Browser is blocked by Akamai and Cloudflare

I have the same with Akamai and Cloudflare. It does not matter how many captchas I fill in (Cloudflare), it does not let me through. We could start a topic at https://community.cloudflare.com/.

It is possible to check your Akamai reputation here: Client IP Reputation Lookup. For my IP it says that I did not receive a bad risk score.

You can’t; if you try to go to https://community.cloudflare.com/ you will get the same infinitely loading page that @throwaway69 mentioned above.

It seems to me that an established and well-known public company stands a better chance of contacting cloudflare and enacting change than any of us Joe Randompersons, who to cloudflare are just the next scammer trying to get unblocked. Jolla might already use cloudflare for e.g. the jolla.com or sailfishos.org domains, in which case they could use their existing contract to raise a support case.

However, even if we could, as outlined above by @direc85 this is really a problem with the browser itself. It is either doing something it shouldn’t do, or failing to do something it should do. As the creators and maintainers of the browser (specifically this one built into the OS itself) it should fall to Jolla to address problems with their for-money product.

A good first step would be to acknowledge that there is a problem by removing the false ‘fixed’ tag and adding this to their official tracker instead @flypig .

2 Likes

My guess is that DDoS will give, for example, a 307 response for the first HTTP request and set some sort of access token in the browser for the next requests. Maybe even requiring multiple TLS handshakes before access to the site is allowed. That forces a DDoS attacker to do multiple requests to get a single request on the site. Maybe some trick that Akamai uses in that process won’t work properly on the Sailfish browser.

I don’t quite get the point of this thread but all pages mentioned in this thread appear to work fine for me, e.g. cloudflare. (Xperia 10ii, SFOS 4.4.0.68.)

The issue is clearly related to cookies, and there is an easy workaround: revoke the sites’ permissions to access cookies. The only drawback is that then the sites keep pestering you about the cookies, but at least you aren’t blocked.

1 Like

Depends on the mechanism, 4chan captcha gives this if you disable cookies: Please enable Cookies and reload the page.
Android Firefox manages to bypass this, so in theory you can extract the cf_clearance cookie from there and add a header to each request; that should work for 24h (that’s how some Android apps bypass this afaik). Still a shame that so soon after the engine upgrade the browser becomes unusable again.

I also get a lot of these blocked messages. They almost all try to smuggle advertising shit in the mix that I /dev/null. So, I’m not surprised, and I don’t care cause they’re basically spam ware sites :)

Well, these are incompetent content providers. Just a small slice of bull:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location. (Reason: CORS request did not succeed). Status code: (null).

Ah, didn’t understand CSP. Fair enough. Who does.

Loading failed for the <script> with source “https://www.buienradar.nl/akam/13/14970cd3”.

Oops. 404. Well, it’s just javascript. Who knows what it does!???

Utter garbage (probably SEO spam page) that generates js errors like this:

Uncaught SyntaxError: expected expression, got '<'

If you examine the number and content of the errors produced by this site, including improper inclusion of google OAUTH stuff, it’s amazing that it works with … ah, chrome maybe. Dumpster fire of a website.

And as for modern, heavy, weather sites, look how clean, for instance, Germany Weather Radar Live Map - RainViewer is on the ancient SFOS browser. It’s just a properly engineered web site. Not quick on SFOS, but it renders cleanly with no errors.

99% of the web is garbage. And yes, we have an ancient browser, but I think we need a better list of ‘real websites’ that are a problem.

When 3.4 became 4.x I could no longer read a major newspaper. That got me looking. And I made a note of it here. That issue was fixed. But adding sites that are dubious/broken doesn’t help much.

My guess is that on DDoS protection, javascript calculates some “cryptographic” challenge. (proof of work)
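To make the two guesses above concrete (a first response that sets a token, and a proof-of-work challenge solved by JavaScript), here is a generic challenge gate as an added example. It is not from any poster in this thread and not Akamai's or Cloudflare's actual mechanism; all names, the difficulty and the 24-hour lifetime are assumptions. It shows which status codes a client sees when it cannot run the challenge script or does not send the cookie back.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # server-side signing key (constructed)
DIFFICULTY = 12                   # leading zero bits required (assumed)
TTL = 24 * 3600                   # clearance lifetime in seconds (assumed)

def _sign(value, ip):
    return hmac.new(SECRET, f"{value}|{ip}".encode(), hashlib.sha256).hexdigest()

def _valid(token, ip):
    # A token is "<value>.<hmac>", bound to the client IP it was issued to.
    value, _, tag = (token or "").partition(".")
    return hmac.compare_digest(tag.encode(), _sign(value, ip).encode())

def _pow_ok(challenge, answer):
    digest = hashlib.sha256(f"{challenge}:{answer}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - DIFFICULTY) == 0

def solve(challenge):
    # Stand-in for the challenge script a browser would run.
    answer = 0
    while not _pow_ok(challenge, answer):
        answer += 1
    return answer

def handle(ip, cookie=None, challenge=None, answer=None, now=None):
    """Return (status, set_cookie, new_challenge) for one request."""
    now = int(time.time()) if now is None else now
    expiry = (cookie or "").partition(".")[0]
    if _valid(cookie, ip) and expiry.isdigit() and int(expiry) > now:
        return 200, None, None                      # cleared: serve the page
    if answer is not None and _valid(challenge, ip) and _pow_ok(challenge, answer):
        expiry = str(now + TTL)
        return 307, f"{expiry}.{_sign(expiry, ip)}", None  # redirect + cookie
    nonce = secrets.token_hex(8)
    return 403, None, f"{nonce}.{_sign(nonce, ip)}"  # challenge page

def browse(ip, runs_js=True, keeps_cookies=True, rounds=4):
    """Simulate a client; returns the status codes it sees."""
    seen, cookie, challenge, answer = [], None, None, None
    for _ in range(rounds):
        status, set_cookie, challenge = handle(ip, cookie, challenge, answer)
        seen.append(status)
        if status == 200:
            break
        cookie = (set_cookie or cookie) if keeps_cookies else None
        answer = solve(challenge) if challenge and runs_js else None
    return seen
```

In this sketch a client whose engine fails the script only ever sees the challenge page, and one that solves it but does not return the cookie alternates between challenge and redirect without reaching the site.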

@d.geelen Luckily the sailfish browser is not the only browser I have.

Some other browsers had an issue like this 3 months ago. When they addressed it, cloudflare fixed it after a while. Tell HN: Cloudflare Is Blocking Firefox Forks Waterfox Classic and Pale Moon | Hacker News

Disabling cookies seems to help.

Um. That script failed to load (FF, debian, not sfos) so it’s not calculating anything … :->

Could someone please update the title to include cloudflare? I can’t seem to do it from my phone and I’m ‘on the road’ :)

@flypig I see the ‘fixed’ state is editable in the wiki, do you mind much if we set it back to ‘open’? As this really is an open problem and is only expected to get worse as more sites use akamai/cloudflare or a third protection racket starts blocking the browser.

2 Likes

I’ve switched it from ‘fixed’ to ‘pending’. Just to clarify, the aim of both these tags is to avoid this being a recurring output from the Bug Coordination Team’s bug tracking scripts.

From what I understand Akamai and Cloudflare have heuristics for deciding whether to block a browser, and application of these is controlled by individual customers. The heuristics can go to the level of measuring the rendering speed of individual elements on a page, so finding a general solution may be tricky.

https://techdocs.akamai.com/cloud-security/docs/detection-methods

Even if there’s no general technical solution that will work for all sites, that doesn’t mean it’s not worth exploring workarounds for specific sites of course.

Has anyone enjoyed any success from contacting the blocking sites? It’d be useful to collect that info in case anyone has. Did you receive any response from Gigantti @direc85?

4 Likes

I haven’t gotten a reply from them yet…

I browsed around lippu.fi for a while and couldn’t reproduce it anymore, so I updated the post (and fixed the typo in the URL).

1 Like

You don’t want to be on Cloudflare’s naughty list | Ctrl blog

Somewhat related: this guy got his whole internet blocked for a week, and he never managed to even figure out why.

Relevant quote:

I’m unsure if my IP reputation was classified with a high bot score (likely automated requests) or given a high threat score (likely malicious request). Cloudflare doesn’t offer end-users any way to dispute or even check their IP reputation scores. The company doesn’t offer end-users any support at all. Everything is automated.

The worrying thing here is that it’s unknowable why the blockade happened. I fear that we too may be at risk because our phones keep tripping up cloudflare, akamai, etc. What if one day I try to access one too many of these sites from my phone, and my home IP gets put on the blocklist by some bot because of it?