Firefox resistFingerprinting vs. Cloudflare challenge

Since yesterday I have been unable to pass the Cloudflare JS challenge on abuseipdb.com and spigotmc.org with Firefox resistFingerprinting enabled.

While it may be more secure to be able to fingerprint the browser, in my opinion it is not acceptable to force this setting to be off for cloudflare.

A browser which resists fingerprinting is not a bot!

3 Likes

A browser which resists fingerprinting is not a bot!

You don’t know, and because you don’t know and it’s abnormal behavior on a normal browser, it’s likely to be used by attackers.

TLS fingerprinting is one very good technique to track bots, it’s not as efficient with humans, consider modifying your privacy setup if tracking is what concerns you.

This is also true when spoofing the timezone with an extension (I assume against DDoS?).

What is causing this issue specifically? Which part of resist fingerprinting is suspect to cloudflare?

In general, I don’t think cutting off TOR users (and more) is a good idea for obvious reasons, especially when a large part of the internet is protected by cloudflare. I think you should be a bit more aware of why some people need to use TOR or why they have a certain threat model, instead of suggesting something along the lines of:

consider modifying your privacy setup

Bot protection shouldn’t lock users out of the internet because of their threat model.

1 Like

This is also true when spoofing the timezone with an extension (I assume against DDoS?).

Potentially, could be part of the bot protection likewise.

What is causing this issue specifically? Which part of resist fingerprinting is suspect to cloudflare?

I doubt you will get information on this; obscurity of information is part of the security approach of any bot/DDoS protection vendor.
If you are wondering why TLS/Canvas fingerprinting is a required feature, it’s due to how complicated those parameters are to spoof and how easy it is to fingerprint a BOT or a DDoS attack.
Modern bots run on browsers that are almost indistinguishable from real browsers; in fact, many of them run on top of browsers in the shape of extensions.
Fingerprinting those devices is far easier and more effective than attempting to add hooks or tricks to catch the bots.
Only when the bot successfully spoofs its fingerprint does the vendor need to move on to adding tricks or challenges to catch the most complex bot attacks.
While I understand your security concerns, I’m more concerned about a lax security solution that allows this kind of device to navigate freely through their solution; a solid BOT or HTTP DDoS protection has to reach those levels of intrusion to be effective against modern attack vectors.
Mouse movement analysis, inspection of installed extensions, device fingerprinting, and session behavior are all slightly invasive approaches that all vendors are required to enforce in order to provide a proper solution to these modern attacks. Attempting to spoof your browser in any way is likely going to trigger any of the detections, resulting in more frequent challenges.

I don’t think cutting off TOR users (and more) is a good idea for obvious reasons, especially when a large part of the internet is protected by cloudflare

TOR nodes are involved in many activities, many of which are criminal. If you happen to land in those nodes, you are likely going to trigger multiple reactions from Cloudflare, hCaptcha, ReCaptcha and most cloud security vendors.
Cloudflare understands that not all actions in those nodes are criminal, that’s why most sites will present you with a challenge instead of a hard-block. If you spoof any of the headers or browser behavior after the challenge then you are likely to be presented with new challenges that get progressively harder or just are slower to solve (fade in and out animations).

Well, it’s just Firefox, because I’m using Chrome and I don’t get challenged!

Well, Chrome most certainly won’t even try to resist any fingerprinting, so there we go.

You mean how easy it is to use them to detect a DDoS attack?

Attempting to spoof your browser in any way is likely going to trigger any of the detections, resulting in more frequent challenges.

Cloudflare understands that not all actions in those nodes are criminal, that’s why most sites will present you with a challenge instead of a hard-block.

There’s a line between challenges and infinite loops, especially because it seems to happen on a number of websites and not simply on a selected few. Don’t get me wrong, I understand your concerns about being able to protect Cloudflare’s customers, but I think I have a valid point when I raise my concerns about this blocking approach. Is there really no better solution than this super conservative approach?

TOR nodes are involved in many activities, many of which are criminal.

The same could be said about ICMP, DNS, network devices, IoT devices, computers in general, cars. I won’t get into this argument because I understand where you’re coming from and it’s not the right place, but imo bot detection should not trump all the valid use cases and personal security concerns that TOR users might have.
Given the large impact that Cloudflare has on the internet, I find this concerning.

Well it’s just firefox cause I’m using chrome and I don’t get challenged!

Yes, it is just Firefox and Tor (and forks), which still means millions of people with rather particular threat models and use cases. Should we all just switch to Chrome in order to be able to access websites?

1 Like

you mean how easy it is to use them to detect a ddos attack?

Correct

there’s a line between challenges and infinite loops, especially because it seems to happen on a number of websites and not simply on a selected few

Taking a blind guess here, it could be that different CF challenges are delivered depending on the package that the customer has and, for some reason, one or a set of the challenges are entering an infinite loop because they don’t consider the challenge passage to be valid, or your browser modified its headers before and after solving the challenge.

You’d need to provide a dump of the subsequent requests that are being challenged and then somebody from CF would need to determine if it’s a false positive or just a trigger of what they consider to be potentially malicious.

I’ve just run into this issue myself. I do hope this gets some awareness from CF devs, as I doubt the intention of the DDoS protection is to cause an infinite loop resulting in further requests/traffic.

For what it’s worth.

Same issue here.

there’s a line between challenges and infinite loops, especially because it seems to happen on a number of websites and not simply on a selected few

I agree, an infinite loop is a bug if experienced by a legitimate end user, no matter how you frame it. If resistfingerprinting = True means higher frequency of captchas then (sigh) so be it. Being blocked from accessing the website at all is unacceptable.

1 Like

Even with RFP off, disabling the Resource Timing API causes the infinite loop, so this is not related to Canvas or TLS.

2 Likes
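The post above pins the loop on a missing Resource Timing API rather than on Canvas or TLS. The following is an added example, not code from this thread or from Cloudflare, showing how a challenge script can feature-detect that API and bound its retries so that a browser with the API disabled is handed a fallback instead of an endless reload. The `perf` argument stands in for the browser’s `window.performance`; the four environments at the bottom are constructed stand-ins for a normal browser and three ways the API can be unavailable, and `naiveVerify` is a deliberately simplistic verifier invented for the demonstration.

```javascript
// Added example for this thread, not Cloudflare's code: a challenge driver
// that feature-detects the Resource Timing API and bounds its retries, so a
// browser with the API disabled gets a fallback instead of an endless reload.
// `perf` stands in for window.performance; the sample environments below are
// constructed, not captured from a real browser.

const MAX_ATTEMPTS = 3;

// True only when performance.getEntriesByType exists AND returns an array.
// A browser that has the API disabled may lack the method, return something
// unexpected, or throw; all of those are treated as "unavailable".
function resourceTimingAvailable(perf) {
  if (!perf || typeof perf.getEntriesByType !== 'function') return false;
  try {
    return Array.isArray(perf.getEntriesByType('resource'));
  } catch (_err) {
    return false;
  }
}

// Builds the signal a verifier would look at. When the API is unavailable the
// signal says so explicitly instead of reporting a misleading zero count.
function collectSignal(perf) {
  if (!resourceTimingAvailable(perf)) {
    return { available: false, entryCount: 0 };
  }
  return { available: true, entryCount: perf.getEntriesByType('resource').length };
}

// Deliberately naive verifier (hypothetical): it accepts only a browser that
// reports at least one resource-timing entry and asks for a retry otherwise.
// Driven by an unbounded loop, this is the reload/fail/reload behaviour the
// thread describes.
function naiveVerify(signal) {
  return signal.entryCount > 0 ? 'pass' : 'retry';
}

// Bounded, feature-aware challenge driver. Outcomes:
//   passed   - the verifier accepted the signal
//   fallback - a required API is unavailable; serve a different challenge type
//   failed   - the verifier kept rejecting; stop after maxAttempts, never loop
function runChallenge(perf, verify, maxAttempts = MAX_ATTEMPTS) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const signal = collectSignal(perf);
    if (!signal.available) {
      return { status: 'fallback', attempts: attempt, reason: 'resource-timing-unavailable' };
    }
    if (verify(signal) === 'pass') {
      return { status: 'passed', attempts: attempt };
    }
  }
  return { status: 'failed', attempts: maxAttempts, reason: 'verifier-rejected' };
}

// Constructed stand-ins for window.performance under four configurations.
const ENV_NORMAL = { getEntriesByType: () => [{ name: 'a.js' }, { name: 'b.css' }] };
const ENV_API_MISSING = {};                                            // method absent
const ENV_API_THROWS = { getEntriesByType: () => { throw new Error('disabled'); } };
const ENV_EMPTY = { getEntriesByType: () => [] };                     // present, no entries

// Stand-alone run: one line per configuration.
if (typeof require !== 'undefined' && require.main === module) {
  const envs = { ENV_NORMAL, ENV_API_MISSING, ENV_API_THROWS, ENV_EMPTY };
  for (const [name, env] of Object.entries(envs)) {
    console.log(name, JSON.stringify(runChallenge(env, naiveVerify)));
  }
}
```

The design point is the `fallback` branch: a privacy setting that removes an API is a capability gap, not evidence of a bot, so the script reports it and lets the server pick another challenge type. The `ENV_EMPTY` case shows the other half, a verifier that keeps rejecting still terminates after `MAX_ATTEMPTS` instead of reloading indefinitely.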

Same issue here, an infinite loop locking legitimate users out of many websites is definitely a major bug that should be fixed.