Customers not notified of changes in browser support?

Hi, I’m a Cloudflare customer, and per recent threads it appears as though Cloudflare’s browser integrity check no longer allows Fireforks browsers (such as Waterfox Classic, Pale Moon, Basilisk, etc.) to visit sites using the highest level of security protection.

Although I did receive a notice about getting rid of captchas, this notice did not say that support was being dropped for these browsers or that we would need to choose between maximum bot protection and being able to allow legitimate traffic from current browsers that don’t support the exact same feature set as Chromium, FF Quantum, and Safari.

(A common misconception is that Fireforks are outdated browsers, but they do in fact have current releases with both upstream and downstream bug fixes; they simply don’t include all of the features of their competitors, generally focusing on having better extension support and customizability rather than 100% feature parity or the latest JavaScript language features.)

Given that Cloudflare normally notifies us when support for a certain audience is dropped, and usually includes the statistics for the expected effects on traffic, does this mean that this change was unintentional, rather than an explicitly-considered choice? And if so, will it be rolled back? I expect that this change is revenue-affecting for ad impressions on many of the sites using this feature.

Thanks!


As a site owner you can turn off Browser Integrity Check to solve that problem for your own users.

I do agree that as a site owner you should have been notified of possible loss of legitimate traffic and that this feature doesn’t work perfectly.

For apps and sites managed in the organisations I work for, we rarely use BIC or Bot Fight mode. We don’t use too much of the security features from Cloudflare, but rather make use of their massive global presence for Workers and CDN.

You may choose to do the same, that is, disable the security features, browser integrity check, and bot fight mode, and just use WAF or the specific security rules you need, but that will depend on your site and you should consult with an expert first.

From the perspective of an end user there’s nothing they can do but change to another browser; I understand the frustration. Although I personally use a mainstream browser (Microsoft Edge for Mac OS :joy:) I also often run into Cloudflare protected sites that I simply cannot access due to their website’s Cloudflare security settings, which are malfunctioning. It’s impossible to contact every single site owner to ask them to change their security settings, so I just have to keep trying other sites in the search results until I find a site that opens.

I don’t have anything against Cloudflare, I do advocate for them. But I would think some more caution and information to the site owners could benefit both parties so that site owners don’t switch on something that might unknowingly impact their end-users. I also think Cloudflare could do a better job at reporting a fault on the BIC page itself, so that if enough submissions get sent, Cloudflare can audit them to identify legitimate issues.

Are you referring to when you set Cloudflare Security Level = High + enabling BIC https://support.cloudflare.com/hc/en-us/articles/200170056-Understanding-the-Cloudflare-Security-Level ?

| Security Level | Threat Scores | Description |
| --- | --- | --- |
| Off (Enterprise customers only) | N/A | Does not challenge IP addresses |
| Essentially off | greater than 49 | Only challenges IP addresses with the worst reputation |
| Low | greater than 24 | Challenges only the most threatening visitors |
| Medium | greater than 14 | Challenges both moderate threat visitors and the most threatening visitors |
| High | greater than 0 | Challenges all visitors that exhibit threatening behavior within the last 14 days |
| I’m Under Attack! | N/A | Only for use if your website is currently under a DDoS attack |

So when you set it to Medium or below, then Browser Integrity Check enabled still works with these other web browsers?

I think you just need to dial in different settings for your specific usage case. For me, usually I set Cloudflare security level to low or medium and then dial in finer-grained controls via Cloudflare WAF/Firewall/Transform rules to secure my sites. Like the `cf.threat_score` https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#field-cf-threat_score that loosely corresponds with CF Security level in the above table. And soon you’ll have CF WAF ML too https://blog.cloudflare.com/waf-ml/. This allows much better granular control that you can tune for.

Indeed, though Cloudflare Firewall Analytics on Pro and higher plans has a lot of insights you can dig into too.


While I’m sure some users may find the settings info helpful, the actual question I’m asking is what Cloudflare intends to do about the compatibility breakage – will they be officially notifying customers of the change as is normally done for non-backward-compatible changes, will the change be rolled back, or something else altogether.

I only know the issue exists because I ran into it personally while using one of the relevant browsers, then discovered it affected many other sites besides the first one, and finally found discussion here regarding the specifics of the issue. But I have not seen an official response clarifying the decision to break compatibility, or if it was indeed an intentional decision at all.

Since CF is usually pretty good at notifying about such things, the situation suggests to me that the compatibility break was probably unintentional and therefore needs to be addressed through the normal policies and procedures for making backwards incompatible changes, or else rolled back or fixed forward in some fashion.


You’d have to wait for a Cloudflare rep to answer this on the forums, or contact CF support and ask if you have a Pro or higher level plan, as who knows if it’s a bug or if it’s an intended change. I’d imagine if it was a widespread issue, more CF customers would have contacted CF already too and it would have made it a higher priority issue too.

How many of those browser users are impacted percentage-wise on your traffic? I just checked my CF Analytics for the past 30 days, and there are literally 0 users with those browser user agents.
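One way to measure the traffic share asked about above from origin access logs, as an added example that is not part of the original thread. It assumes Combined Log Format lines; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Product tokens these browsers append to their default User-Agent string.
# A visitor who spoofs a Firefox UA (as described in this thread) is not counted.
FORK_TOKENS = {
    "Pale Moon": re.compile(r"\bPaleMoon/[\d.]+"),
    "Waterfox": re.compile(r"\bWaterfox/[\d.]+"),
    "Basilisk": re.compile(r"\bBasilisk/[\d.]+"),
}

# Combined Log Format: referer and User-Agent are the last two quoted fields.
LOG_LINE = re.compile(r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$')

def classify(ua):
    """Return the fork name for a User-Agent string, or None."""
    for name, pattern in FORK_TOKENS.items():
        if pattern.search(ua):
            return name
    return None

def fork_share(lines):
    """Return (per-browser counts, percentage of parsed requests from forks)."""
    counts, total = Counter(), 0
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        total += 1
        name = classify(m.group("ua"))
        if name:
            counts[name] += 1
    pct = 100.0 * sum(counts.values()) / total if total else 0.0
    return counts, pct

# Constructed sample lines (documentation IP range, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Goanna/4.8 Firefox/68.0 PaleMoon/29.4.3"',
    '203.0.113.6 - - [01/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.5"',
    '203.0.113.7 - - [01/Jan/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"',
    '203.0.113.8 - - [01/Jan/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0 Safari/537.36"',
    'truncated line with no quoted fields',
]

if __name__ == "__main__":
    counts, pct = fork_share(SAMPLE)
    print(dict(counts), f"{pct:.1f}% of parsed requests")
```

Requests that were challenged at the edge and never reached the origin will not appear in origin logs, so a baseline taken from before the breakage is the more useful comparison.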

On Waterfox it appears it’s not even an issue with supported features, as simply spoofing the user agent to the latest Firefox makes all the pages load fine. It appears it is literally just blocking based on user agent, rather than what the browser can actually do.


Waterfox isn’t one of the relevant browsers; it’s Waterfox Classic that ends up in a redirect loop, regardless of user agent. But certainly the part where CF doesn’t like Waterfox mainline’s unspoofed user agent is also a problem. The main issue though is that essentially all XUL-based browsers are now not allowed, even versions released literally last month.

Waterfox Classic absolutely works fine if the user agent is switched to Firefox, which is how I am able to access this page and reply to you without being blocked by the redirect loop:

What is the exact user agent string, and what user agent switch plugin are you using?

(Also, I don’t think this page is a suitable way to test, since it doesn’t display the browser integrity check to begin with.)

This page does show the browser integrity check when the user agent switcher is disabled:


This method also works for all the other sites I have been having Cloudflare issues with that I have been at so far.
For user agent string I am using Firefox 89:

The user agent switcher is this random one that I already had installed but had forgotten about until I needed to use it for this Cloudflare issue: User Agent Switcher and Manager :: add0n.com.

How odd. I do not see a browser check for this page regardless of user agent or browser (even using a fresh profile), but on other sites with the issue, I see nothing but the browser check, even with a changed user agent. (Again, even with a fresh profile except for the same UA switcher you’re using.)

I wonder if there’s a regional difference? Or a Linux vs. Windows one.

What other sites have you had issues with? None of the URLs listed in the Pale Moon thread seem to work for me even with a modified user agent.

CF challenges aren’t only using User Agents to trigger, there’s a lot of different criteria.

I’m curious what you folks experience using these browsers to visit my site at https://blog.centminmod.com/. I’d love to dig into the metrics on CF side from such visits.


Nice find @KianNH

I’m a product manager at Cloudflare. Thanks very much for posting this here.
This looks like a bug with our “Managed Challenge” security action that’s causing the loop. This feature attempts to determine browser versus non-browser traffic and block non-browsers. The fact that the challenge is currently not working for Waterfox Classic and Pale Moon is not by intent, and we do not want to be in the business of saying one browser is more legitimate than another.


I’m curious what you folks experience using these browsers to visit my site at https://blog.centminmod.com/. I’d love to dig into the metrics on CF side from such visits.

No problems at all.

I’m a product manager at Cloudflare…

Nice find! This is the sort of info I was hoping to get here.

I’ve marked this as resolved since the issue appears to be fixed now for multiple browsers and sites; adding this comment in case anybody watching this issue isn’t also constantly reloading the affected sites to see if it’s been fixed. :wink:
