Hi, I’m a Cloudflare customer, and per recent threads it appears as though Cloudflare’s browser integrity check no longer allows Firefox-fork browsers (such as Waterfox Classic, Pale Moon, Basilisk, etc.) to visit sites using the highest level of security protection.
Although I did receive a notice about getting rid of captchas, this notice did not say that support was being dropped for these browsers or that we would need to choose between maximum bot protection and being able to allow legitimate traffic from current browsers that don’t support the exact same feature set as Chromium, FF Quantum, and Safari.
Given that Cloudflare normally notifies us when support for a certain audience is dropped, and usually includes the statistics for the expected effects on traffic, does this mean that this change was unintentional, rather than an explicitly-considered choice? And if so, will it be rolled back? I expect that this change is revenue-affecting for ad impressions on many of the sites using this feature.
I do agree that as a site owner you should have been notified of possible loss of legitimate traffic and that this feature doesn’t work perfectly.
For apps and sites managed in the organisations I work for, we rarely use BIC or Bot Fight Mode. We don’t use many of the security features from Cloudflare, but rather make use of their massive global presence for Workers and CDN.
You may choose to do the same, i.e. disable the security features, browser integrity check, and Bot Fight Mode, and just use the WAF or the specific security rules you need, but that will depend on your site and you should consult with an expert first.
From the perspective of an end user there’s nothing they can do but change to another browser, so I understand the frustration. Although I personally use a mainstream browser (Microsoft Edge for macOS), I also often run into Cloudflare-protected sites that I simply cannot access due to the website’s malfunctioning Cloudflare security settings. It’s impossible to contact every single site owner to ask them to change their security settings, so I just have to keep trying other sites in the search results until I find a site that opens.
I don’t have anything against Cloudflare; I do advocate for them. But I would think some more caution and information to the site owners could benefit both parties, so that site owners don’t switch on something that might unknowingly impact their end users. I also think Cloudflare could do a better job at reporting a fault on the BIC page itself, so that if enough submissions get sent, Cloudflare can audit them to identify legitimate issues.
While I’m sure some users may find the settings info helpful, the actual question I’m asking is what Cloudflare intends to do about the compatibility breakage – will they be officially notifying customers of the change as is normally done for non-backward-compatible changes, will the change be rolled back, or something else altogether.
I only know the issue exists because I ran into it personally while using one of the relevant browsers, then discovered it affected many other sites besides the first one, and finally found discussion here regarding the specifics of the issue. But I have not seen an official response clarifying the decision to break compatibility, or if it was indeed an intentional decision at all.
Since CF is usually pretty good at notifying about such things, the situation suggests to me that the compatibility break was probably unintentional and therefore needs to be addressed through the normal policies and procedures for making backwards incompatible changes, or else rolled back or fixed forward in some fashion.
You’d have to wait for a Cloudflare rep to answer this on the forums, or contact CF support and ask if you have a Pro or higher-level plan. As it stands, who knows if it’s a bug or if it’s an intended change. I’d imagine if it was a widespread issue, more CF customers would have contacted CF already, and it would have been made a higher-priority issue too.
How many of those browser users are impacted, percentage-wise, on your traffic? I just checked my CF Analytics for the past 30 days, and there are literally 0 users with those browser user agents.
On Waterfox it appears it’s not even an issue with supported features, as simply spoofing the user agent to the latest Firefox makes all the pages load fine. It appears it is literally just blocking based on user agent, rather than what the browser can actually do.
Waterfox isn’t one of the relevant browsers; it’s Waterfox Classic that ends up in a redirect loop, regardless of user agent. But certainly the part where CF doesn’t like Waterfox mainline’s unspoofed user agent is also a problem. The main issue though is that essentially all XUL-based browsers are now not allowed, even versions released literally last month.
How odd. I do not see a browser check for this page regardless of user agent or browser (even using a fresh profile), but on other sites with the issue, I see nothing but the browser check, even with a changed user agent. (Again, even with a fresh profile except for the same UA switcher you’re using.)
I wonder if there’s a regional difference? Or a Linux vs. Windows one.
What other sites have you had issues with? None of the URLs listed in the Pale Moon thread seem to work for me even with a modified user agent.
I’m a product manager at Cloudflare. Thanks very much for posting this here.
This looks like a bug with our “Managed Challenge” security action that’s causing the loop. This feature attempts to determine browser versus non-browser traffic and block non-browsers. The fact that the challenge is currently not working for Waterfox Classic and Pale Moon is not by intent, and we do not want to be in the business of saying one browser is more legitimate than another.
I’ve marked this as resolved since the issue appears to be fixed now for multiple browsers and sites; adding this comment in case anybody watching this issue isn’t also constantly reloading the affected sites to see if it’s been fixed.