> Cloudflare detected the high frequency of requests and denials (but not their faulty loop that caused this pattern of requests, of course), and tagged my browser as suspicious.
I can tell you at least that we don't penalize users for this looping behavior, so this wouldn't cause us to see your browser as suspicious. I hope we can dig into this more and uncover the cause of the problem.
Personally, I'm a big Firefox user, and this isn't behavior I see. If there were a widespread Firefox wide issue, automated alerts would trigger and we'd consider this a critical incident.
You can drop me an email at amartinetti at cloudflare if you're interested in troubleshooting.
1. IP addresses are to be used for packet routing. Certainly not for assigning "behavior scores" to users in the background. IP addresses say nothing about your visitors, my IP address could have been a complete stranger's IP address yesterday.
2. Deciding who can access half the web based on their TLS signature achieves nothing in the long run except reinforce browser monopolies, and goes completely against the spirit of the open web.
I guess now I have to use Chrome for browsing the web from home. Yes, I do run a crawler-like bot as a hobby project, I got what I was asking for. (Funnily enough, it still works if I just emulate Chrome's TLS signature). But I also have friends who have done absolutely nothing of the sort (no technical skills), and still got caught up in this latest ban wave.
Let's be honest here. Your service has likely caused harm to millions of people who, from one day to the next, are suddenly blocked from half the WWW - not just nerds, who can get around that one way or the other, but real users who just got unlucky and are now potentially blocked from accessing websites required for their daily lives (welcome to the 21st century). This is not a one-time problem, it has been going on for years; this time it just came too suddenly for too many people. And this kind of harm is a logical conclusion to the heuristics you use for determining who can view a website.
Never mind that it's ridiculous how a single company from outside my country has the power to decide on whether I can use the web or not. That's kind of on website owners unconditionally giving this power to CF anyway.
Now, allow me to return to purchasing proxies from shady sources for myself, so I can keep using Firefox. Thanks and keep up the good work.
So there is no perfect solution. You can't use strong identity because a user can share their identity with a robot. You have to use a crappy heuristic that only works most of the time (or tell site owners it's an application layer problem and use this SaaS solution to solve the problem).
I mean you admitted that you run a crawler. Cloudflare has detected that you run a crawler and wants you to prove that you're human to access sites on their network. It actually sounds like their product worked.
In any event, there should probably be better regulation around how this blocking is handled so that users aren't being unjustly blocked. If you want to run a crawler, how do you do it ethically so that you aren't targeted and your traffic blocked? If Cloudflare blocks you from accessing one site should that block extend across their whole network? How long should it last? How do you appeal the block if Cloudflare's heuristics falsely block you? If you're in a life and death situation and need immediate access to medical information and Cloudflare unjustly blocks your access and it causes harm, who's at fault? Etc.
You know what else is harmful to the concept of the open internet? The enormous malicious botnets and other endemic problems that require a solution like CloudFlare.
If there's a place to start, it would be with eliminating the infinite challenge loops. Bad enough that IP blocks get outright blocked. Bad enough that I have to decide whether or not that blurred sliver of the edge of the wheel+shadow constitutes being part of the bicycle. Not to mention the humanitarian betrayal of the absolute highest form to farm the free human labor to train AI models when they are simply trying to browse the $#@%ing internet.
Every spec is a three-edged sword: the spec, the intent of the spec, and the use of the spec in the wild.
In practice, Cloudflare does a pretty good job on far-more-than average of gluing together some heuristics in an unspec'd way to filter traffic. It sucks because you can't plan around it, but that's rather the point because the malicious actors are trying to plan around it also.
(ETA: Hacker News rate-limited this post. In theory, I could have set up a sock-puppet to try and work around that, but then they would catch that too and I'd be out two accounts. So I just waited out the limit. Measure and counter-measure. ;) ).
If this was true, Cloudflare wouldn't be a good product used by a lot of sites.
It's probably third in the list of frustrating web behaviors in the past couple of years (behind GDPR popups and registration/paywalls that seem to have gotten much worse recently).
And somehow there are some sites that I get CF delay walls on every time I visit.
This feature is utterly broken for a good web experience; it pushes users away from sites which use it.
Every time that "checking your browser" page comes up for a legitimate user should be considered a failure. Sure, it can maybe happen a few times in a thousand, but the feature is utterly broken if it comes up every time I visit the same site from the same browser not in private mode.
But I'm pretty sure that millions of users aren't using stuff like w3m pager ( https://news.ycombinator.com/item?id=34175754 )
We're all technical here, we are the edge cases. We use exotic software / combos. Let's not get carried away here.
The PM of Cloudflare uses Firefox, I sometimes use Firefox and I don't notice any difference (concerning this use-case at least).
If you want help, perhaps describe the actual use-case that is blocking you to him. He shared his email.
- country
- software ( VPN, ... )
- browser
- OS
- traceid
- ...
Either way, buying shady proxies as you mentioned is already a warning flag.
While using Firefox is not :)
2-3x per day I get some sort of "click here if you're a human" thing from Cloudflare.
Could it have something to do with that ticket extension I'm using (Privacy Pass, looks like it's called)? I don't know if it does anything.
Troubleshooting done. If it's any consolation, I don't think Cloudflare is the only offender. Geolocation is a crappy idea to begin with, if you ask me.
It could be caused by someone else's bad behavior on the VPN but I'd hazard a guess that it's more than that.
No, you don't. Tor Browser is constantly blocked by Cloudflare and the captchas cannot be solved. And you know it.
You can either reply in the comments with the ID (no PII), or email me at amartinetti at cloudflare.com and I'd love to dig into it.
We're building Turnstile because we want to make challenges a better system than CAPTCHA. It sounds like for you it's worse, and we want to fix that.
My experience is that Firefox as a policy is not blocked, but if anything about my setup looks sketchy (I'm on a VPN, I have Javascript disabled, I'm blocking cookies, etc...) being on Firefox seems to make Cloudflare a lot less "tolerant" for lack of a better word.
I don't think Cloudflare has a policy against Firefox, but I do vaguely suspect that certain behaviors that wouldn't trigger blocks for Chrome do trigger blocks for Firefox (particularly if it's hardened). I don't have any hard data to back that up, maybe it's my imagination -- but it is what I personally notice.
But my biggest practical complaint at the moment with Cloudflare is that it intermittently inserts captchas in the JSON responses sent from Roundcube webmail - pretty amazing.
(The webmail server in question is hosted on a uni network that paid for cloudflare between themselves and the internet, so being indirect cloudflare "customers" there's no support channel. Hooray for scale)
This somehow even persisted into the browser's incognito mode, and I had to use an entirely different browser. This wasn't on a small unknown site either.
(It looks like pinned CSPs are a dead standard, but did anyone implement it?)
What causes such loops? Just a challenge over and over.
It must be intentional. Not unlike the endless loop of frustratingly slow-fading reCAPTCHA challenges that don't go anywhere. The user gives up after some time, but doesn't see any explicit error or page blocking their access. I imagine it must be quite effective.
> What about Google Chrome?
> I tried all of the above in Firefox. So I naturally tried to access the same page in Google Chrome to see if I’d still be blocked. Thankfully, I wasn’t.
> But of course I wasn’t because Chrome doesn’t have the same privacy- and security-enhancing designs that Firefox does. Chrome will happily collect as much private information about me and my browsing history and share them with select parties, as needed. It also doesn’t resist fingerprinting or let me modify settings to the same degree that Firefox does because Chrome relies on those fingerprinting technologies to ensure that I am targeted by ads it deems necessary for me to see.
> Being blocked on Firefox and not blocked on Chrome also tells me that Cloudflare is blocking me based on the fingerprint (or lack thereof) of my browser. Everything about my connection is identical between the two requests, aside from the browser being used. It’s the same security certificates, same corporate VPN, same machine, even the same timeframe when I try to access the site.
If you care about anything these days, don't use Chrome.
> Chrome will happily collect as much private information about me and my browsing history and share them with select parties, as needed
What information does Chrome provide in this scenario that Firefox doesn’t? It feels like backward logic: it worked in Chrome therefore it must be because Chrome gave extra info. In reality it could be a whole bunch of things, something as mundane as Firefox being a rarer user agent so subject to more filtering.
It strikes me that all of this is an inexact science. I've run into rate limit messages with sites before now that go away when I switch browsers, no matter what the browser is. I assume it's because, with the limited information given, the DDOS protection software assumes that same IP + different UA = different computer.
I have no clue but I wasn’t persuaded that this specific scenario works with Chrome because it was giving away more information. At a bare minimum at least try a third browser!
My high-level understanding is that they're going to run an ML model over your browsing history (locally on your device) to build a list of "topics" that you care about. Sites you browse can use the Topics API to pull a set of these interests from the browser to show you "relevant" ads. Mozilla has taken a negative position against this standard.
Firefox on Android was still working, though, loathe as I am to put passwords of any significance on my phone. Doesn't directly address your question, which I'd like to know the answer to as well.
I have ublock, privacy badger, decentraleyes, canvas blocker, facebook disconnect, and duckduckgo privacy essentials installed.
I would go through and disable each extension in order to see if it was the cause of the issue, and so far, every single time it has been duckduckgo privacy essentials that is breaking websites for me.
I think I should remove it at this point, but who knows? Maybe it's protecting me from something that I don't see.
“The Chrome User Experience Report (CrUX) provides user experience metrics for how real-world Chrome users experience popular destinations on the web. This data is automatically collected by Chrome from users who have opted in, . . .”
Taken from https://web.dev/crux-and-rum-differences/
Using JS to "verify that this is not a bot" is a way to force users to enable JS and expose themselves to more advertising.
And if we're taking things to task for monopolizing a market and being a threat to the future of the open internet, I'd say Cloudflare is and will always be a bigger threat.
The moment the Cloudflare dictatorship becomes less benevolent, everyone is gonna feel it.
In my eyes they have already done that. ICYMI I highly suggest checking out their response and subsequent blog post around the Kiwifarms incident.
That whole debacle was enough to prove to me they learned nothing and are going to continue down this path. I migrated web services and closed my account with them shortly after that whole thing.
Cloudflare routinely ignores abuse reports for its network and takes no responsibility for the utter garbage being carried across their network. It’s almost comical how they so desperately cling to the claim that they are “just a dumb pipe” on one side of the house and on the other a “serious security vendor” who is “protecting the web” while blocking out users simply for the “crime” of trying to preserve their privacy.
If they wanted to convince me they had the web’s best interest at heart they wouldn’t host half the sites they do. They would actually respond to abuse reports and take abusive websites offline rather than wait for it to hurt their bottom line and reputation before taking action but they don’t.
Or Cloudflare.
Really? That's news to me.
Also, fingerprinting isn't always "bad" -- any business who takes credit cards online, wants to try to exclude people who will commit fraud (because they might have done it before.) Preventing fingerprinting, means you prevent certain anti-fraud, which means that you see higher prices and more friction doing commerce online, which also affects your experience. The connection is just much less direct.
By the same argument you could say it should be fine for a physical store to refuse service to anyone who they get a bad feeling about or don't want to serve. But if you permit that then you're immediately opening the door to racism etc., which we consider socially unacceptable. It should be the same for websites too - I bet all these browser fingerprinting techniques just happen to mean better service for people who can afford the latest iphone.
The price is the highest the market will pay. Increasing that price means fewer customers and lower revenue. Fraud is a cost to the business they must pay out of profits because if they tried to increase prices demand would drop.
How bad is it nowadays? Can't you just enforce 3DS2?
I care about a lot of real world stuff - human rights, wars, the environment, friends etc. I don't care if Chrome knows who I am and tries to show me ads which uBlock then blocks. There are more important things to worry about than privacy geekery.
If you've read history (and maybe you have, or not) privacy is a human right. When privacy goes away, then everything else goes away. Ask anyone over 60 in Germany or Romania (that was not WITH the army or the Police/Security services) and they will tell you how nice life is without privacy.
But hey, sure, 1) privacy doesn't matter, 2) you got nothing to hide, etc etc.
Since Chrome is so common that it's basically guaranteed to have been tested against the site I'm trying to access, I use Chrome.
- https://gitlab.com/users/sign_in
- https://www.zabbix.com/forum/
- https://camelcamelcamel.com/
It's really annoying and Cloudflare is apparently doing nothing to fix it as this has been going on for months if not years. I guess Cloudflare just hates the open web and really wants to enforce Chrome/Chromium/Blink hegemony.
We'll also release a reporting mechanism soon, so in the future you can let us know when you see these issues and we can react to them quickly.
Incidentally, another Cloudflare PM for Pages asked me to do the same thing--I shared my account ID, the request, the problem, timestamps, etc...never heard back ever, request went straight into the void.
- Gitlab; Ray ID: 7f3961b4ec46c443
- Zabbix; Ray ID: 7f39624d982bc32e
- NameMC; Ray ID: 7f3962e68d251871
- Camelcamelcamel; Ray ID: 7f3962eb9cbb421f
I can easily recreate at least the never-ending loop by flipping on uBlock Origin's 3rd-party scripts and 3rd-party frame blocking, which matches their recommended medium settings.
https://steamdb.info/login/ 7f3cc161bf85dbd9
https://www.zabbix.com/forum/ works
https://casetext.com/ works
https://namemc.com/login 7f3cc182b8c20ccf
https://spinroot.com/spin/whatispin.html works
https://camelcamelcamel.com/ 7f3cc171f96d2b9b
ray id 7f3a169d4e630306
I previously had the same problem with ungoogled-chromium as well (regular chromium worked), but I guess it works now after 2-3 loops.
- https://gitlab.com/users/sign_in 7f3e45c3cebfb90f
- https://steamdb.info/login/ 7f3e4a04bf7a0e39
- https://www.zabbix.com/forum/ 7f3e4b681f8f1cc6
7f3e4cab4af40b05
- https://namemc.com/login 7f3e4debdf6cb7f1
- https://spinroot.com/ loads normally, no delay or blocking
- https://camelcamelcamel.com/ loads normally, no delay or blocking
Adammartinetti, I appreciate your interest in doing this, but would love to hear that CF maintains a giant white board in the developer area with the name of every TLS 1.3 web browser known to mankind (the same data on a Group Policy-enforced internal home page would be even better), to reinforce the idea that it takes more than Google to make the world go round.
Personally, I'll add myself to the list of people who think you've created a game you can never win, and thus shouldn't be playing.
casetext 7f39762f693733e4
steam 7f397694995aa3b7
All over Firefox.
- Zabbix: 7f3970eabe8ff196
- SteamDB: 7f396f534b0400d2
- Casetext: (works)
- NameMC: 7f3971a01a22d5a8
- Spinroot: (works)
- Camelcamelcamel: (works)
These bot detection systems tend to use all manner of imprecise statistical heuristics and weird fingerprinting.
Perhaps AegirLeet has a graphics card that a popular web scraper pretends to have. Maybe they're in a suspicious timezone. Maybe they've installed a font usually only found on a different operating system. Maybe I'm never blocked because I have an excellent IP reputation, due to regular visits to approved websites.
We are gonna have to live in a slightly bot-rich society to keep this at bay.
It starts with browser control. And then, ends with needing human verification to ssh into a server that you own. Let’s just build better security.
There is no such thing as a reliable standard for browsers to verify that users are human that does not harm the open web or threaten user autonomy and accessibility. Every single accessibility standard and user choice about extensions and access is abusable by malicious actors, and every security measure to block abuse of automated scraping or access also blocks valid use cases.
Making it a web standard won't change that fact.
Companies like Cloudflare, Google, Meta, etc are the reason anti-trust law exists. Unfortunately, it appears there is no one with any power that is willing to use the laws for their purpose. The internet in 20 years will be nothing like we've seen before. That's not a good thing.
[0] https://community.cloudflare.com/t/statistically-speaking-wh...
legacy.com
Ray ID: 7f3e7bad3afbb731
That's the difference to me.
Website owners specifically choose for cloudflare to protect against this, it's not forced upon them by cloudflare.
Could anybody still create a new search engine nowadays?
No one "forgets" this because it isn't true.
There are all kinds of tools that you can easily deal with bots and the large DDOS your ISP can handle for you if you are willing to pay for it.
[0] https://community.cloudflare.com/t/statistically-speaking-wh...
Only if Cloudflare stops you moving to a competitor.
For people going through life with ADHD such as myself, the impact of all these delays and disruptions throughout the day can be severe. Despite being properly medicated this measure is absolutely debilitating and makes for a dreadful and very taxing online experience.
No one is forcing the website owners to sign up with Cloudflare to enable this service with these aggressive configurations, and yet I understand why they would even just pre-emptively. It's cheap and effective, there's no denying that.
It is Cloudflare Inc. (66.59 USD, +23.57 USD / 54.79% YTD), however, that architected the solution, markets it as a service, and controls it as a core part of their (i.e. everyone's) internet architecture.
As a service provider they could be better at informing their customers of these unintentional side-effects and how they impact otherwise innocent visitors whose mental disorders/impairments cause them to be flagged for, and having to undergo, additional verification steps disproportionately more than others, likely due to some atypical behavioural patterns they show and their often adjusted hardware/software setups producing an unconventional signature.
Some modifications to the system could probably be made on the architectural level too. We can get people in wheelchairs to the top of the empire state building, surely we can also find a solution that allows us to enjoy the benefits of these protective measures without wrecking the web's inclusivity and accessibility this much every time the measures need to be stepped up.
Am I asking for too much, what do you think?
"There must be some way out of here," said the joker to the thief
"There’s too much confusion, I can’t get no relief"
It should significantly reduce the amount of CAPTCHAs you see in a way that's not terrible for privacy.
For Safari, you can enable Private Access Tokens: https://blog.cloudflare.com/how-to-enable-private-access-tok...
Both of these mechanisms are similar to Google's web DRM proposal in that they rely on external issuers to generate tokens, but unlike Google's attempt they don't guarantee that ad blockers are disabled on pages that try to use tokens.
Which is honestly surprising in this area where it feels like privacy, anonymity and human verification are incompatible with each other.
I am trying to minimise my time wasted by websites, which is hard to balance with privacy, one other one is the repetitive consent forms (if you don't retain cookies, it's a never ending process). I think consent forms and human verification are the 2 biggest human time wasters.
Besides, those solutions have far too much in common with blackmail/extortion to my liking. Either you continue to suffer this structural harassment, or hand over all your bits and maybe in specific cases suffer slightly less! :)
Since it's so much easier to hide behind a new unique address, compared to IPv4, that any service such as Cloudflare would need to be extremely aggressive in blocking to meet their internal metrics and customer advertised minimum thresholds.
So much so that it actually costs more to use IPv6 than sticking with IPv4.
I imagine the scenario described by the author would become more and more common as time goes on, as more of the world's internet users become harder to distinguish.
IPv6 doesn't allow you to easily get a new completely random address. You get a subnet allocated by your ISP, and you can use any address within that subnet. Rather than blocking a single IPv6 address, a service like Cloudflare can just block the entire IPv6 subnet prefix and get the same result as blocking an IPv4 address.
If you think IPv6 is mostly pointless, I think you're unaware of the fact that a significant majority of phones already use IPv6 most of the time they're on cellular.
This breaks OpenVPN, which insists on both endpoints being one or the other.
Can you point to where I suggested that? Or did you misread the comment?
Cloudflare needs an algorithm to deduce the IPv6 prefix size controlled by a given entity, but the details of that algorithm are not obvious. You are jumping to the conclusion that they must be doing a bad job because the problem is challenging.
IPv4 abuse detection is also challenging because of (e.g.) the prevalence of CGNAT with multiple users sharing an IP address.
Which problem is harder? Which solution is better? I don't know, without a lot of proprietary data and analysis.
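The two comments above (blocking an IPv6 prefix rather than a single address, and the collateral damage when the prefix is wrong or an IPv4 address sits behind CGNAT) can be made concrete. This is an added example, not code from the thread or from Cloudflare; the observations, user names and the /64 choice are constructed assumptions.

```python
import ipaddress
from collections import Counter

def prefix_key(addr: str, v6_prefix: int = 64, v4_prefix: int = 32) -> str:
    """Collapse an address to the prefix that abuse counting is keyed on.

    Assumption: an end-user IPv6 allocation is at least a /64, so hopping
    between interface identifiers inside it should not reset the counter.
    IPv4 is keyed per address (the CGNAT caveat is shown below).
    """
    ip = ipaddress.ip_address(addr)
    plen = v6_prefix if ip.version == 6 else v4_prefix
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

class PrefixLimiter:
    """Counts requests per prefix; observe() returns True once the prefix
    has exceeded the threshold and should be challenged."""

    def __init__(self, threshold: int, v6_prefix: int = 64, v4_prefix: int = 32):
        self.threshold = threshold
        self.v6_prefix = v6_prefix
        self.v4_prefix = v4_prefix
        self.counts: Counter[str] = Counter()

    def observe(self, addr: str) -> bool:
        key = prefix_key(addr, self.v6_prefix, self.v4_prefix)
        self.counts[key] += 1
        return self.counts[key] > self.threshold

# Constructed observations: (source address, which user it really was).
# "scraper" rotates interface identifiers inside one /64; "alice" is a
# neighbour in the same /48; "bob" and "carol" share one CGNAT IPv4 address.
OBSERVATIONS = [
    ("2001:db8:1:2::1", "scraper"),
    ("2001:db8:1:2:abcd::9", "scraper"),
    ("2001:db8:1:2:ffff:1::", "scraper"),
    ("2001:db8:1:3::1", "alice"),
    ("203.0.113.7", "bob"),
    ("203.0.113.7", "carol"),
]

def affected_users(observations, block_prefix: str) -> set[str]:
    """Who would a block on `block_prefix` actually hit, given what we saw?
    Used to judge whether a prefix length is too wide (or unavoidably shared)."""
    net = ipaddress.ip_network(block_prefix)
    return {user for addr, user in observations if ipaddress.ip_address(addr) in net}

if __name__ == "__main__":
    lim = PrefixLimiter(threshold=2)
    for addr, _ in OBSERVATIONS:
        print(addr, "->", prefix_key(addr), "challenge" if lim.observe(addr) else "ok")
    for block in ("2001:db8:1:2::/64", "2001:db8:1::/48", "203.0.113.7/32"):
        print(block, "would affect", sorted(affected_users(OBSERVATIONS, block)))
```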
These range from pretty simple things that check that the browser is actually a browser rather than a raw HTML parser (e.g. "draw an image on a <canvas>, export it to PNG, hash the PNG, compare to an expected result"); to things that check for low-effort headless-browsing techniques like the one you get by default using Puppeteer in a Lambda/Cloud Function (e.g. "do we have the weirder fonts you'd expect to exist on a consumer OS, but which these default batteries-included container images don't bother to bake in"); to things that work really hard to detect the "scent of humanity" through the browser (e.g. "before the user activated the integrity-check prompt, did we record a sequence of 'extraneous' mouse movements and key events that look like a human making individualized mistakes on their way to completing the form, and don't look like a recorded capture of such similar to other ones we've seen recently.")
If you're getting caught in a verification loop, it's because you're using a browser or device or extension that obscures/disables enough of these heuristics that Cloudflare can't get proof positive that you're a person rather than a bot — and so, under whatever settings the site-owner has it set at, it will just keep trying to get that proof, rather than telling you you've failed and been blocked. (Why? Because telling a bot they've failed tells them that they should stop trying something that's not working and instead — in the words of Star Trek technobabble — "rotate their shield frequency" before trying again.)
In my humble opinion if your bot is stuck in a CloudFlare loop for 10 minutes that's a pretty strong signal that something's not working...
A "try again" just means "you haven't succeeded yet." If that's all you get, you're getting zero bits of new information — so you can't do anything other than to assume it was your timing that looked weird, and keep trying. (And you might be dealing with even more noise, e.g. trying to have the bot calibrate itself toward a very low human-tuned request rate limit, where above-rate-limit responses look no different than integrity-fail "try again" responses.)
Suddenly getting a (maybe permanent) hard-fail, meanwhile, means that you said something the integrity-checker really didn't like.
Presuming you have a lot of IP addresses to send requests from, you can then do many experiments to bisect the difference between a hard-fail and soft-fail, and use that to blacklist values from your UA+metrics library. It's free entropy!
(I yearn for a world where auth challenge failures give proper error messages so I can figure out why my regular, human-used authentication channels aren't working).
Many headless-browser stealth techniques involve rotating between the signatures and reflected metrics of real — but niche and/or ancient — User-Agents. (For some reason, the developers of these stealth systems think that variety beats commonality. Maybe it makes sense if they're specifically trying to overcome Apache mod_security's signature-based UA blocking or something.)
It turns out that when you actually see one of these UAs in your server logs, it's far more (99.99%) likely to be a stealthed bot that picked that UA out of a bag, than it is to be an actual niche/ancient UA.
In the case of the niche UAs, this is a tragedy of the commons.
In the case of the ancient UAs, though, there's no downside to blocking them entirely — because if the traffic is going through Cloudflare at all, then you're already requiring of the client a minimum version of TLS that the real old UAs can't even speak. So the only things actually saying they're that old device — but managing to get through an HTTP request at all — are stealthed bots.
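The last point above, that a client claiming to be an ancient browser cannot have negotiated a TLS version that browser never spoke, is a cheap log-side consistency check. This is an added example, not code from the thread or from Cloudflare; the log format, the sample lines and the table of "newest TLS version this client could speak" are constructed assumptions (XP-era SChannel and Firefox 3.x topping out at TLS 1.0).

```python
import re
from dataclasses import dataclass

# Assumed table: marker found in the User-Agent -> newest TLS version such a
# client could ever negotiate. Extend with care; a wrong entry flags real users.
CLAIMED_MAX_TLS = {
    "MSIE 6.0": (1, 0),
    "MSIE 7.0": (1, 0),
    "Windows NT 5.1": (1, 0),   # Windows XP
    "Firefox/3.": (1, 0),
}

# Constructed log format: <client ip> <negotiated TLS> "<user agent>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<tls>TLSv1(?:\.\d)?) "(?P<ua>[^"]*)"$')

SAMPLE_LOG = [
    '203.0.113.9 TLSv1.3 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.4 TLSv1.3 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"',
    '192.0.2.77 TLSv1.2 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '192.0.2.10 TLSv1 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

def parse_tls(label: str) -> tuple[int, int]:
    """'TLSv1.3' -> (1, 3); bare 'TLSv1' -> (1, 0)."""
    m = re.fullmatch(r"TLSv1(?:\.(\d))?", label)
    if not m:
        raise ValueError(f"unrecognised TLS label: {label}")
    return (1, int(m.group(1) or 0))

def claimed_max_tls(ua: str):
    """Newest TLS version the UA string claims to be capable of, or None
    if no legacy marker is present (modern UAs are simply not judged)."""
    found = [v for marker, v in CLAIMED_MAX_TLS.items() if marker in ua]
    return min(found) if found else None

@dataclass
class Finding:
    ip: str
    ua: str
    negotiated: tuple[int, int]
    claimed_max: tuple[int, int]

def find_impossible_clients(lines) -> list[Finding]:
    """Flag requests whose negotiated TLS version exceeds what the claimed
    browser could speak. A consistent legacy UA is not flagged here; it is
    left to the edge's TLS minimum, as the comment describes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        negotiated = parse_tls(m["tls"])
        claimed = claimed_max_tls(m["ua"])
        if claimed is not None and negotiated > claimed:
            findings.append(Finding(m["ip"], m["ua"], negotiated, claimed))
    return findings

if __name__ == "__main__":
    for f in find_impossible_clients(SAMPLE_LOG):
        print(f"{f.ip}: negotiated TLS {f.negotiated} but UA caps at {f.claimed_max}: {f.ua}")
```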
On some sites. Many sites, especially the big ones, see that it's an unknown browser, and refuse to send content. Probably they think it's a bot. But even if it were, what's wrong with bots, as long as they're well-behaved?
What kind of closed web have we let the megacorps build?
But each person developing a web scraping bot realizes after at most a week that being honest with the User-Agent has a negative impact on how well it works, and changing it to an existing browser's takes literally seconds.
Cloudflare is a huge part of the internet. Often they won't respond and it appears that for whatever reason, their IP range is blocked in Egypt. We probably get 10 support emails per week. I contacted Cloudflare and they simply said there is nothing they can do.
Blocking Cloudflare IP addresses means that half of the internet wouldn't be accessible from Egypt. It's close to blocking port 443 because some people use DNS over HTTPS.
disclaimer: I'm Egyptian living in the US.
I just stopped watching Twitch streams.
This seems more like an "IT department gone mad" problem than a Cloudflare problem. I'm surprised they'd rather switch to Chrome than submit a support ticket.
Having used passkeys for a month+ now via macOS/iOS/1Password betas, I don't understand how they're related or the author's concerns. Couldn't you just replace "passkey" with "password" in all of their questions?
FYI: when using Chrome, an incognito window carries a lot of baggage. For issues like this use a Guest profile, as it doesn't include extensions, caches, storage, etc. Optionally do a Google search first to seed it with cookies.
Especially since Apple has partnered with Cloudflare on PAT.
[0] https://jrhawley.ca/2023/08/07/blocked-by-cloudflare#implica...
https://blog.cloudflare.com/how-to-enable-private-access-tok...
For a while I did notice that when using certain IP blocks, they would show me more captchas when using Firefox than when using Chrome, but I haven't had that problem in a while.
It doesn’t make sense for Cloudflare to request any client certificates.
I think there are real bugs somewhere.
https://developers.cloudflare.com/ssl/client-certificates/en...
https://developers.cloudflare.com/cloudflare-one/identity/de...
This would then require Cloudflare to request a client certificate. This is great for securing websites using corporate identity that is derived from AD certs for example to make sure the device being used has a valid cert on it.
Alongside MDM for example forcing the certificate to have a short lifespan (my $CORP uses 7 days) you can validate that the device has the correct security posture to access the resources.
If for example I let my device not update the version of macOS often enough my cert expires and I can't access internal resources until I update my OS and MDM software checks that and provisions me a new device certificate.
Most contract law lawsuits are settled out of court. The great advantage of suing someone is that you get past the low-level customer support people and talk to someone who's authorized to settle.
[1] https://www.lodhs.com/blog/interference-with-contractual-or-...
I also have maxed out anti-fingerprinting etc. on FF, so it comes with the territory. I have to slowly enable JS on some sites to see if the loop will break, or I just navigate away.
I use all browsers except Chrome, but I only navigate the web with FF.
> Worse yet, I know that Cloudflare knows I have those certificates. Why? Because it asked for them!
Not really. Cloudflare notices your browser has TLS authentication available and asks you for it. That's really annoying, but part of the protocol spec. Your browser won't send this information unless you pick a certificate and hit OK.
Disable your ad blocker and you'll find that many trackers will also ask you to identify yourself this way. It's really annoying, browsers need to design better UX for this type of authentication.
> · MAC address of my machine that I have previously used to access this site
How does it gather your MAC address? Did you disable IPv6 Privacy Extensions? Unless the website is sitting behind the same switch as your computer or you run some kind of native application that sends the MAC address, websites can't read the MAC of your network interface. Enable the MAC randomisation that's present (sometimes even turned on by default!) in every modern OS if you consider the local switch or WiFi network to be a privacy risk.
> Will I be able to create and sync these passkeys myself?
Yes, assuming they follow the standard
> Can only certain types of software use passkeys? If so, who decides what software meets this standard?
I don't really understand the question. Any software supporting passkeys will be able to prompt you for generating or using a passkey.
> Will I only be able to generate passkeys on a device with specific hardware/software requirements like a TPM, DeviceCheck, or Integrity API?
According to the spec, keys can be stored in software no trouble. Websites and apps can ask for securely generated keys, but I don't think those are all that common. Hardware can also be faked relatively easily in most circumstances.
> Can I, at any time, export my passkeys from one service provider and switch to another provider?
Ask your service provider for export options. Most likely, you can't just dump the keys and import them elsewhere (that would defeat the point).
> If a passkey is involved in a suspicious event, will that suspicious mark propagate to any other device that uses that same passkey? Do devices that contain suspicious passkeys also get marked as suspicious? If so, would that impact the ability of that device to access other independent websites?
That depends on the software using the key for authentication. Maybe?
That's interesting.
Case in point, I set a WAF rule that blocked all non-verified bot traffic from several big datacenters (Google Cloud, OVH, DigitalOcean, etc.). That turned out to be a mistake because a lot of corporations were routing their traffic through those ASNs for some reason. Now they're blocked. They could have gotten pissed off at Cloudflare, since the error page looks the same, but it was really me misconfiguring it.
The only fix is to navigate back to the page somehow, either by going to the address bar and pressing Enter (to navigate there again instead of reloading) or by finding some link that points you back to the page.
I wouldn't be surprised if those POSTs end up banning you from some website, since they "know" you shouldn't be POSTing to that page, so clearly you are an evil bot trying to hack them.
I thought privacy was on the rise after the data leaks and irresponsibility of the big tech companies, and the public's involvement in the issue of individual privacy, but it seems like everything is still a step backwards.
I know Cloudflare is not to blame here, but they provide way too easy access to blocking for bad admins.
Unfortunately there are also bad actors on the web (and the definition of bad varies). I understand the reasons to try to centralise the removal of that so-called bad, but obviously a central group deciding on the 'bad' just isn't democratic.
Ironically when chatgpt mentioned their UA on a web page the other day, users were presented with an anti-bot challenge.
In other words, if Cloudflare can't reliably fingerprint your browser, you are treated as a "bot" and denied access to a huge chunk of the web. Well, in that case, I would rather be a bot than a human. Being a human seems to be increasingly annoying nowadays :)
https://blog.cloudflare.com/end-cloudflare-captcha/
Discriminate against all but "major browsers". Why.
https://developers.cloudflare.com/fundamentals/get-started/c...
I have a relatively Google'd Android running LineageOS. It passes SafetyNet on a fresh install, but even that isn't good enough for one of my banking apps (or Netflix): they both also perform a CTS Profile (Compatibility Test Suite) check and block me from using the app if they don't like what they see.
I ultimately had to root the phone to be able to use my bank's app. Rooting allowed me to use a fake CTS Profile, and then, because it was rooted, SafetyNet started failing and I had to install a bypass to work around that.
Now everything works great, except OS updates un-root the phone and then "secure" apps stop working again.
(Oh, and if you mention that you're rooted, the LineageOS folks will refuse to provide any support, even for unrelated issues. Making you choose between friendly help and a usable phone is probably the only thing I don't like about LineageOS and, in my view, the biggest break from its CyanogenMod roots.)
The author did not specify which project he was trying to access so I picked a random one to test from /explore/projects/topics/bioinformatics. No problem accessing it without a web browser. TLS1.3. No SNI.
Will using chromium for such cases work while having Firefox for the rest of sites?
And what’s cloudflare alternative that provides similar services for free including traffic analysis?
And so I've stopped visiting websites that use that system (several per day).
There's no way to report that to Cloudflare so f*ck'em.
This is one of the things that makes it so clear to me that the web is diverging into two, one that is the "clean walled-garden capitalism web" and the continuation of the original web that was open, freely-accessible and built around sharing and knowledge.
It should be replaced with something better. Unfortunately all attempts to do something better get attacked by people who don’t realize that you can’t just get rid of it, or important things will break.
They want people to disable any privacy protections, or push usage of browsers that have no or fewer privacy protections, in order to access the website they are blocking. This has nothing to do with whether a user is an actual threat or bot, but is more a strategy to shape which browsers are used and destroy user privacy.
Cloudflare is also very aware of the numerous and constant complaints about what they are doing, coming from users for years. They are ignored, because they have something else in mind.