1. "Verify you are a human"
2. Check the box or perform some other type of rain dance
3. "Please stand by, while we are checking your browser..."
4. Repeat step 1
I'm on Fedora Linux 37 using Firefox 110.
The workaround is to use Chrome.
After experiencing this dozens of times and getting annoyed at needing to use Chrome, I finally went and deleted all my cookies and cache, which I had been dreading to do.
It did not help.
I don't have a CloudFlare account so I wrote up a detailed post on their community forums. I offered a HAR file and was willing to do diagnostics. It received no responses and it was auto-closed.
It's unacceptable that CloudFlare is breaking the internet while offering no community support.
Edit: I'm in Texas. I'm not using a VPN or Tor, just AT&T Fiber. I don't have ad-blockers. No weird extensions. Nothing special (besides being on Linux).
Edit2: Since this got traction, I opened a new community post: https://community.cloudflare.com/t/infinite-verify-you-are-a-human-loop/503065
To be clear, I'm not against CloudFlare doing DDoS protection, etc., but it can't be breaking the internet while ignoring community posts on it.
Edit3: The CloudFlare team has engaged. Thank you HN!
Even if you were doing any, or all of these things, you are no less a legitimate internet user than anyone else. This whole "rain dance" supplication to show you are worthy of browsing a web site has got to go. Stop visiting sites who treat their users this badly!
We are trying to frame people who are trying to protect their privacy as "suspicious" rather than saying that we want to track them better.
When not in a vehicle and there are no cops around, I do the New Yorker thing: I completely ignore signals and focus on traffic. The prima facie and prime directive is safety over conformance. I will not waste my life at the behest of some Christmas lights.
There's no way to solve this problem without having some sort of tracking system to determine who's a legitimate user.
My preferred solution would be domain validated identities with long lived, global reputation alongside some type of attestation. For example, if I have a GitHub account with 'example.com' as a verified domain, GitHub could attest 'example.com seems to be a real user or organization that behaves well'. It would be similar to the web of trust concept in GPG, but technology is to the point where it could actually be built in a way that makes it usable. Money that you're spending, or the way you interact in well known communities, could have the side effect of bolstering your reputation everywhere.
My most feared solution would be a similar system of attestation, but using Passkey since it would solidify the role of the current big tech companies as the arbiters of everything online. For example:
You look like a bot. How do you want to prove you're human?
Microsoft
Google
Apple
Facebook
Those companies, as Passkey providers, would, for all intents and purposes, be your 'anchor identity' online and they'd be in a good position to attest to you behaving like a normal, non-nefarious participant. I think Apple would be the company that could sell that kind of change to normal users. It could be done in a way that's anonymous because all you really need is an attestation that says 'Apple certifies this user is in good standing'. Apple is very good at selling those kinds of changes as being privacy focused and I think their user base would go for it if it were framed as 'good people' (aka Apple device owners) getting a superior experience that isn't available to the 'bad people' (aka bots, bad actors, and outliers).
If it worked, Google would follow with Android. Anyone else large enough for their opinion of you to count (Microsoft, Facebook, etc.) could probably compete, but it doesn't work for startups or small, less known providers.
In my opinion, as soon as authentication moves to something like domains or digital signatures where 3rd party attestations become simple, we could see a lot of new ideas that focus on reputation and related solutions / services.
The problem is the individual sites aren’t making these highly technical decisions, people are using what seems to them an innocuous security product.
Not visiting a random website places no pressure on CloudFlare to change, since there’s no way to correlate your choice with the decision to use CloudFlare.
Too bad that basically means you can't surf the internet anymore, as a majority of websites use Cloudflare. One of my Firefox installations on Linux is also plagued by this. I can't use Firefox to browse the web.
CloudFlare blocks me from a part of the internet when I use anonymizing tools like Tor. I assumed they just do that to fingerprint and track you. Even the crypto thing to get a dozen or so passes after solving a riddle never worked.
So I have just moved on to websites protected by Akamai, or virtually anything but CloudFlare. It's not just a political decision btw. It's just easier to move on than to try to fight CloudFlare or to become viral on HN to get support.
It shouldn't be up to the user to adapt, but to the website.
This is just whining. I don't necessarily like it either, but you conveniently ignore all the reasons why that rain dance supplication exists in the first place. All ears if you have a better solution for DDoS attacks, malicious bot traffic, etc.
Some related issues:
- https://forum.gitlab.com/t/cant-open-the-signin-page-it-keep...
- https://gitlab.com/librewolf-community/browser/linux/-/issue...
The Cloudflare verification has become a sick or sadistic joke now. It's often just used to annoy people, and no matter if they pass the tests, denies access anyway. If the test is not going to determine access, then don't provide it, and just wholesale be up front on mindlessly or frivolously blocking people and entire IP ranges.
For security, an actor needs to be tested and marked as secure, or else tested again before every interaction.
For privacy, an actor must not be marked, lest observers could correlate several interactions and make conclusions undesirable for the actor.
It does not make the infinite loop produced by Cloudflare any more reasonable though.
I see them using some VPNs and using Tor, but that makes sense, because that's super close to the type of traffic that these filters were designed to block.
I suspect people behind CGNAT and other such technologies may be flagged as bots because one of their peers is tainting their IP address' reputation, or maybe something else is going on on a network level (i.e. the ISP doesn't filter traffic properly and botnets are spoofing source IPs from within the ISPs network?).
This is a thing that is absolutely happening. I got temporarily shadowbanned for spam on Reddit the day I switched to T-Mobile Home Internet, which is CGNAT'd, and I didn't post a single thing.
I'm actually kind of glad more people are becoming aware of this problem, and hope it finally spurs more interest in mechanisms that divorce network identity from IP addresses -- including the work Cloudflare is doing on Privacy Pass!
Maybe it is just per use case. Or they think I'm a bot as I keep looking at sites every couple hours... Which might be actually common with these sites.
When I change the protocol and get the redirect back to https there's another "/" which is added after the domain such that "domain/path" becomes "domain//path". This repeats if I continue to change the protocol and hit the redirect such that "domain//path" will become "domain///path" (I noticed this because there was like 6 of them).
Apologies if this is indeed caused by my browser settings; I've been unable to find the cause if that's the case.
"Cloudflare is not happy with anything that is not Cloudflare"
ftfy :)
I've got a Firefox extension that tells me if a site appears to be using Cloudflare - and I avoid all the ones I can
But I'm stuck with that stupid Cloudflare slowdown screen for the portal to my dr's office
CAPTCHA/reCAPTCHA is the internet version of the infamous "regatta" question on the SAT [1].
[1] https://www.clearchoiceprep.com/sat-act-prep-blog/the-most-i...
It wants to do a bit of cryptography, which means that if scripts/WASM/etc are disabled, you can be out of luck.
(Comment written from memory, I may have details wrong.)
Speaking of bullshit restrictions designed to encourage compliance with surveillance, have imgur links just straight up stopped working for anyone else recently? I'm coming from a datacenter IP. I assume it's just some heavy handed part of the cost cutting push they announced.
There are too many bots out there that are very inconsiderate and do not limit or throttle themselves.
We have one right now that crawls every single webpage (and we have tens of thousands) every couple of days, without any throttle or limit. It's likely somebody's toy scraper, and currently it's doing no harm, but not everyone has the server resources we have.
The point is: if you are dealing with inconsiderate bots, a captcha of some type is pretty nearly a bulletproof way to stop them.
With that said, Cloudflare usually is smart enough to detect unusual patterns, and present a challenge to only those who they believe are bots or up to no good. If every person gets a challenge, then the website operator is either experiencing an active attack, or has accidentally set their security configuration too high.
CloudFlare is merely the symptom of a greater set of problems, which it attempts to mitigate.
If you want to be angry about something, be angry that bruteforce attacks are common, guzzle resources and usually yield zero legal repercussions in most cases.
Even if they did, I'd still avoid imgur since they censor even worse than reddit.
You can thank abusers and spammers for ruining the internet for you, not website operators trying to deal with spam/bots.
I've had my most inconsequential service taken offline with a $5 booter because the user wanted to brag on Discord. You can bet I default to Cloudflare now.
It's not just for the website operator either. All of my users suffer when $5 botnets take down my server too. And it's cheaper and cheaper to do that every year thanks to the internet of shit.
So I'm not sure who this "Tell HN" PSA is for. Are the baddies going to read about your inconvenience and stop being baddies so we don't need to use captchas anymore?
And yes, it's annoying that we live in that world. In 1999 you could probably assume a request was human with a User-Agent regex.
In 2024, your smart toaster could be saturating your AT&T Fiber uplink without you even knowing while you're rage-posting in Cloudflare's forums about HAR files and how you're not a bot.
No, definitely not. I'm completely incapable of logging into several different services that have Cloudflare's protection (including their own website) if I use Chrome on my iPad. If I try on mobile Safari on the same device (which has basically an empty history), it goes through just fine.
Something is broken.
Depressing you got stuck in such a mess.
If you get locked out of your hotel room, do you call Assa Abloy to complain?
Complain to the site that their site doesn't work. They are the ones that install and configure their security software.
Now that CloudFlare has engaged with this problem, I'll give them some time to try to fix it, and if they don't, I'll start complaining to every website that uses this CloudFlare feature.
Website operators can override Cloudflare the same way.
https://developers.cloudflare.com/waf/tools/ip-access-rules/...
An increasing number of shops on the street have locks that silently open if you look like the right kind of person, but lock if you don't look right.
And most people look right, so they don't even realise the lock is there.
But not a single one has the false positive rate that Cloudflare has.
Cloudflare only accepts the very standard users, and locks a lot of others out. And then they offer no convenient way to prove you're a legitimate user to access the website.
And they have to fix it, because they sell their protection to admins who don't want to set it up themselves. They have the knowledge and are tasked to do that.
Fixed that for you. Cloudflare is a dark force of centralization operating under the threat of "but what if my forum with 10 users gets DDoSed?!" or "I'm too busy to set up Let's Encrypt so I let some random third party who leaks secrets all over the open internet terminate TLS on my behalf."
And bonus now we all have to jump through 15 captcha hoops to load some stupid website barely worth visiting anyway. Who gives a flying fuck if bots look at your ugly website anyway?
My general experience is, if you host a popular site, it will be DDOS'd.
If you host a site in a 'competitive' space, you will get DDOS'd.
I've seen it all personally: forums, image upload sites, NFT galleries, and even SaaS health tech. People will spend a couple hundred dollars to make you miserable.
If you don't have protection, they can literally see how you are falling and it only encourages further spend.
I do, it's a buzzword. Cloudflare, you don't have that? You're not cool unless you do.
With young apprentices learning the ropes of SRE/SysAdmin, DDoS protection has been painted as a #101 of the web when realistically you don't need it.
People use CloudFlare to solve a multitude of problems, some of which include automated attacks by bots, which would make the website unavailable in the first place.
If you're going to use a non-mainstream browser then you're going to compromise in some way. If people are going to defend their website against attackers then there's compromise.
CloudFlare isn't the problem, it's a symptom of other problems left unsolved. Is it a compromise? Yup. What's the alternative? Not using it and thus having constant downtime?
Small browsers (like mine) are basically unusable now because of this. They're significantly squeezing everyone into Chrome/Safari. Ours is even Chromium based, so super annoying.
Obviously most small sites are not actively targeted by bots and using reCAPTCHA is a waste of money and people's time. But if you are, reCAPTCHA is a godsend.
It's not so much that "people … are opposed to reCAPTCHA", but that for some they can't make it work.
The other day I stopped the Cloudflare CAPTCHA for a day just to see what would happen, and the next day I saw fake orders with disputes and credit card testing which cost my business thousands.
I don't think this is a major problem for consumers, but for merchants, without CAPTCHA it is even worse.
I think I'll keep the CAPTCHA turned on, not sure if there is an alternative though.
All of this comes from there being no universal way to prove you are a human on the Internet. If somebody were to invent a physical device (think YubiKey) that attested that your activity is human without it being usable to identify/track you, we might have a shot at solving this without CAPTCHAs.
The device would be issued to you as an individual and any signs of it being abused could be reported to deactivate it. I have no idea how such a device would work, but I'm sure it's possible. With machine learning becoming more powerful, this is going to be needed one day.
And before somebody makes the argument of "but that's centralised, big brother, blah blah whatever bullshit", let me remind you that every payment you make goes through either Mastercard or Visa.
Which is good. That's a desirable property. The distinction isn't available without also allowing fingerprinting. Further, the line between bot and user-agent is not perfectly clear. Something like cost-based attestation where humans and bots are treated equally is ideal.
> And before somebody makes the argument of "but that's centralised, big brother, blah blah whatever bullshit", let me remind you that every payment you make goes through either Mastercard or Visa.
That's an even bigger problem!
Is it? That's Cloudflare's whole selling point - keep the bots out. I can understand from a hacker perspective wanting bots to be able to roam the Internet as freely as people but that causes massive headaches for sysadmins, SREs, and DevOps. robots.txt is no good because it's opt-in.
Ladies and gentlemen start your conspiracy theories.
Cloudflare skews towards a monopolistic monoculture. (Fastly and Akamai also exist, but present more friction.)
The issue is that with one transparent proxy and application firewall for a large fraction of web traffic, it has to cover uncountable edge-cases to not leave out nonzero users from a large number of sites. It's unlikely to be malicious intention here, but more likely accidents, oversights, and lack of alternatives.
You could have just tried it in porn mode. Another option is to use a different profile or a portable version.
https://support.mozilla.org/en-US/kb/profile-manager-create-...
https://portableapps.com/apps/internet/firefox_portable (Windows only, I guess)
There are some things around local storage which aren't cleared even if you clear cookies.
I am also in Texas. Also using Mozilla Firefox on Fedora, on Spectrum / Road runner / Charter.
https://support.mozilla.org/en-US/kb/profile-manager-create-...
I personally don't mess with profiles. I download firefox developer binaries and put them in ~/bin folder which uses a different profile by default (no extensions for web dev test).
Not sure what issues people have that they need CF in front. Obligatory in 25 years of running my own servers I never needed ddos protection or w/e it is CF is offering.
All it takes is pissing off the wrong person on the internet; knocking a server offline is surprisingly easy.
https://rasbora.dev/blog/I-ran-the-worlds-largest-ddos-for-h...
It was also discussed previously via https://news.ycombinator.com/item?id=32709329
> "Without CloudFlare's "neutral" security service offerings I couldn't have facilitated millions of DDoS attacks."
For those of you who are blaming website operators;
> "As someone who has previously justified their actions by saying "I am not directly causing harm, the responsibility flows downstream to my end users" I can tell you it is a shaky defense at best. "
The crux of the issue is this:
> "CloudFlare is a fire department that prides itself on putting out fires at any house regardless of the individual that lives there, what they forget to mention is they are actively lighting these fires and making money by putting them out!"
The crooks and the ilk of the internet get a free ride to do their 'shark infestations' everywhere online thanks to CF. However the real humans are the ones harmed here. One person complaining loudly got a ticket addressed. The other 10000 affected won't.
This doesn’t seem like a fair analogy. When I read the quote I expected to dig into the article and find that Cloudflare was somehow intentionally optimizing their network for carrying out DDoS attacks against non-customers in some sort of shady under the table dealings.
In this case the fire department is not lighting fires. They are not committing arson. They are saving all houses including the houses of arsonists.
It doesn’t seem like this kid used Cloudflare to carry out DDoS attacks (burn down houses). It seems like they used Cloudflare to keep their own house from burning down and then went and committed arson on their own.
If it was the latter, I'm sorry to CloudFlare as this was user error.
However, I do think the two meta points still stand:
1. Better diagnostics: perhaps a FAQ page that lists common issues such as an overridden general.useragent.override, etc. (obviously without giving anything away to bad people, but I'm sure certain things such as this can be pointed out)
2. Better responsiveness in the community forum particularly to this category of errors which blocks public internet activity.
The fuck it was. None of user agent, stale cache or cookies should have any bearing on you being allowed to view websites.
I get the reason for these pages. But there needs to be an escape hatch in there somewhere. After N cycles of poor fingerprinting, give me some way of asserting I'm human-ish or even slow me down sufficiently where bots are stifled. I'm happy to pay a tax of some sort as long as there is an escape hatch.
As of now, the page keeps looping. For the sake of curiosity I've let it do its thing for a few hours and it never stops. I'd even take logic games or math problems at this point if captchas are too easy to break. Give me an escape hatch that isn't "use Chrome".
Maybe time for a boycott of sites using cloudflare /s :)
I also wonder how hard this is for people who are blind; I think they would have a very hard time. Seems to me blind people in the US could sue Cloudflare under the Americans with Disabilities Act.
Pull the "/s" off, and you've already got one person (me) on your side :)
> I don't have a CloudFlare account so I wrote up a detailed post on their community forums. I offered a HAR file and was willing to do diagnostics. It received no responses and it was auto-closed.
Cloudflare has some weird thing going on there if you want to report bugs. If you try to open a support request to report the bug it'll be auto-closed stating only paid accounts can submit support tickets. Then it says if you really are sure then post it in the community. Did that, but the post was auto deleted as spam. All I was trying to do was report a bug in their dashboard. Did someone internally game the KPI for open support issues? :)
I used Google because I got a quick result for what I'm looking for. Now that I can't get that, I'm better off using a marginally worse search that doesn't force me to spend 2 minutes passing reCAPTCHAs to use their service.
I'm probably in a minority of people who use fresh incognito windows frequently, disable fingerprinting, and am always behind a VPN though.
If captchas are so important - serious point, perhaps different ones are the way to go?
I apologize in advance if this is more of a setting of difficulty from Cloudflare on Recaptcha, and Hcaptcha potentially being able to be set just as difficult/cost you as much time to get past/etc
That isn't just a reCaptcha thing. HCaptcha will definitely do that as well -- and if anything it's worse, because some of the "identify this AI-generated image" challenges are pretty awful. (At one point, I recall it asking me to "select the ladybugs" with nine images all containing round spotted bugs in slightly different shades of red and orange.)
Sucks if your website is unique.
If you can’t meet A&B they don’t want you traversing their network.
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
In the same way that Google breaks email by blocking any small servers, Cloudflare breaks the internet by blocking people randomly, not supporting Firefox on Linux, etc...
Both are cancers that make the world a worse place.
The incentives are unfortunate; bandwidth is not free but it's cheap enough that individual owners don't really care if their hosts are part of a botnet until their ISP starts complaining or disconnects them. Individuals also don't really have good choices available to them; consumer devices rarely get patched for very long compared to their useful lifetime.
I think the current compromise is better than some alternatives like an Internet Passport or harsh penalties for making mistakes on the Internet or FDA/FCC levels of scrutiny on Internet-connected devices.
Google asked me to verify I'm not a robot, so I did. Then it said I "couldn't be verified" anyway, so I did it again, but it gave me like 20 questions in a row.
It said I once again "couldn't be verified" at the end of it (I clearly didn't fail) and I would need to verify my phone number and email. So ha! Got you there.
...But I did that, I verified both which was clicking links or entering authentication codes from multiple devices and multiple linked accounts. After running out of excuses it just eventually said something like "You cannot log in at this time," despite having completed every security challenge.
I absolutely didn't fail any, and if I had, it would have immediately kicked me out and stated so, which has happened before on other computers in previous years for different accounts. I wasn't on any VPN and didn't have any abnormal operating system or other settings. This was either mainstream, up-to-date Firefox or Chrome or both. It was on my main regular computer in the USA in a popular tech professional city.
I never got the password wrong while it asked me to log in or anything, which it did about 10 times. I got everything and all security questions correct on the first try without any level of failure in regular human time.
Absolutely nothing should be setting off major red flags... If they're not going to approve my login, they shouldn't have me dancing through hoops for hours. I passed every test and verified registered devices associated with my account and verified security emails sent to other accounts that it was indeed me. If I pass every security check, why do they get to still decide no after wasting hours of my time? Why not just reject me straight away?
It's like winning the lottery and jumping through every hoop to verify that I legitimately bought the ticket in a legitimate circumstance with absolutely my money and they keep going through a checklist of loopholes to not pay out. When I don't meet any of the loophole conditions that they're trying to stretch to meet, they just give up and say "No, you didn't win." Actually, that sounds like a recurring real major problem that actually happens in the US now that I think about it.
I literally have implemented custom logic to deal with sites returning the "Server: Cloudflare" header.
- https://www.google.com/search?q=%22is+breaking+the+internet%22
"Tell HN: Cloudflare verification is breaking the internet"
- https://www.google.com/search?q=%22is+breaking+the+internet%22&tbs=cdr%3A1%2Ccd_min%3A2021%2Ccd_max%3A2022&tbm=
"Why Billie Eilish is breaking the internet?"
- https://www.google.com/search?q=%22is+breaking+the+internet%22&tbs=cdr%3A1%2Ccd_min%3A2020%2Ccd_max%3A2021&tbm=
"The coronavirus pandemic is breaking the internet"
- https://www.google.com/search?q=%22is+breaking+the+internet%22&tbs=cdr%3A1%2Ccd_min%3A2019%2Ccd_max%3A2020&tbm=
"This Basic Math Problem Is Breaking the Internet"
...And yet, miraculously, the internet seems to have survived. It has even survived underwater cable cuts, DNS black holes, rogue countries and plain stupid BGP by plainly stupid admins, firewalls (great and less-than-great ones), internal networks with more or less surveillance, more or less hostility towards VPNs, Tor and other anonymizing services.
Cloudflare is large, yet it's not "the Internet". Firefox community is also large, yet there are other browsers and tools to browse "the Internet".
I wish "breaking the internet" would stop being thrown around in such a cavalier manner. </rant>
On Firefox it hasn’t worked for a long time.
This is exactly the problem I face.
Check -> wait -> check -> wait -> check...
https://i.imgur.com/FzCIzep.png
So... it's fixed as in it is still very much broken.
I would be so happy to see this BS finally get traction and fixed properly.
"Your browser is obsolete. Go shoot yourself. Have a nice day."
Using Linux shouldn't be considered a special thing
I wish to stress, it should not be said as "firefox breaks aliexpress". It doesn't. aliexpress is broken.
Look, there's lots of Linux bots, and there's just no efficient way to really tell 'em apart from humans on Linux. That's fine, right? Sort of like when the cops pull over a black dude.