Unexpected Challenge and Captcha behaviour

Good afternoon,
I need to report a few similar bugs that affect accessibility of my website and ALL other websites protected by Cloudflare, and as the result breaches the general principle of equality and nondiscrimination as one of the fundamental Human Rights, national and international laws.

All reported problems except one revealed during recent 1-2 months and never happened before. It affects all users of the some web browser versions regargless of the geographical location and the website their visit.

First bug happens when page rule “Managed challenge” or “JS Challenge” or “Legacy Captcha” is triggered both when specific page rule was created or Under Attack mode is active. It is reproduced in the following way:

  1. Open the web page.
  2. see the animation “Checking if the connection is secure”
  3. See the message “Connection is secure” with “checked” icon
  4. Again the animation “Checking if the connection is secure” (see 2, and infinite loop).
    Sometimes this infinite loop was ended in 1-5 minutes but it must not work like this. This started to happen about 2 month ago at few websites accesed from few IP addresses, sometimes bypassed accessing from different country or VPN.

Video: Download 1_MyPal_InfiniteLoop.webm from Sendspace.com - send big files the easy way

The bug that was noticed during January 2023. Using both Firefox 52 (original ESR) and Firefox 71 (MyPal / PaleMoon forks) as the latest web browsers available for Windows XP and 2003 users it’s impossible to open any page protected by Cloudflare’s Managed challenge or JS Challenge, it shows “browser is out of date” message. In case of changing user-agent to “supported” browser, the bug #I happens like it was some time before. Developers must take into account there is no technical possibility to install ANY newer browser version under Windows XP since all of them are not compatible with this operating system. I did not find any way to bypass this bug.
Video: Free large file hosting. Send big files the easy way!

Cloudflare Captcha, that is integrated into some websites or services as replacement of Google ReCaptcha or hCaptcha also shows “browser not supported” message preventing legitimate users accessing websites or services. This includes different governmental services also, that is a critical problem for many users. Simple replacement of User-Agent string in the web browser config (e.g. Firefox 52.0 to Firefox 152.0) solves this problem, so it’s artifically created and must be solved with highest priority. The video contains one random governmental website that has this problem.
Video: Free large file hosting. Send big files the easy way!

ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Google Chrome. Contrary to the bugs described above, this problem is actual for years. SSLLABS online test confirms the website is not accessible from Google Chrome regardless of security level or page rules. I thought there is no solution, but I’ve seen at least one website hosted at (lets say proxied with) Cloudflare IP address, that had Let’s Encrypt issued certificate, and it was loaded in Google Chrome withoud this problem. So, the solution really exists?
Video: Download 4_Chrome49_cipher_mismatch.webm from Sendspace.com - send big files the easy way

The general principle of equality and non-discrimination is a fundamental element of international human rights law. I expect Cloudflare developers will review the reported problems and make some action to stop inequality and discrimination because of factors such as the operating system or web browser.

If your visitors are using an up-to-date version of a major browser — such as Chrome, Firefox, Safari, Microsoft Edge, Chrome and Safari on mobile — they will receive the challenge correctly.

Challenges are not supported by Microsoft Internet Explorer.

If your visitors encounter issues using a major browser besides Internet Explorer, they should upgrade their browser.

Do you have any issues that are impacting supported operating systems & browsers? Software that isn’t supported by the developer themselves is unlikely to be supported by the wider internet.

You did not understand the volume of the problem.

First is technical - users CAN NOT update their web browsers ever. Due to some idiots bla bla bla but the reasons why update is not available is outside this discussion. This is a fact that update is not available and there is a web browser version that is last for each operating system.

Second part of the problem is LEGAL, so if you provide different possibilities or limit possibilities of people because of different operating systems or web browsers this is a kind of inequality and discrimination that is prohibited by national and international laws. You should take into account there is not only USA where user can buy new computer each year, in some countries it’s too expensive and users must not waste their money just because some website begin to function incorrectly.

One more point is that the opinion of one or few Cloudflare developers who made some changes that brake browser support impact thousands of websites and millions of users. Websites (including governmental services) that use Cloudflare protection do not want to discriminate users limiting access but they actually do it because of wrong js challenge that worked for years but something happened.

And yes, Firefox ESR (extended support release) is a supported browser.
This thread requires an attention of Cloudflare developers.

ESR 102 is the oldest supported release by Mozilla - I’m not able to reproduce any issues on that browser.

It seems that the reported “”“bugs”“” are related to the use of outdated software, specifically Windows XP and Firefox 52.

These are both ancient and no longer supported by their respective developers, (potentially) including Cloudflare.

Cloudflare is not responsible for the technical limitations of outdated software or the lack of support for them. Therefore, the reported bugs are not Cloudflare’s fault, and it is not a case of discrimination as the limitations are due to technical factors.

While the general principle of equality and non-discrimination is fundamental, it does not apply in this case, as users must update their software to access the latest technologies and features.

It’s important to note that the number of users still running Windows XP and Firefox 52 is a very small minority of overall web traffic.
While it’s understandable that these users may face difficulties accessing certain websites, including those protected by Cloudflare, the reality is that the vast majority of web users have access to modern software and should not be held back by technical limitations that affect a incredibly small minority. Therefore, it would not be practical or feasible for Cloudflare to prioritize these outdated technologies over the vast majority of users who have access to modern software.

It’s important to approach this issue with a constructive mindset and to understand that playing the victim or involving legal processes may not be the most effective approach to resolving these issues.

If there were a problem impacting millions of customers, it’s probable that Cloudflare developers would already have knowledge of the issue and be taking the necessary steps to address it in the most efficient manner possible.

Use of software that you have called “outdated” on the old hardware that can not run “not outdated” software due to technical characteristics e.g. memory limits, cpu frequency or absense of some particular CPU instruction sets is not in violation of any laws. People (and me particularly) are NOT ABLE TO UPDATE the software in some cases.

Cloudflare decides WHOM to allow access to protected websites and WHOM to deny. 2 months ago this decision making piece of software was functioning correctly allowing all human users to visit website, now it’s not. This is where the bug happened. This is exactly the discrimination due to technical factors.

Please post the link to any national law that orders users to run only latest software. I don’t know any. At the same time, forcing people to buy new equipment when making old equipment artifically inoperational is against some laws. This is not about “supported” or “not supported”, this is about equal possibilities to all users to visit websites protected by Cloudflare.

Maybe “a very small minority of overall web traffic” in generic worldwide statistics, but can you look to any data from third world countries? No? Third world country citizens are no more humans?

This issue is related not to one OS but to the approach. Tomorrow you will call Google Chrome 100 an “outdated” software and Windows 7 users will not be able to update it, so when JS challenge will fail in this browser and it will affect millions of visitors it would be too late for the reputation of websites using CF protection.

I’ve just reported few bugs that must be solved (e.g. recent changes to be reverted) to restore all users an access to the protected websites.

would already have knowledge of the issue

So here is the first bug report of this issue. Waiting for the second and third? Many people will just leave a CF-protected website and visit another one, they will not understand this problem is due to Cloudflare js challenge bugs. Another do not know how and where to report these bugs. Finally, a user that will report a bug will be rejected by CF support because only the owner of the website may report such problems with his own website, not with some random site in the Internet. I’m exactly that owner of the website and I’m the user of the browsers that you call “outdated”, so these issues affect me and it’s important for me that these bugs to be solved.

No-one said it is, but the law really isn’t relevant to websites not supporting your preferred browser or operating system.

Yes, you can - there’s plenty of websites that make this information available.

Pale Moon (29.4.6) passes the challenges fine.


As does the latest version, 31.1.0.

The words “preferred browser” may be used in case user have enough options to use on his device (and device term is wider then just desktop PC, e.g. smartphones where you can not physically re-install an operating system). In the case I’ve described there are not so big choice. Due to “SSL VERSION OR CIPHER MISMATCH” error all Chrome-based web browsers can’t be used. Opera (the real Opera) was discontinued and it’s on Chromium now. Internet Explorer and all remakes like Maxton had never been a good web browsers. Thus Firefox and it’s forks are not only the prefered browsers, but the only browsers that could be used at Windows XP computers to view Cloudflare-protected websites.

(In most other cases, like CF “bypass” mode, white unprotected IP or other protection solutions like ddos-guard / incapsula Chrome-based browsers are OK)

Pale Moon (29.4.6) passes the challenges fine.

Thank you for this information! I should check. Palemoon itself does not work with XP, I’ve checked it some time ago. Current version is 32th. MyPal (as a fork of Pale Moon) works fine. MyPal’s latest version was 29.3.0 that I’m using for few websites where original Firefox 52 ESR is not supported. Now I see MyPal 68.12.3 is released and I’m downloading it to test, also I’m going to find and download 29.4.6 you mentioned. But I would like websites (and generally SaaS / IaaS solutions) support all web browsers as a mainstream trend (like it was dozens of years before, when ALL javascript books tought in a bold font that cross-browser compatibility rules must be followed), not users to look for web browser that will view particular website.

Problem III from 1st post is probably resolved.

Problem IV could be solved by replacing CA Let’s Encrypt to Google. Any other hosts with Let’s Encrypt certificates (directly obtained by various hosting panels or via ddos-guard, Cloudflare’s direct competitor) works fine. Could you just fix it globally at Cloudflare?