting using random() and it would generate a new fingerprint for each tab. Would it violate anything?
  • by poopsmithe on 4/28/23, 11:35 PM

    I'm starting to believe that CAPTCHAs are anti-human.
  • by traveler01 on 4/28/23, 4:37 PM

    Must be some of the filters Firefox has in place. Same already happened to me with Brave. Solution might be disabling those Firefox filters...
  • by iorrus on 4/28/23, 7:17 PM

    I’m having the same issue using chatgpt with brave
  • by nathants on 4/28/23, 7:13 PM

    waiting for someone to solve trust/reputation on the internet like colbert eating popcorn.
  • by rmbyrro on 4/28/23, 11:09 PM

    > Nothing special (besides being on Linux).

    Using Linux shouldn't be considered a special thing

  • by Brian_K_White on 4/28/23, 11:48 PM

    aliexpress is also broken under firefox anti-fingerprinting, except amusingly, in a private window, aliexpress works again.

    I wish to stress, it should not be said as "firefox breaks aliexpress". It doesn't. aliexpress is broken.

  • by modzu on 4/28/23, 10:34 PM

    you're using linux.. you baddie

    look there's lots of linux bots. and there's just no efficient way to really tell em apart from humans on linux. that's fine right? sort of like when the cops pull over a black dude

  • by timwaagh on 4/28/23, 7:54 PM

    I have the same issue on Chrome on my corporate laptop.
  • by tinglymintyfrsh on 4/28/23, 10:15 PM

    Offtopic: Quit the rain dances and batten down the hatches for tonight's weather rolling through. Some mighty dark clouds are rolling through these parts as of writing.
  • by human_error on 4/29/23, 1:31 AM

    Not surprising. Cloudflare is cancer.
  • by dfsl on 4/28/23, 6:32 PM

    Hello, We burnt our hands with Cloudflare! This is our experience with Cloudflare in detail: https://freesoftware.life/how-using-cloudflare-free-plan-des...
  • by kube-system on 4/28/23, 4:26 PM

    Why is this Cloudflare's problem to fix?

    If you get locked out of your hotel room, do you call Assa Abloy to complain?

    Complain to the site that their site doesn't work. They are the ones that install and configure their security software.