Unfortunately, I do not have an answer for that; the account holder who ran into this most recent issue did not share that level of detail with me, and I do not have access to these features to test for myself. I suspect it was Browser Integrity Check based on the conversations that I had with them.
Yes, this is exactly a MITM scenario, but one that is over 20 years in the making, and deeply entrenched. Without going too deeply into the world of academia, there are basically 5 choices available to academic libraries for authenticating users to publisher platforms:
1. Use an identity federation. This is an expensive proposition to join an identity federation, and available support for federated identity is hit-or-miss on the publisher platforms: some support only one specific identity platform, some support a small handful, many support none at all.
2. Use direct SAML authentication outside of an identity federation. This is even less well supported by the publisher platforms than identity federations are, though there is some very early work being done in this area. OIDC has not been an option that is generally supported by an academic publishing platform for external authentication purposes at all. Further, not all institutions have access to SAML IdPs to support this.
3. Use a campus VPN so that students appear to come from the campus IP range. While generally effective and secure, this can be a VERY expensive proposition due to the hardware and connection licensing requirements, as well as the IT user support load that VPNs can require.
4. Use LTI integrations, but those are only now starting to be supported by some publishers, and the LTI protocol has the limitation that all connections must originate from within the LMS environment, so sharing URLs is not available currently if using LTI.
5. Use a rewriting proxy (nay, MITM) solution that sits in the middle of the conversation and presents a single IP address to the publisher platforms. This is the current solution used by literally thousands of libraries around the world to access academic content.
Options 1, 2, and 3 require a certain amount of budget allocation and technical sophistication in order to support, which are not always available, especially at the smaller end of the college spectrum.
Option 4 requires sacrificing certain key features and capabilities due to a lack of protocol support for external entry points.
Option 5 has been the de facto method for over 2 decades now, and as much as I would like to see it go away, sometimes we have to live in the world we are in while working towards the world we would like to be in.
The software vendors have designed their rewriting proxy software such that they can be installed and maintained by users with very little technical training and on very modest hardware, putting that capability within reach of practically any library. Until a few key technology pieces fall into place, and a few “layer 8” issues get resolved, the use of rewriting proxies in general is going to persist in academia for the foreseeable future.
So, returning to the original issue, is Cloudflare willing to work with proxy software publishers and proxy hosting providers to make it less likely that academic publishers using your service will unintentionally block traffic from legitimate users when activating the various defensive features available on your platform? How can this be achieved, and what information does Cloudflare need? Would mitmengine fingerprints be the best starting point, or is there a different place to begin?