Cloudflare's Bot Bouncer Blocks Weirdo Browsers

Users of some of the less well-known web browsers are getting blocked from accessing multiple sites by Cloudflare's flaky browser-detection routines.

Aside from reporting it on Cloudflare's forum, there appears to be little users can do, and the company doesn't seem to be paying attention.

Cloudflare is one of the giants of content distribution network. As well as providing fast local caches of busy websites, it also attempts to block bot networks and DDoS attacks by detecting and blocking suspicious activity. Among other things, being "suspicious" includes machines that are part of botnets and are running scripts. One way to identify this is by looking at the browser agent and, if it's not from a known browser, blocking it. This is a problem if the list of legitimate browsers is especially short and only includes recent versions of big names such as Chrome (and its many derivatives) and Firefox.

The problem isn't new, and whatever fixes or updates occasionally resolve it, the relief is only temporary and it keeps recurring. We've found reports of Cloudflare site-blocking difficulties dating back to 2015 and continuing through 2022.

In the last year, The Register has received reports of Cloudflare blocking readers in March, again in July 2024, and earlier this year in January.

Users of recent versions of Pale Moon, Falkon, and SeaMonkey are all affected. Indeed, the Pale Moon release notes for the most recent couple of versions mention that they're attempts to bypass this specific issue, which often manifests as the browser getting trapped in an infinite loop and either becoming unresponsive or crashing. Some users of Firefox 115 ESR have had problems, too. Since this is the latest release in that family for macOS 10.13 and Windows 7, it poses a significant issue. Websites affected include science.org, steamdb.info, convertapi.com, and – ironically enough – community.cloudflare.com.

• Cloudflare hopes to rebuild the Web for the AI age – with itself in the middle
• What happens when someone subpoenas Cloudflare to unmask a blogger? This...
• 2024 according to Cloudflare: Global traffic up, Google still king, US churning out bots
• Cloudflare broke its logging-as-a-service service, causing customer data loss

According to some in the Hacker News discussion of the problem, something else that can count as suspicious – other than using niche browsers or OSes – is something as simple as asking for a URL unaccompanied by any referrer IDs. To us, that sounds like a user with good security measures that block tracking, but it seems that, to the CDN merchant, this looks like an alert to an action that isn't operated by a human.

Making matters worse, Cloudflare tech support is aimed at its corporate customers, and there seems to be no direct way for non-paying users to report issues other than the community forums. The number of repeated posts suggests to us that the company isn't monitoring these for reports of problems.

We have asked Cloudflare to comment, and we'll update this story if it gets back to us. ®

Bootnote

Our thanks to Reg readers Ian West and previous commenter and Certified Fraud Examiner Andy Prough for bringing this to our attention, as well as Pale Moon maintainer "Moonchild."