Browser Integrity Check broken

The Browser Integrity Check is currently broken. Trying to load a site behind Cloudflare constantly redirects and does not load the site. This has been confirmed to affect multiple people and multiple sites.

See the forum post here: Cloudflare "Checking your browser" infinite redirect on multiple sites - Pale Moon forum

I tried to report this to someone at Cloudflare but they have gone out of their way to prevent the general public from reporting outages with their services. If someone has contact information for them please respond with it so I can properly report this issue.

Thanks.

I checked the sites discussed in the thread
steamdb.info - no check
dodi-repacks.site - checked and then site loaded no issue
board4all.biz - checked and then site loaded no issue

Thank you for letting us know here, you can also let the site owners know you are encountering issues.


If the site owner contacts Support and shares a ray ID, the Support team can investigate. If they can share their ticket number here I can track to understand the issue better, atm I cannot recreate it.

1 Like

Browser integrity check is completely broken using Waterfox or Pale Moon. Also, disabling this for my test site yields no results right now, or Cloudflare is lagging behind; it's been 3 minutes since I disabled all security for the site and it is still being challenged. Are you having big issues?

Waterfox not passing the check since today: Ray ID: 70637144eaa6abce

This is a Cloudflare issue as it affects multiple sites. Contacting the site owners is not the proper course of action. (Unless, of course, you’re saying the proper course of action is “stop using Cloudflare” in which case I personally couldn’t agree more.) So far this has affected ALL sites that I have encountered that use Cloudflare with the Browser Integrity Check enabled.

What browser did you use when testing? The check is currently broken with browsers that aren’t one of the main 3 (Edge/Google Chrome, Firefox, or Safari).

I just checked the three sites you did, using Pale Moon 29.4.6:
steamdb.info: redirect loop, ray id:70637de8d94f86ea
dodi-repacks.site: redirect loop, ray id: 70637fd4a8402c38
board4all.biz: redirect loop, ray id: 7063814f2b112c88

For what it’s worth I started having this issue on 05/02/2022. A site that I can’t access now due to the broken Browser Integrity Check was accessible on 05/01/2022.

If you see this error, as reported on the thread, (Reason: CORS header 'Access-Control-Allow-Origin' missing), that means features like always use https or automatic https rewrites are enabled and the browser chose not to load the resource based on the missing CORS policy.

1 Like

In that case Cloudflare needs to add the missing CORS policy headers. Do you by chance have an ETA on that fix?

The browser behavior you’re describing sounds to me like properly-secure operation. Any browser that loads insecure resources from a secure page is either broken or misconfigured. Any system that requires such behavior is defective and needs to be fixed. Mixed-content may have been acceptable a decade ago, but it is very much NOT acceptable now.

In any case, I don’t have anything like what you’ve described enabled in the clean testing profile that is getting blocked.

I’m not entirely sure I agree with your stance on this - at a glance, the User-Agent suggests that this browser is using a Firefox build from 2019 but from using it and what I can see on the release notes, there are multiple updates in the past that fake the User-Agent or Firefox version to get around compatibility issues.

This seems very much like an issue with the browser not keeping up-to-date with the way that the internet, and the vast majority of websites, are working nowadays. Intentionally reducing the complexity of the Managed Challenges means making Cloudflare weaker against automated traffic, and that isn’t an objective they should pursue.

The maintainer of the browser should reach out and see what part of the browser is failing the checks that every modern browser is handling just fine. If the vast majority of the web works fine but edge-case browsers that are intentionally not supporting the modern internet & using ancient browser bases don’t, I think it’s clear who the onus is on to fix that issue.

Hmm, I wouldn’t be quite so sure.
It’s not only about Pale Moon. Not even latest Firefox ESR (fork) is passing their “browser check”.
Wonder which three-letter agency they are also working for.

The latest ESR download from Firefox’s website supports these checks just fine and has no issues loading the website.

I haven’t been able to observe any CORS errors when looping on the managed challenges.

I don’t see where @cloonan is indicating that should be the case? CORS and Mixed Content are not one and the same.

And as an off-topic aside, please refrain from making comments like this - the community is a social platform where you’re receiving free support and advice, negative comments make this topic feel like a hostile environment where people won’t want to help you since they’ll probably be the subject of unfriendly replies.

2 Likes

Please provide me the contact details for someone at Cloudflare technical support so I can report this outage in a more appropriate place. It seems this was not the proper place to try to report this outage.

Thank you for your time.

The options depend on your plan - https://support.cloudflare.com/hc/en-us/articles/200172476-Contacting-Cloudflare-Support

However, I suspect that you won’t get the reply that you’re hoping for from them.

Your user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Goanna/4.8 Firefox/68.0 PaleMoon/29.4.6

Firefox ESR 68.0 is more than End of Life and was superseded by ESR 78.0, which is also End of Life - only ESR 91.0 and beyond is actually supported nowadays.

Cloudflare provide the tools to owners of websites - such as https://support.cloudflare.com/hc/en-us/articles/200170086-Understanding-the-Cloudflare-Browser-Integrity-Check - and they won’t overrule a customer’s settings in any scenarios.

One of the main points of the Browser Integrity Check is to prevent User-Agent spoofing, which the browser in question seems to be a big fan of.

Updated several site-specific user-agent overrides for web compatibility.
Updated some site-specific user-agent overrides for web compatibility.
Updated several site-specific user-agent overrides for web compatibility.
Updated the included site-specific user-agent overrides for a number of websites that need them.
Improved reporting of the operating system in site-specific user-agent overrides.
Updated the WhatsApp Web site-specific user-agent override to respond to Google refusing access based on the old string.
Updated the DropBox useragent override to solve login issues.
Updated the useragent for addons.mozilla.org to work around their “Only with Firefox” discrimination preventing users from downloading themes, old versions of extensions, and other files with Pale Moon.

The list could go on but we’d quickly get bored of reading through it - as far as browser integrity check goes, it’s doing its job.

As far as all of these patches to overwrite specific incompatibilities with a User-Agent string, I’d advise the maintainer to fix the issues at hand since these incompatibilities don’t spring out of nowhere - ESR 68.0 is extremely out of date and can’t be expected to work.

It’s up to the site owner if they think losing traffic from old/incompatible browsers is enough to disable Browser Integrity Check - Cloudflare will not make that decision for them.

3 Likes

To be clear, @KianNH seems to imply the browser is misleading as to its version and it is failing a Browser Integrity Check as a result. Is that actually true? If so there doesn’t seem to be a reason to report BIC is working as designed.

3 Likes

As requested I changed the option that sends an (old) Firefox version string in the user agent from the default “Firefox compatibility” mode to “native” mode. I tried to load steamdb.info and still got the redirect loop. Ray ID: 70647064fe3f8134

The user agent from the browser is as follows:
Mozilla/5.0 (X11; Linux x86_64; rv:4.8) Goanna/20220410 PaleMoon/29.4.6

No reference to the old Firefox version and it still doesn’t work. The only reason the developer added that was because many sites make the questionable decision to rely on information in the user agent string to decide just how badly they can violate proper web standards. More sites fail to work properly with the UA set to native mode than with it set to Firefox compatibility.

Again, I ask, please provide me with a way to contact someone in Cloudflare technical support who is willing and able to fix this outage. It’s clear from your constant negative posts you only want to try to blame someone else.

This topic has NOT been solved. Please remove the solved status, and please refrain from marking a post which is very clearly not a solution as a solution.

Thanks.

1 Like

Intentionally, this should not work. As referred to before, spoofed and fake User-Agents can and should be challenged by Browser Integrity Check.

Browser Integrity Check has methods to make sure that your browser is actually what you’re saying it is - and if it decides that you’re lying, you should fully expect to receive a challenge page.

Edit: to clarify, here is an example. It is fully expected that I will be stuck here (and I am) since my User-Agent isn’t truthful.

Be that as it may, the supposedly improper web standards are supported by all mainstream browsers and hence don’t have any issues.

Whilst we might have differing opinions on what should and shouldn’t be a standard, that isn’t a decision that can be made by a single browser. We wouldn’t break the internet for the minority of internet users, would we?

As per Browser Version Market Share Worldwide | Statcounter Global Stats, Samsung Internet 16.2 is vastly more popular yet makes up 1.94% of the collected user agents. This is without going into the specifics of how often this ‘Pale Moon’ browser will be seen on the internet.

A browser that is intentionally deviating from how the rest of the common browsers work cannot expect to receive the same level of support - especially when delving into years and years of patching an EoL base (ESR 68.0) that was created by someone else (Mozilla).

The browser is saying it’s Firefox - and it isn’t - and should expect to be challenged on that.

We should agree to disagree - but there is no arguing that if an edge-case browser is having issues due to their own development philosophy, they should be the ones who get up-to-date with almost 3 years of changes in Firefox.

https://support.cloudflare.com/hc/en-us/articles/200172476-Contacting-Cloudflare-Support is the only way to contact Cloudflare support - if you do not have a zone then you are not a customer of Cloudflare, so there is no obligation of support being available to you.

The site owners whose websites you are having issues with however are a customer of Cloudflare - that’s why it’s recommended you report it to them and they can go through the proper channels.

There is no way for you to get in direct contact with technical support without a paid plan, so please defer that task to the site owners who will be able to do that for you.

1 Like

In “native” mode the user agent is not spoofed or faked. The problem isn’t the challenge, it’s the fact that completing the challenge doesn’t allow access to the website. Also, isn’t it rather asinine to rely on something that, as you’ve made crystal clear, is so very easily faked? It’s sad that I could more easily code a script that could walk through the Browser Integrity Check than get my real web browser to pass the check.

So “less popular” browsers should be actively blocked? If everyone had that mindset we’d only have three browsers right now: Edge, Safari, and Samsung Internet. I’ll pass on the walled garden that would turn in to, thank you very much.

Great. So my options are either use browsers that can’t be set not to hemorrhage private information to the likes of Cloudflare, or get maliciously blocked by Cloudflare. I’ve always believed Cloudflare is the single most toxic thing on the internet today (even including social media and the assorted nastiness on Tor) and this thread really serves to drive my point home.

1 Like

Precisely - it is very easy to fake, so the browser integrity check exists to make sure it isn’t. That is the purpose of the security feature, no?

In that case, if you are not satisfied with the response you’ve got from Cloudflare, advise the Pale Moon maintainer to add this in.

Never said this - Pale Moon is impersonating a 3 year old version of Firefox when it isn’t Firefox. That is the issue and what I am saying is that Pale Moon does not warrant an exclusion or any special workarounds.

Use Chromium? It’s Google Chrome, without the Google, and is fully open-source for you to audit yourself whilst actually keeping up-to-date with the internet standards.

These are the negative comments that are unlikely to get anyone from Cloudflare to go out of their way to help you - when the entire thread can be summarized as you bashing the company and their livelihoods.

The Browser Integrity Check makes sure a browser is who it says it is - Pale Moon reports it is Firefox 68, and Pale Moon is not Firefox. It should be challenged, and is being challenged.

I don’t think we’re going to get anywhere with this discussion and it’s quickly devolving into more negativity so I think it’s best we leave it here. The issues at hand with this browser have been explained and the onus is on the maintainers of that browser to fix the issue.

5 Likes

Since very recently, users of Pale Moon (and several other browsers) have reported that the “Browser integrity check” ends up in a reload loop.
This was already reported here in Browser Integrity Check broken but that topic was unfortunately locked before I (the Pale Moon lead dev) was even made aware of it, let alone could reply to it. The logic there is incorrect as regards user agents, user agent sniffing and how we can (not!) mitigate this on the browser side for many thousands of websites that use Cloudflare and may have activated this check in the Cloudflare dashboard.

I also contacted Cloudflare support about this but was basically sent on my way unless I “display the problem under my own account” or “own domains”, meaning I would not be able to have Cloudflare even acknowledge the issue unless and until I deliberately break access to my own sites to demonstrate the point… what weird demand is that !?..

Pale Moon always identifies with a PaleMoon/{version} in its user-agent string, unless a website specifically breaks due to its own UA sniffing practices and being discriminatory against any browser not exactly identifying itself in a specific way as a mainstream browser/vendor; the Firefox/xx.xx part is there for compatibility reasons only, as without it, many more sites will cause problems by not recognizing the UA and often even just flat-out refusing access from independent browsers or sending broken fallback code (for e.g. ancient Internet Explorer quirks). Pale Moon has 3 modes for its UA, all of which identify with PaleMoon/{version} and vary other parts for various levels of webcompat.

Just because we indicate a lower version of Firefox as compatibility (to try and avoid broken feature detection since our feature set is different and we’re forced to try and find a “lowest common denominator” here) does not mean we base the browser on an old Firefox version and are just a rebuild. Pale Moon uses the UXP platform and Goanna engine, both hard forks (of mozilla-central and Gecko, respectively) from Mozilla for years with individual development, updated security, and enhanced feature sets that are much more modern than what the UA sniffing “dumb check” thinks. There are many articles out there indicating why UA sniffing is a bad idea, including this article on Mozilla’s own site: Browser detection using the user agent - HTTP | MDN

I’ve also long since had a post up on our forum detailing how our UA string is generally built up if not site-specifically overridden. Developers: What do I need to know about Goanna? - Pale Moon forum

It’s obviously not possible for us to make site-specific UA overrides for every website that uses Cloudflare and enables the browser integrity check function. Something as easily spoofed as a UA should also never be used to check integrity, that’s just folly. It’s already bad enough that it’s being used for feature detection instead of, you know, feature detection itself.

Spoofing a user-agent to something that passes your “integrity check” is trivial, also for genuinely bad clients and if you insist on using it as an integrity check then you must at all times keep a full and updated list of all “valid” clients; this is one of the big pitfalls using UA checks and even then won’t do anything against “perfect spoofers” (bad clients presenting a perfect matching UA) – this has been one of the main issues with sniffing the user agent as a practice… for decades already. Please don’t turn back the clock.

Bottom line is: your approach is now breaking use of Cloudflare-backed websites based on an arbitrary UA check for many websites, and it feels like flat out discrimination and trying to enforce a full monoculture on all Cloudflare users.

3 Likes

I have to agree with @awz3oefwdrxnog2 on this matter. BIC needs to support compatibility modes used by numerous browsers and shouldn’t rely entirely on the user agent.

I also request that the MVP stop marking topics as solved when they are not solved, I’ve had this happen many times before too. Please don’t lock this discussion either as I wrote up a big response earlier today and then suddenly I couldn’t post it. Time wasted.

First, can a mod please remove the solved status from this thread? It is very much not solved and the “solution” is anything but that.

I think you overlooked my post where I set it to native mode, which turns off the “impersonating,” and it still didn’t work:

While we’re on the subject of “impersonating another browser” let’s take a look at Chromium, a browser you specifically mentioned. Here’s the user agent it’s sending:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

Oh, look, it’s impersonating Safari. Chromium is not Safari, so it should be blocked for forging a user agent, right? NOPE! It goes right through the check on steamdb.info and even does so with JavaScript disabled! So this is absolute proof that Cloudflare is favoring browsers with a Chrome engine and discriminating against smaller and more privacy-friendly browser projects.

Before you bring up “just use Chromium” again, I don’t use Chromium because there are things I can control in Pale Moon that, by design, can’t be controlled in Chrome/Chromium. Fine-grained script blocking, for example, is prone to failure in Chrome/Chromium whereas Firefox and Pale Moon can do that without issue. Ad blockers are also less effective on Chrome/Chromium than on Firefox/Pale Moon.

I’ll end with this: how can you possibly verify that the user agent string sent by a browser is not forged without omniscience? Does Cloudflare really claim to know the inner workings of EVERY web browser ever developed? The user agent is, as you’ve said, very easily modified. It’s also the first thing a bot developer will forge. Therefore, anyone relying on it for any reason whatsoever is a fool at best and malicious at worst. The only proper thing to do with the user agent is discard it as untrustworthy, not use it as a test to foolishly try to determine if a connection comes from a “legitimate browser.”

1 Like
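The three User-Agent strings quoted in this thread, split into their product tokens and comments, as an added example that is not part of any post and does not reproduce how Cloudflare's check works. The function names and the short `BRANDS` list are assumptions made for illustration; the point is that the header is self-reported text in which a browser can name several brands at once, so it cannot establish on its own what the client is.

```python
import re

# User-Agent strings exactly as quoted in the thread above.
THREAD_UAS = {
    "palemoon_firefox_compat": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) "
                               "Gecko/20100101 Goanna/4.8 Firefox/68.0 PaleMoon/29.4.6",
    "palemoon_native": "Mozilla/5.0 (X11; Linux x86_64; rv:4.8) "
                       "Goanna/20220410 PaleMoon/29.4.6",
    "chromium": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
}

# Assumption: a short illustrative list of browser brand tokens, not a real ruleset.
BRANDS = {"Firefox", "Chrome", "Safari", "PaleMoon"}

# HTTP "token" characters; a product is token ["/" token].
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PRODUCT = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")


def parse_user_agent(ua):
    """Return (products, comments) for a User-Agent header value.

    products is an ordered list of (name, version-or-None);
    comments is a list of parenthesised comments without the outer brackets.
    """
    products, comments = [], []
    i, n = 0, len(ua)
    while i < n:
        ch = ua[i]
        if ch in " \t":
            i += 1
        elif ch == "(":
            depth, j = 1, i + 1
            while j < n and depth:
                if ua[j] == "\\" and j + 1 < n:   # backslash-escaped character
                    j += 2
                    continue
                if ua[j] == "(":                  # comments may nest
                    depth += 1
                elif ua[j] == ")":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError("unterminated comment in User-Agent")
            comments.append(ua[i + 1:j - 1])
            i = j
        else:
            m = _PRODUCT.match(ua, i)
            if not m:
                raise ValueError(f"unexpected character at offset {i}")
            products.append((m.group(1), m.group(2)))
            i = m.end()
    return products, comments


def claimed_brands(ua):
    """Brand tokens from BRANDS that the header names as products."""
    products, _ = parse_user_agent(ua)
    return {name for name, _version in products if name in BRANDS}


def claims_several_brands(ua):
    """True when the header names more than one browser brand."""
    return len(claimed_brands(ua)) > 1
```
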

So, rather than digging deeper into the browser integrity thing per se, wouldn’t it be possible for cases like these (uncommon/older browsers) to just trigger a captcha instead? I wouldn’t mind solving some captchas to be able to get to all my sites in my “non standard” browser that started having this problem recently. I have no desire to switch to a more popular browser if it lacks the power-user features of my preferred browser.

(Meanwhile, I’m an actual human browsing to the site, so not sure how the site owner will benefit from me visiting it less and thus getting fewer ad impressions, and this was clearly a CF change affecting multiple sites, rather than multiple sites coincidentally deciding to change their settings all at once.)

1 Like