Captcha loop


I first posted this in the “Say Hello” topic. Then I read, in “Community Content Moderation Policy”: “No complaints about “Cloudflare blocking site access” to certain browsers or users (talk to site operator)”. So now, I put this question in the meta realm.

So for several days now, my Firefox is prevented from accessing approximately 25% of the internet because, every time I encounter a Cloudflare captcha page, even if I prove that I am not a robot, the browser will redirect to the same captcha page, in a perpetual loop. This appears only in Firefox, not in other browsers. In this present case, I cannot “talk to site operator”, because it concerns 25% of the internet. So, who can I talk to?

I understand the validity of ur service, and being myself a web designer, I might become one of ur clients in the future. But we know that one of the problems of the anti-spam systems is the optimisation of the threshold, and the prevention of false positives. If I am a false positive case, is it not a part of ur responsibility to address my personal problem as being a part of ur problem as a public service?

Then, considering that I might be a non-intentional true positive case, aren’t we in the same “team”? I mean, maybe I am just the ignorant victim of an evil spammer using my computer to spread toxic content, but ignorance is not a crime, and I am a victim, right? So, if ur intention is “to make internet a better place”, shouldn’t u do ur best to help me? Considering by the way that I might be a future client of urs, or actually, a client of one of ur clients. But if I come here, this forum tells me that I cannot even address the existence of my problem, and that I should ask someone else. Can you imagine my frustration?

So I have a suggestion. Your captcha page being the access point to the problem (the point where the problem appears to the user), couldn’t it also be the access point to the solution? Couldn’t you design a useful diagnostic tool on the same page, giving to the user the true description of the causes, and a comprehensive description of the solution(s)?

For instance, I did scan my system with AVG and Malwarebytes, I did clean my browser history and my cookies, and I did install the addon Privacy Pass, but nothing changed. So the generic solutions are not working. I need a more specific solution, and a more specific diagnostic. Am I blacklisted somewhere? If it is so, what can I do? Where should I ask my questions? How can I clean my system? What is the exact nature of the problem? etc…

Sorry for my slightly angry tone, I really tried not to project my frustration on you.
Thanks for ur attention.


Are you using a VPS or Tor network? Are you running Firefox in Privacy mode?

I frequently check my sites using Firefox’s Privacy mode, but don’t get the CAPTCHAs on my site, but it does happen frequently on other sites. Though I don’t end up in a CAPTCHA loop.

It’s interesting to see you added Privacy Pass. So did I, but I’ve yet to use it. Does the Cloudflare CAPTCHA page respond to your Privacy Pass?

EDIT: Here’s a link to Cloudflare’s Privacy Pass page which included an email address you might try for assistance.

1 Like

So first I’d like to address the notion that we’re a public service. We’re not. We service our customers who look to protect and/or enhance their properties by using our services. Our goal is to make the internet faster, safer and more secure for everyone, but I’d argue that is not the same thing.

That doesn’t mean that we want to intentionally torture visitors to a website because a. that’s just not cool and b. our customers probably wouldn’t appreciate it if we did that to their visitors/customers.

As to your concerns there are a couple of reasons that a user could be subjected to captchas. One is due to their country of origin, ASN, IP range or IP address being one that customers choose to challenge. There’s not anything we can do about that as it is the Cloudflare customer’s choice to place an additional bar on your visit. So if you’re browsing from North Korea or from a VM at Digital Ocean I wouldn’t be surprised if the reason you were seeing a captcha was a geographical decision by a Cloudflare customer.

The other reason is one of IP reputation. I understand that you might want insight into why a given IP address is considered disreputable, but the how and why are a complicated answer wrapped in multiple algorithms and sources of data. So it’s not easy for us to cite a specific reason and even if we could I’m not sure we’d want to as it could be used as a vector by unscrupulous parties to try to find weaknesses in our approach.

What we have considered doing (and I was actually having a conversation with someone around this last week regarding the potential rules logic) is allowing a visitor a way to request removal of the IP of the machine they use to connect to a request page from Cloudflare’s IP reputation DB (or a downgrade of badness) for a short time and/or the ability to request the removal of a limited number of other IP addresses.

There are some challenges with this approach (especially with shared IP address/NAT scenarios) but I think we agree that some mechanism for trying to clean an IP’s rep would be a good thing. In general if an IP is no longer acting poorly it will also fall off the naughty list after nn days as well. So it’s something we’re actively discussing internally and the desire is to provide a mechanism for users with IP reputation issues an avenue to try to reset their reputation… but the exact parameters and method are still TBD.

Beyond that however the captcha loop sounds like a separate problem from the reputation of the IP address itself. Have you tried using a different browser/rebooting/other Google captcha loop troubleshooting steps?

1 Like

The OP said it only happens in Firefox.

Regarding my Privacy Pass link, the article doesn’t say how to use it. Does it run completely in background, so after you solve one CAPTCHA, it automatically takes the place of the next thirty CAPTCHAs?

That is how it works, and you should see a count of the number of remaining passes before you will have to re-up.

I have to disable the WAF to login to my site because I have a rule set up to captcha on wp-login.php but in firefox I get a captcha loop.

I’m sure the privacy pass extension works great on desktop.

Problem is I’m primarily on mobile and firefox on android doesn’t support that extension (yet?).

This issue is not tied to a device or IP: firefox on my laptop and firefox on my phone, tested on mobile data, local library, my college, and my work all get a captcha loop only in firefox based browsers. Chromium based ones work fine

Sorry for bumping an old issue but it’s the exact same issue I’m having here in 2020

Have changed the captcha in use since OP and no other reports of same. I’d recommend contacting support with a HAR file and/or Ray IDs to reproduce. You might also take a look at Cloudflare Access to protect a wp-login endpoint vs your current security settings.
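An added example, not part of the original thread and not Cloudflare tooling: a short Python script that reads a HAR export, finds URLs that were challenged repeatedly (the loop described in this thread) and collects the Ray IDs to quote in a support ticket. The sample HAR, the placeholder Ray IDs, the function names and the detection heuristic (a `cf-mitigated: challenge` header, or a 403/503 that carries `cf-ray`) are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def _entry(url, status, ray=None, mitigated=None):
    """Build one constructed HAR entry (sample data only)."""
    headers = [{"name": "Content-Type", "value": "text/html"}]
    if ray:
        headers.append({"name": "CF-RAY", "value": ray})
    if mitigated:
        headers.append({"name": "cf-mitigated", "value": mitigated})
    return {"request": {"method": "GET", "url": url},
            "response": {"status": status, "headers": headers}}

# Constructed sample, not real traffic; the Ray IDs are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://example.com/wp-login.php", 403, "RAYID-PLACEHOLDER-1", "challenge"),
    _entry("https://example.com/style.css", 200, "RAYID-PLACEHOLDER-2"),
    _entry("https://example.com/wp-login.php?retry=1", 403, "RAYID-PLACEHOLDER-3", "challenge"),
    _entry("https://example.com/wp-login.php", 403, "RAYID-PLACEHOLDER-4", "challenge"),
    _entry("https://example.org/", 200),
]}}

def challenge_ray(response):
    """Return the Ray ID if this response looks like a challenge, else None.
    Heuristic (assumption): cf-ray present AND (cf-mitigated: challenge
    OR status 403/503)."""
    h = {x["name"].lower(): x["value"] for x in response.get("headers", [])}
    if "cf-ray" not in h:
        return None  # not served through Cloudflare, or header stripped
    challenged = h.get("cf-mitigated", "").lower() == "challenge"
    if challenged or response.get("status") in (403, 503):
        return h["cf-ray"]
    return None

def find_challenge_loops(har, min_repeats=3):
    """Return {host/path: [ray ids]} for pages challenged >= min_repeats times.
    Query strings are dropped so retries with changing tokens group together."""
    hits = defaultdict(list)
    for e in har["log"]["entries"]:
        ray = challenge_ray(e["response"])
        if ray:
            p = urlsplit(e["request"]["url"])
            hits[f"{p.netloc}{p.path}"].append(ray)
    return {page: rays for page, rays in hits.items() if len(rays) >= min_repeats}

if __name__ == "__main__":
    for page, rays in find_challenge_loops(SAMPLE_HAR).items():
        print(f"{page}: challenged {len(rays)} times; Ray IDs: {', '.join(rays)}")
```

A HAR export also records cookies and request bodies, so review or redact it before attaching it to a ticket.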

Problem with cloudflare access is I don’t login from a static ip (mostly login while on mobile data) and I don’t want locked out.

But as I said multiple machines, no extensions, only similarity is firefox. Everything chromium based works okay

It’s also an additional fee in addition to my Pro plan