Firefox appears to be flagged as suspicious by Cloudflare (opens in new tab)

(lwthiker.com)

337 pointslwthiker3y ago168 comments

168 comments

(I’m responsible for Cloudflare’s L7 security products)

While we can’t comment on the specifics of any customer configuration, we do not block or challenge Firefox by default—either with our Bot Management products or with any other L7 security controls.

You can confirm this by signing up a free zone and making a request from Firefox.

tyingq3y ago

You're saying there's not a simplistic "block Firefox rule" right? But, the user agent is surely one of the weighted features going into your ML stew. So it's plausible the poster is seeing that Firefox sends some calculation over the edge and causes blocking for them.

That is, you're not saying "Firefox doesn't change the scoring at all", right?

judge20203y ago

To add, without knowing the homepage firewall rule g2 has set up, we won't know exactly what sort of rules is triggering this, although the most likely signals they're using are either bot scores[0] or threat scores[0].

0: https://developers.cloudflare.com/bots/concepts/bot-score/

1: https://support.cloudflare.com/hc/en-us/articles/200170056-U...

prdonahue3y ago

Appreciate the speculation, but using Firefox does not increase your likelihood of being flagged as a bot nor does it increase your threat score.

1 more reply

tomjen33y ago

Can customers configure Firefox as one of the criteria for a challenge?

vnkr3y ago

Customers can create firewall rules to challenge requests using any type of request metadata. User agent is one of the filters, that can be used in manual Firewall fields.

rezonant3y ago

This is almost certainly a firewall rule put in place by the operators of that site. My own sites which are protected with Cloudflare do not exhibit this behavior when using Firefox.

webmobdev3y ago

Privacy preserving extensions like uBlock Origin, Canvas Blocker, Decentraleyes etc. used in Firefox also trigger the CloudFlare wall of harassment. Some of the actions of these extensions prevent browser fingerprinting and CloudFlare gets easily confused when this happens and unnecessarily triggers a lot of challenges for a user. You can easily get sucked into the blackhole of captchas - sometimes even solving 5+ captchas isn't enough to convince them that you are a real human.

schappim3y ago

>> CloudFlare wall of harassment

You’re right, this is a form of harassment, and it needs to be recognised as such.

buro93y ago

This.

I used to work there, and there wasn't a global "do this for this browser" (except for a little bit to reduce annoyance specifically for the Tor browser).

It is almost 99% certain to be a site operator firewall rule based on the browser user agent. This may even be accidental, they may have been hit by an aggressive bot using a UA string that matches Firefox and the site operator may not even realise they've done this (if they use Chrome, which is likely).

lwthikerOP3y ago

I think they have different plans and configurations for their anti-bot service [1]. I'm not sure though because I'm not using their services.

[1] https://developers.cloudflare.com/bots/get-started/

dylan6043y ago

Is there a meme like name along the lines of "self-own" when you go online and have a tantrum about someone doing something to you only to find out it's your own doing that caused the issue?

number63y ago

Maybe this one? But it lacks the self reflection:

https://knowyourmeme.com/memes/baton-roue

zinekeller3y ago

I think it's two-fold: rise of tools like curl-impersonate (https://github.com/lwthiker/curl-impersonate) and the very consistent Firefox TLS fingerprint across platforms. Unlike Chromium (where you could differentiate a Linux, Mac or Windows computer from its chiphers, and so for example challenge only Linux clients), Firefox has NSS and NSS is used everywhere the Gecko engine is used while Chromium, although has BoringSSL for modern chiphers, also uses the underlying TLS stack of the operating system (whether it's Microsoft's SChannel, Apple's SecureTransport or Linux's... NSS). The only time Chromium uses a pure BoringSSL implementation is on Android (Conscrypt).

1 more reply

Aachen3y ago

I mean, with that market share, popularity among open source fans... it's an easy group to target and filter oddballs.

I'm a Firefox user and I'm used to this treatment at every step of the way, no matter if it's about software, airports, opening a bank account so I can receive a salary, etc. Fundamental things everyone wants to do are being made hard to do the right way. It's always anti privacy, anti self repair, anti longevity/sustainability, anti user freedoms, anti whatever we ideally want in this world. Of course using Firefox is now suspicious.

detritus3y ago

Really? I'm a firefox user too and whilst I occasionally bump into some situation as you describe where I need to hop onto Chrome, I genuinely can't remember the last time this happened. Nope, actually - sometime last year, with some poorly-coded gig ticket purchase thing, if I remember right. I was able to check the code and amend some stupid niggle in WebDev tools to get around it.

Not saying I should have to accept that, but that's what it was.

Certainly not 'regularly'.

marcosdumay3y ago

I certainly do not see it on the frequency the GP is talking about. But it's there. Every once in a while there is a site that insists on throwing you into infinite captchas, on requiring some extra information, or just refusing to work just because Firefox won't spy on me for their benefit.

I also do really not experience it "regularly", but different people visit different sites.

That said, the one problem I get most often is this Cloudfare one.

coffeefirst3y ago

Yeah, I find 99% of the web is fine but the exceptions are jarring. Fedex tracking is totally broken in Firefox. Quite a few sites still struggle without 3p cookies, which also affects Safari. Slack has some issues. It's also come up a few times while looking for a Google Docs replacement—several options are effectively Chromium only, which is ironic when you're only looking at them so you can avoid Google products.

SoftTalker3y ago

Often, just changing the user agent string so that Firefox appears to be Chrome will let those sites work. I.e. they work fine in Firefox, but are restricted by user agent string checks to reject that browser and/or OS.

There are several plugins for Firefox that make this easy.

2 more replies

lwthikerOP3y ago

For a while now I can't even access WhatsApp Web [1] through Firefox. It gets stuck on the loading page and keeps refreshing itself forever. I have to resort to Chrome whenever I need WhatsApp on my laptop.

[1] https://web.whatsapp.com

3 more replies

OJFord3y ago

I don't even have another browser installed.

1 more reply

Silhouette3y ago

I'm a firefox user too and whilst I occasionally bump into some situation as you describe where I need to hop onto Chrome, I genuinely can't remember the last time this happened.

Sadly I find it happens more and more often, even with important things like financial services.

What I haven't figured out yet is whether it's really the Firefox engine that is the problem or just that Firefox also provides better tools for blocking obnoxious trackers and the like. Maybe because I have those tools turned on by default more sites using obnoxious trackers break in Firefox than other browsers. In most cases that is a feature not a bug but it's frustrating when essential functionality on sites providing essential services gets broken as collateral damage.

1 more reply

Hedepig3y ago

At work I have to reject a call on slack and ask they make a "huddle" instead.

Barrin923y ago

Just in the last month Firefox didn't work for me on my health insurer's site, my bank's site as well as when trying to request a mail-in ballot for a regional election. Obviously not Mozilla's fault, but for me at this point the browser isn't that usable any more because that's important services I need to have access to.

On large international sites the likelihood that Firefox works flawlessly is pretty high. But a lot of regional service providers appear to kind of have given up on it.

bencollier493y ago

About once or twice a month I come across a site which hasn't been tested properly on Firefox and a flow of some sort doesn't work. The most recent was accessing scientific papers via a journal and academic society login. The redirect was broken on FF. Oh, and Facebook. Although that seems broken in various ways on all the browsers. Pretty remarkable.

pmontra3y ago

Google Cloud Console works only in Chrome for me. I've been accessing it with Vivaldi for years, then I got the you broke my internet sad robot icon since a few months ago. Firefox loads the page but most of it is blank. I played with the controls of my privacy plugin with no benefit. It could be my configuration.

jtuente3y ago

It's common enough that you recognize that you need to use a chromium browser, that's entirely too common. As a recent example, UPS tracking was/is broken on Firefox.

davidhay3y ago

Same, firefox works as it should for me.

deknos3y ago

i do not experience as much as your pre-poster, but i also experience it. "just use chrome"

cleandreams3y ago

Firefox use, same.

GekkePrutser3y ago

I don't even have chrome installed and never need it to be honest.

Except for some boneheaded sites that refuse FF entirely ( https://business.apple.com is such an offender) I don't have issues with sites not working.

Edit: it looks like even Apple has got their act together now, it seems to support Firefox now too. Finally

CamperBob23y ago

I just followed your link and it says, "Your browser is not supported. We recommend using the latest version of Safari, Microsoft Edge, or Chrome."

So apparently Firefox is subversive and scary enough to make Apple refer me to Microsoft or Google to avoid it. I guess that's what passes for "Think Different" at Apple these days.

1 more reply

throwlllllllll3y ago

Don't get me started on banks and accounts! It's like they WANT me to take the simple, easy, forbidden paths.

phh3y ago

My personal experience is that I do fallback some sites to testing in Chrome quite often, maybe once a week. But the number of times where using Chrome actually fixed the issue is maybe once a year? Really, it's just that I stumble on quite a number of broken websites.

kordlessagain3y ago

Firefox is fast, so maybe it's getting flagged because people are using it with webdriver to crawl sites. Just a hypothesis.

lfkdev3y ago

Cool Username

Aachen3y ago

Appreciated :). I see you're from nearby, might you happen to be looking for dev or security work? (For anyone else reading this, remote is also possible. Contact in profile, to not spam the thread.)

I'm not actually from Aachen myself, but nearby in NL and I work in Aachen nowadays and wasn't sure what username to choose.

If someone else would want it, I'm also fine passing it on. Dunno if there are guidelines on that actually but I'd consider an HN username like a domain name: finite, first-come-first-serve in principle, and hoarding is not cool.

shaicoleman3y ago

A workaround is to install the Privacy Pass extension to bypass the captchas [1] [2]

It's an open source extension available for Chrome and Firefox. It allows to privately identify you're human, and is the process of going through IETF standardisation, so hopefully someday you won't need to install an extension for it. After you complete a captcha once, you won't need to do it again for a long time.

I'm not happy about installing extensions just to view some websites, but it'll make things less painful

1. https://privacypass.github.io/

2. https://support.cloudflare.com/hc/en-us/articles/11500199265...

dingleberry4203y ago

Deanonymizing yourself just to appease cloudflare is not a valid solution. Any website should work in any browser out of the box. If they don't, the website is broken.

shaicoleman3y ago

"The blind signing procedure ensures that passes that are redeemed in the future are not feasibly linkable to those that are signed. We use a privacy-preserving cryptographic protocol based on ‘Verifiable, Oblivious Pseudorandom Functions’ (VOPRFs) built from elliptic curves to enforce unlinkability. The protocol is exceptionally fast and guarantees privacy for the user. As such, Privacy Pass is safe to use for those with strict anonymity restrictions."

1. https://privacypass.github.io/

> Deanonymizing yourself just to appease cloudflare is not a valid solution

I'm not claiming it is a valid solution, I'm just sharing a possible workaround.

2 more replies

shadowgovt3y ago

> If they don't, the website is broken.

The Internet is a network with social effects. Whether "this didn't work" means "the website is broken" or "the browser is broken" has always been more about end-user experience and the wisdom of crowds than a more concrete definition.

A website broken only on Firefox works for 96.5% of users. I have personally had to make the hard judgment call (as a fan of Firefox!) to not spend 25% of our engineering debugging time on a problem only 3.5% of users encounter.

2 more replies

lowwave3y ago

>Deanonymizing yourself just to appease cloudflare is not a valid solution. Any website should work in any browser out of the box. If they don't, the website is broken.

I totally agree with you. I think maybe an upper limit per ip (maybe a bit higher for tor ips) would be need to prevent DoS type attacks.

trog3y ago

Firefox user - have seen this many times. Always assumed it's either NoScript or Firefox's built-in tracking protection meaning there's some pre-existing cooking not set that Cloudflare places from other site visits, or because some script is getting blocked somewhere else.

rezonant3y ago

Seeing the cloudflare challenge as a user can happen in any browser depending on the site and it's configuration. A site can choose a security level that requires all visitors to receive a JS/captcha challenge, and sites can make custom firewall rules to require JS/captcha challenges on any of hundreds of different attributes of a particular request using CF's web application firewall tools. One of those attributes is user agent, for instance.

eastdakota3y ago

Nope. Individual customer setting, not a Cloudflare policy. We work closely with the Firefox team on many projects.

my69thaccount3y ago

Aren't you not supposed to comment on individual customers?

tomcatfish3y ago

They aren't, they're commenting on company general policy and making the obvious deduction from that.

It's (literally) basic logic

1. Some site flags Firefox. 2. Not all sites flag Firefox. 3. Either every site flags Firefox or individual sites flag Firefox. 4. It is not true that every site flags Firefox (obverse of 2) C. Individual sites flag Firefox (disjunction with 3, 4)

gzer03y ago

Incredible. I just changed my user-agent whilst on the Google Chrome browser.

  * Changing to Firefox immediately displayed the Cloudflare error message
  * Edge had no errors
  * Chrome had no errors
  * Safari had no errors

Edit: Even internet explorer 9, android kitkat, and the opera browser had no errors.

Edit 2: as another user has pointed out, this is most likely a firewall rule put in place by the website operator themselves.

jefftk3y ago

Do you see the error when testing with Firefox, though?

Receiving a "you look like a bot" message when using Chrome configured to pretend to be Firefox isn't very surprising.

existencebox3y ago

I can confirm this on pure (native) FF as well. As someone who has run multiple large web properties this hurts to see. I've observed firsthand the impact of what adding friction to certain browser segments does to utilization, if large corps decide that FF is a "risk" it will do a number on their already struggling traction, and we already live in far too much of a browser monoculture.

(Disclaimer, MSFtie, all opinions are my own)

leereeves3y ago

I can also confirm this on Firefox. With JS enabled I get the challenge from Cloudflare, and with JS disabled for g2.com, I get:

> Please turn JavaScript on and reload the page.

> DDoS protection by Cloudflare

tomerv3y ago

I use Firefox Focus on my phone (opens links from apps in a private session - generally a great idea!) and always get this 5 second delay (which is often actually 10 or more seconds). I never considered that it's a Firefox-only thing!

cpeterso3y ago

Are you using Firefox Focus on Android or iOS? Does the 5-10 second delay happen on all websites or a specific one?

itvision3y ago

I'm using VPN 99.9% of the time, so it's all the same for me.

The perks of living in a authoritarian state which tries to limit your access to the Internet.

StanislavPetrov3y ago

>The perks of living in a authoritarian state which tries to limit your access to the Internet.

Unfortunately these days this could be virtually anywhere.

1 more reply

dchest3y ago

Tested in Safari, got the captcha challenge. I doubt it's due to some specific Firefox block.

dan12343y ago

For me, it was fine in Safari and Chrome, but got the 'checking your browser' message in Firefox

CamperBob23y ago

This business of flagging legitimate downloads as "suspicious" is getting way out of hand. Here's what I'm dealing with lately:

https://i.imgur.com/ZzExHt2.png

This setup program is signed with an EV certificate from DigiCert and hosted on an https site. No other hoops left to jump through except this awesome Catch-22 implementation, which leaves no actionable solution.

LegitShady3y ago

I've been de-googling all of my services and software over the last couple years including a switch to firefox.

I have noticed cloudflare challenging me more and more often. I assumed it was related to privacy extensions like noscript, ublock, and privacy badger.

megous3y ago

I also got perma blocked by cloudflare (no option to override to get access, not even their captcha), because I dared to disable web timing APIs in Firefox at some point in the distant past. (I felt those have no legitimate uses, and I still do)

dom.enable_event_timing / dom.enable_performance_navigation_timing

I only figured what was wrong after a month of no access to gitlab and other websites.

Operyl3y ago

I can’t reproduce what this article is claiming, even using a completely new profile. I’m only a size of one for this perspective though.

134153y ago

Same for me, my Firefox with all kinds of adblockers is not flagged.

gfs3y ago

I'd be curious to see if this is the case for other sites that use Cloudflare bot protection as well. There are a bunch of ways to tune the service so maybe they are just extra cautious?

rezonant3y ago

It is definitely this. My websites on Cloudflare are not exhibiting this behavior with Firefox...

dowath3y ago

Could it have anything to do with the Tor browser being based on Firefox?

jtbayly3y ago

This is absolutely my thought.

shadowgovt3y ago

> Open-source browsers are an important part of the web and should not be treated differently than their closed-source counterparts.

One way to interpret that is they should all have the same suspicion rules for lack of popularity applied to them. One way Cloudflare's rules could be causing this is if there's some threshold for fingerprints-per-second under which any UA is considered sus, and Firefox's market share is so low that it tends to fall under that threshold.

In which case, what lwt hiker is asking for is special treatment for the browser because they believe the Mozilla project's browser has special value to the web ecosystem. Which they are allowed to believe, but let's be clear about when we're seeking special treatment vs. being treated like any other user agent.

NelsonMinar3y ago

Cloudflare provides service both for Firefox VPN and Firefox DNS over HTTP. Or at least did recently, I don't think anything's changed.

https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare...

https://www.mozilla.org/en-US/privacy/firefox-private-networ...

ddispaltro3y ago

Fedora Chrome (not chromium) user here, I get the full challenge too.

forgotmypw173y ago

I'm not sure what the cause was, but many sites failed to resolve for me in Firefox (and derivatives) for a month or two straight recently. archive.is was one of them. I think it may still happen with default settings, but I solved it by turning off DNS-over-HTTPS (which I think is a stupid feature anyway)

russelg3y ago

Basically archive.is has an issue with the way Cloudflare DNS does things. This will also affect DNS over HTTPS as Cloudflare is the default DoH provider in Firefox.

SkeuomorphicBee3y ago

For me it was even worse, I got a straight "Access denied" with no captcha or recourse. (Firefox, Linux)

erung883y ago

I don't think one can conclude anything with just 1 site being blocked by www.g2.com using Firefox. More tests will show a clearer picture:

What about using another OS?

What about using another IP address?

What about other websites? Is the issue only repeatable with www.g2.com?

What about using mobile phone browser instead?

realusername3y ago

I can confim the behavior on mobile

jmclnx3y ago

I have been seeing this issues also, very odd, workarounds I tried do not get around the issue.

>If this behavior gets adapted on more sites, we can expect even more users leaving Firefox

But I will just not go to the sites instead of using something other than Firefox.

midislack3y ago

I just close the tab if Cloudflare pops up and I don’t visit the site again. I don’t trust or like Cloudflare and I suspect they themselves initiate DDOS’s even though I have no actual proof.

klepto693y ago

Maybe it's your IP. I tried it in Firefox and Edge. No problem

iamdual3y ago

The challenge screen has appeared on Google Chrome on a Linux distro.

Erlangen3y ago

Does it have to do with the main browser you use? I am running Debian, Firefox is main browser, while chromium is used occasionally. I got captcha for Chromium, but not Firefox.

ummonk3y ago

I hit the “checking your browser” quite often, as well as hitting captchas. I assume this means my adblocker / tracking blocker (in Safari) is doing a good job.

tuankiet653y ago

I got HCaptcha-ed while using Chromium + uBlock Origin (no other privacy extensions / settings as far as I think). Happens both in normal and incognito mode.

rbut3y ago

Same HCaptcha in Brave.

I then tried in Firefox and only got the delay mentioned in the article.

Note that I am also browsing via a VPN.

vanous3y ago

Tested on Android with Fennec (Firefox without telemetry), FOSS browser and Midori. Only Fennec gets the challenge. Even such obscure browser like Midori is OK.

santamex3y ago

Every time I login to gitlab.com with Firefox I get this screen. I thought that was normal. Because it is like this for months or maybe years already.

t_mann3y ago

Can confirm that I got that exact challenge only on Firefox at least a week ago, although only on one site. Still getting it now.

klepto693y ago

Tried it, didn't stop me viewing the page, no delay either

baisq3y ago

Cloudflare uses a lots of heuristics to determine whether to show their challenge. In fact getting served a challenge says more about the amount of bot traffic that the website is getting than about how bot-like you look.

Dylan168073y ago

It might say "more" about how much bot traffic the site is getting, but it is also making some very clear statements about user agent. Those don't contradict at all.

lobocinza3y ago

I use Chromium and was served the challenge.

robonerd3y ago

We're regressing to a state reminiscent of the dark IE years.

Except back then when you suggested alternative browsers, people were generally receptive once they saw the practical utility of features like tabs. Now when you suggest alternative browsers, people complain about tens of milliseconds more latency and insist on using Chrome for the speed. It's hard to blame them though, since the practical advantages of Firefox are slipping away as Mozilla focuses on more abstract advantages, like privacy, freedom, etc. Noble causes to be sure, reason enough for me to continue using Firefox even if it were a hundred times slower. But I think most people are looking for practical advantages; Firefox usage continues to decline and I don't have much hope for these trends turning around anytime soon.

pjmlp3y ago

Even if FOSS fans don't like it, it is iOS/Safari that is the last block preventing the Web platform to be finally renamed to Chrome OS.

robonerd3y ago

Liking it is beyond the point, it isn't available for me to use unless I replace my phone and computers. But yes I think you're right, Firefox has become so thoroughly marginalized that Safari seems like the last meaningful resistance to the Chrome monoculture.

ocdtrekkie3y ago

Unfortunately there are literally activists promoted to ending that final stand protecting the open web.

1 more reply

tyrfing3y ago

That ship sailed when developers collectively decided that browsers should be complete reimplementations of the entire operating system, and anything less was hopelessly broken. With a barrier to entry so high that trillion dollar companies don't find it worth the investment, it's no surprise that the last independent implementation is struggling to keep up.

userbinator3y ago

when developers collectively decided

Based entirely on propaganda from the one company that is rapidly taking control of the whole Internet.

account423y ago

> Mozilla focuses on more abstract advantages, like privacy

Mozilla marketing focuses on that. Mozilla development still uses opt-out telemetry, experiments on users without consent and they still have Google Analytics on their websites.

Terry_Roll3y ago

Considering CDN's are duplicates of websites located around the world to remove lag, has anyone every flagged up how CDN's can be used for nefarious means, or do people just trust CDN's blindly? When is a sock puppet not an avatar on a web forum but an entire website radicalising individuals in secret?

usr11063y ago

I have got this on gitlab.com every morning when I log in for at least a year. (We are a paying customer.) I use Firefox with Coookie Auto Delete.

I know that the internet is full of idiots and criminals. If they protect their service it's my benefit. It costs me maybe 2-3 seconds every morning, but then there will be 1000s of requests during the workday. If each of them were 0.1 seconds slower because their servers deal with nonsense my user experience would be much worse.

(I have no idea whether keeping cookies or using a different browser would avoid the visible challenge. I just don't care.)

Edit: I would really hate it if I had to do free Google captcha labor. Or fill the AWS one which always takes me 3 attempts to get it right.

j / k navigate · click thread line to collapse

168 comments

prdonahue3y ago

(I’m responsible for Cloudflare’s L7 security products)

You can confirm this by signing up a free zone and making a request from Firefox.

tyingq3y ago

That is, you're not saying "Firefox doesn't change the scoring at all", right?

judge20203y ago

0: https://developers.cloudflare.com/bots/concepts/bot-score/

1: https://support.cloudflare.com/hc/en-us/articles/200170056-U...

prdonahue3y ago

Appreciate the speculation, but using Firefox does not increase your likelihood of being flagged as a bot nor does it increase your threat score.

1 more reply

tomjen33y ago

Can customers configure Firefox as one of the criteria for a challenge?

vnkr3y ago

Customers can create firewall rules to challenge requests using any type of request metadata. User agent is one of the filters, that can be used in manual Firewall fields.

rezonant3y ago

This is almost certainly a firewall rule put in place by the operators of that site. My own sites which are protected with Cloudflare do not exhibit this behavior when using Firefox.

webmobdev3y ago

schappim3y ago

>> CloudFlare wall of harassment

You’re right, this is a form of harassment, and it needs to be recognised as such.

buro93y ago

This.

I used to work there, and there wasn't a global "do this for this browser" (except for a little bit to reduce annoyance specifically for the Tor browser).

lwthikerOP3y ago

I think they have different plans and configurations for their anti-bot service [1]. I'm not sure though because I'm not using their services.

[1] https://developers.cloudflare.com/bots/get-started/

dylan6043y ago

Is there a meme like name along the lines of "self-own" when you go online and have a tantrum about someone doing something to you only to find out it's your own doing that caused the issue?

number63y ago

Maybe this one? But it lacks the self reflection:

https://knowyourmeme.com/memes/baton-roue

zinekeller3y ago

1 more reply

Aachen3y ago

I mean, with that market share, popularity among open source fans... it's an easy group to target and filter oddballs.

detritus3y ago

Not saying I should have to accept that, but that's what it was.

Certainly not 'regularly'.

marcosdumay3y ago

I also do really not experience it "regularly", but different people visit different sites.

That said, the one problem I get most often is this Cloudfare one.

coffeefirst3y ago

SoftTalker3y ago

There are several plugins for Firefox that make this easy.

2 more replies

lwthikerOP3y ago

[1] https://web.whatsapp.com

3 more replies

OJFord3y ago

I don't even have another browser installed.

1 more reply

Silhouette3y ago

I'm a firefox user too and whilst I occasionally bump into some situation as you describe where I need to hop onto Chrome, I genuinely can't remember the last time this happened.

Sadly I find it happens more and more often, even with important things like financial services.

1 more reply

Hedepig3y ago

At work I have to reject a call on slack and ask they make a "huddle" instead.

Barrin923y ago

On large international sites the likelihood that Firefox works flawlessly is pretty high. But a lot of regional service providers appear to kind of have given up on it.

bencollier493y ago

pmontra3y ago

jtuente3y ago

It's common enough that you recognize that you need to use a chromium browser, that's entirely too common. As a recent example, UPS tracking was/is broken on Firefox.

davidhay3y ago

Same, firefox works as it should for me.

deknos3y ago

i do not experience as much as your pre-poster, but i also experience it. "just use chrome"

cleandreams3y ago

Firefox use, same.

GekkePrutser3y ago

I don't even have chrome installed and never need it to be honest.

Except for some boneheaded sites that refuse FF entirely ( https://business.apple.com is such an offender) I don't have issues with sites not working.

Edit: it looks like even Apple has got their act together now, it seems to support Firefox now too. Finally

CamperBob23y ago

I just followed your link and it says, "Your browser is not supported. We recommend using the latest version of Safari, Microsoft Edge, or Chrome."

So apparently Firefox is subversive and scary enough to make Apple refer me to Microsoft or Google to avoid it. I guess that's what passes for "Think Different" at Apple these days.

1 more reply

throwlllllllll3y ago

Don't get me started on banks and accounts! It's like they WANT me to take the simple, easy, forbidden paths.

phh3y ago

kordlessagain3y ago

Firefox is fast, so maybe it's getting flagged because people are using it with webdriver to crawl sites. Just a hypothesis.

lfkdev3y ago

Cool Username

Aachen3y ago

Appreciated :). I see you're from nearby, might you happen to be looking for dev or security work? (For anyone else reading this, remote is also possible. Contact in profile, to not spam the thread.)

I'm not actually from Aachen myself, but nearby in NL and I work in Aachen nowadays and wasn't sure what username to choose.

shaicoleman3y ago

A workaround is to install the Privacy Pass extension to bypass the captchas [1] [2]

I'm not happy about installing extensions just to view some websites, but it'll make things less painful

1. https://privacypass.github.io/

2. https://support.cloudflare.com/hc/en-us/articles/11500199265...

dingleberry4203y ago

Deanonymizing yourself just to appease cloudflare is not a valid solution. Any website should work in any browser out of the box. If they don't, the website is broken.

shaicoleman3y ago

1. https://privacypass.github.io/

> Deanonymizing yourself just to appease cloudflare is not a valid solution

I'm not claiming it is a valid solution, I'm just sharing a possible workaround.

2 more replies

shadowgovt3y ago

> If they don't, the website is broken.

2 more replies

lowwave3y ago

>Deanonymizing yourself just to appease cloudflare is not a valid solution. Any website should work in any browser out of the box. If they don't, the website is broken.

I totally agree with you. I think maybe an upper limit per ip (maybe a bit higher for tor ips) would be need to prevent DoS type attacks.

trog3y ago

rezonant3y ago

eastdakota3y ago

Nope. Individual customer setting, not a Cloudflare policy. We work closely with the Firefox team on many projects.

my69thaccount3y ago

Aren't you not supposed to comment on individual customers?

tomcatfish3y ago

They aren't, they're commenting on company general policy and making the obvious deduction from that.

It's (literally) basic logic

gzer03y ago

Incredible. I just changed my user-agent whilst on the Google Chrome browser.

  * Changing to Firefox immediately displayed the Cloudflare error message
  * Edge had no errors
  * Chrome had no errors
  * Safari had no errors

Edit: Even internet explorer 9, android kitkat, and the opera browser had no errors.

Edit 2: as another user has pointed out, this is most likely a firewall rule put in place by the website operator themselves.

jefftk3y ago

Do you see the error when testing with Firefox, though?

Receiving a "you look like a bot" message when using Chrome configured to pretend to be Firefox isn't very surprising.

existencebox3y ago

(Disclaimer, MSFtie, all opinions are my own)

leereeves3y ago

I can also confirm this on Firefox. With JS enabled I get the challenge from Cloudflare, and with JS disabled for g2.com, I get:

> Please turn JavaScript on and reload the page.

> DDoS protection by Cloudflare

tomerv3y ago

cpeterso3y ago

Are you using Firefox Focus on Android or iOS? Does the 5-10 second delay happen on all websites or a specific one?

itvision3y ago

I'm using VPN 99.9% of the time, so it's all the same for me.

The perks of living in a authoritarian state which tries to limit your access to the Internet.

StanislavPetrov3y ago

>The perks of living in a authoritarian state which tries to limit your access to the Internet.

Unfortunately these days this could be virtually anywhere.

1 more reply

dchest3y ago

Tested in Safari, got the captcha challenge. I doubt it's due to some specific Firefox block.

dan12343y ago

For me, it was fine in Safari and Chrome, but got the 'checking your browser' message in Firefox

CamperBob23y ago

This business of flagging legitimate downloads as "suspicious" is getting way out of hand. Here's what I'm dealing with lately:

https://i.imgur.com/ZzExHt2.png

LegitShady3y ago

I've been de-googling all of my services and software over the last couple years including a switch to firefox.

I have noticed cloudflare challenging me more and more often. I assumed it was related to privacy extensions like noscript, ublock, and privacy badger.

megous3y ago

dom.enable_event_timing / dom.enable_performance_navigation_timing

I only figured what was wrong after a month of no access to gitlab and other websites.

Operyl3y ago

I can’t reproduce what this article is claiming, even using a completely new profile. I’m only a size of one for this perspective though.

134153y ago

Same for me, my Firefox with all kinds of adblockers is not flagged.

gfs3y ago

I'd be curious to see if this is the case for other sites that use Cloudflare bot protection as well. There are a bunch of ways to tune the service so maybe they are just extra cautious?

rezonant3y ago

It is definitely this. My websites on Cloudflare are not exhibiting this behavior with Firefox...

dowath3y ago

Could it have anything to do with the Tor browser being based on Firefox?

jtbayly3y ago

This is absolutely my thought.

shadowgovt3y ago

> Open-source browsers are an important part of the web and should not be treated differently than their closed-source counterparts.

NelsonMinar3y ago

Cloudflare provides service both for Firefox VPN and Firefox DNS over HTTP. Or at least did recently, I don't think anything's changed.

https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare...

https://www.mozilla.org/en-US/privacy/firefox-private-networ...

ddispaltro3y ago

Fedora Chrome (not chromium) user here, I get the full challenge too.

forgotmypw173y ago

russelg3y ago

Basically archive.is has an issue with the way Cloudflare DNS does things. This will also affect DNS over HTTPS as Cloudflare is the default DoH provider in Firefox.

SkeuomorphicBee3y ago

For me it was even worse, I got a straight "Access denied" with no captcha or recourse. (Firefox, Linux)

erung883y ago

I don't think one can conclude anything with just 1 site being blocked by www.g2.com using Firefox. More tests will show a clearer picture:

What about using another OS?

What about using another IP address?

What about other websites? Is the issue only repeatable with www.g2.com?

What about using mobile phone browser instead?

realusername3y ago

I can confim the behavior on mobile

jmclnx3y ago

I have been seeing this issues also, very odd, workarounds I tried do not get around the issue.

>If this behavior gets adapted on more sites, we can expect even more users leaving Firefox

But I will just not go to the sites instead of using something other than Firefox.

midislack3y ago

I just close the tab if Cloudflare pops up and I don’t visit the site again. I don’t trust or like Cloudflare and I suspect they themselves initiate DDOS’s even though I have no actual proof.

klepto693y ago

Maybe it's your IP. I tried it in Firefox and Edge. No problem

iamdual3y ago

The challenge screen has appeared on Google Chrome on a Linux distro.

Erlangen3y ago

Does it have to do with the main browser you use? I am running Debian, Firefox is main browser, while chromium is used occasionally. I got captcha for Chromium, but not Firefox.

ummonk3y ago

I hit the “checking your browser” quite often, as well as hitting captchas. I assume this means my adblocker / tracking blocker (in Safari) is doing a good job.

tuankiet653y ago

I got HCaptcha-ed while using Chromium + uBlock Origin (no other privacy extensions / settings as far as I think). Happens both in normal and incognito mode.

rbut3y ago

Same HCaptcha in Brave.

I then tried in Firefox and only got the delay mentioned in the article.

Note that I am also browsing via a VPN.

vanous3y ago

Tested on Android with Fennec (Firefox without telemetry), FOSS browser and Midori. Only Fennec gets the challenge. Even such obscure browser like Midori is OK.

santamex3y ago

Every time I login to gitlab.com with Firefox I get this screen. I thought that was normal. Because it is like this for months or maybe years already.

t_mann3y ago

Can confirm that I got that exact challenge only on Firefox at least a week ago, although only on one site. Still getting it now.

klepto693y ago

Tried it, didn't stop me viewing the page, no delay either

baisq3y ago

Dylan168073y ago

It might say "more" about how much bot traffic the site is getting, but it is also making some very clear statements about user agent. Those don't contradict at all.

lobocinza3y ago

I use Chromium and was served the challenge.

robonerd3y ago

We're regressing to a state reminiscent of the dark IE years.

pjmlp3y ago

Even if FOSS fans don't like it, it is iOS/Safari that is the last block preventing the Web platform to be finally renamed to Chrome OS.

robonerd3y ago

ocdtrekkie3y ago

Unfortunately there are literally activists promoted to ending that final stand protecting the open web.

1 more reply

tyrfing3y ago

userbinator3y ago

when developers collectively decided

Based entirely on propaganda from the one company that is rapidly taking control of the whole Internet.

account423y ago

> Mozilla focuses on more abstract advantages, like privacy

Mozilla marketing focuses on that. Mozilla development still uses opt-out telemetry, experiments on users without consent and they still have Google Analytics on their websites.

Terry_Roll3y ago

usr11063y ago

I have got this on gitlab.com every morning when I log in for at least a year. (We are a paying customer.) I use Firefox with Coookie Auto Delete.

(I have no idea whether keeping cookies or using a different browser would avoid the visible challenge. I just don't care.)

Edit: I would really hate it if I had to do free Google captcha labor. Or fill the AWS one which always takes me 3 attempts to get it right.

j / k navigate · click thread line to collapse