Browser is blocked by Akamai and Cloudflare

I’ve reached out to Adam Martinetti from Cloudflare (PM of challenge platform), as he was offering his help in a recent HN thread to Firefox users that get endless challenge. Did get a reply (yay) and he’s optimistic, as they managed to get Waterfox users’ issues fixed. The only problem is I don’t think there is a way for us to get a HAR file from our browser when it fails a challenge (gets into an endless loop). I did send him logs from a GitLab user login, but I’m not sure if that has all the info that a HAR would. Does anybody know how to get our browser to generate a HAR file? Any Jolla devs maybe have a secret build with dev tools enabled (and a secret right-click option too I guess)?

9 Likes

One can build the browser with debug enabled or something like that, there are instructions on the github repo for that

Debug will most likely just contain symbols for debugging crashes with gdb. Dev tools, I’m assuming, require even newer packages than the standard build, and as it’s practically unusable on mobile (no right click etc.) and would add to memory consumption, it is probably skipped. But maybe someone out there built with the dev tools included?

Hmm… made me think… it would be nice if devtools.debugger.remote-enabled about:config preference would work… Newer Firefox browsers have a GUI option for this.
I haven’t been able to see an open listening port for this option though. It might require some ssh forwarding if you figure out an option that works.

1 Like

Just my two cents, but I’m not at all experiencing this issue on Cloudflare sites using the SFOS browser in the latest 4.5. I’m not disputing browser improvement is needed, but it may be more than just the browser leading to some being classified as inadmissible or getting trapped in verification loops. I do sometimes have trouble with Cloudflare if I’m on a VPN such as NordVPN, but changing browsers in those cases (my alt is Brave under Alien Dalvik) has never solved that.

So yeah, this is not going anywhere, he sent the logs to his engineers and they claim they do not contain the information they need (30 seconds of few challenges failed generated 20Mb so doubt, just their automated tools are probably custom made for HAR files and no engineer is going to bust his ass to parse all that data, pretty sure nsHttp:5 logging level has everything HAR files have and much more). Apparently their challenge platform has problems with privacy-focused browsers that override ‘referer’ headers, but pretty sure the SFOS browser doesn’t do this, and it was enough to grep the log file for ‘referer’ to see that this data was of course there and looks pretty much the same as what you get from desktop Firefox. Looks like the only way is to inform platforms that use Cloudflare they are blocking real customers and losing potential business (if you have a project on GitLab let them know I guess, maybe they can dial down their WAF to 9 instead of 11, as Cloudflare is unlikely to change this).

4 Likes

So you managed to get har files from sailfishos-browser? How?

It is pretty odd that they want client-side logging for something like this.
When I almost got a response, they just wanted the id string thingy from the error.
But their useless forum closes everything automatically after two weeks, so no follow-ups were possible.

BTW: can the emulator run the browser, so they may be able to self-serve in pointing it against somewhere they have extra logs enabled?

No, just logging from about:networking. If you enable all modules it generates tens of megabytes per minute. HAR files contain pretty much what the nsHttp module logs about requests (headers (size), cookies, url, querystring, content); the module throws pretty much everything at level 5 for debugging, so it’s all there, just not in JSON.

3 Likes
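As an added illustration of the point in the post above (not code from any participant in this thread or from the browser project), the sketch below pulls request header blocks out of an nsHttp log and emits HAR-style request objects. It assumes the log brackets each request's headers between an `http request [` line and a `]` line, with the thread name in square brackets before the module tag, and it assumes an `https` scheme because the header block does not carry one; the function names and the sample log are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed line layout: "<timestamp> - [<process>: <thread>]: <level>/nsHttp <message>"
LINE = re.compile(r"\[([^\]]+)\]: [A-Z]/nsHttp (.*)$")

def build_request(lines, scheme="https"):
    """Turn one collected header block into a HAR-style request object."""
    parts = lines[0].split(" ") if lines else []
    if len(parts) != 3:
        return None  # first line is not "<method> <target> <version>"
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append({"name": name.strip(), "value": value.strip()})
    host = next((h["value"] for h in headers if h["name"].lower() == "host"), "")
    query = [{"name": k, "value": v} for k, v in parse_qsl(urlsplit(target).query)]
    return {"method": method, "url": f"{scheme}://{host}{target}",
            "httpVersion": version, "headers": headers, "queryString": query}

def nshttp_to_har_requests(log_text):
    """Collect every 'http request [' ... ']' block, tracked per thread."""
    open_blocks, requests = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, msg = m.group(1), m.group(2).strip()
        if msg == "http request [":
            open_blocks[thread] = []
        elif thread in open_blocks and msg == "]":
            req = build_request(open_blocks.pop(thread))
            if req:
                requests.append(req)
        elif thread in open_blocks:
            open_blocks[thread].append(msg)
    return requests

# Constructed sample, not taken from a real capture.
SAMPLE_LOG = """\
2023-10-01 10:00:00.000000 UTC - [Parent 4242: Main Thread]: D/nsHttp nsHttpChannel::Connect [this=0x7f00]
2023-10-01 10:00:00.000100 UTC - [Parent 4242: Socket Thread]: I/nsHttp http request [
2023-10-01 10:00:00.000200 UTC - [Parent 4242: Socket Thread]: I/nsHttp   GET /users/sign_in?redirect=1 HTTP/1.1
2023-10-01 10:00:00.000300 UTC - [Parent 4242: Socket Thread]: I/nsHttp   Host: gitlab.example
2023-10-01 10:00:00.000400 UTC - [Parent 4242: Socket Thread]: I/nsHttp   Referer: https://gitlab.example/
2023-10-01 10:00:00.000500 UTC - [Parent 4242: Socket Thread]: I/nsHttp ]
"""
```

Wrapping the returned list as `{"log": {"entries": [{"request": r} for r in requests]}}` gives the outer shape HAR tooling expects; response bodies and timings would need further log messages that this sketch does not parse.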

Yeah, on HN he was just asking for the Ray ID (that’s listed on the bottom of the page), and seeing how many responses he got, their product still has tons of false positives (weirdly enough a lot of FF forks affected, then again they also broke all 4chan apps when they started requiring a higher Android WebView version all of a sudden, so it’s not only FF users that get to feel the quality of their work).

1 Like

Thanks for sharing and for trying to reach out to them about this problem.

1 Like

I think the problem may get worse still: https://blog.cloudflare.com/turnstile-ga/

Cloudflare is switching off traditional captcha challenges (which we might still have been able to pass) in favour of their own bot detection, which is the one we have been running into. So I expect even more sites to become blocked by this protection racket.

3 Likes

If I wasn’t such a civilized person, I do believe I’d declare war on Cloudflare. Yet another ‘capture the market’ and ‘enshittify the market’ story. When are consumer advocates going to get enough clout?

7 Likes

To be fair, Browser uses ESR 78, which was released more than three years ago, so we can’t reasonably expect it to work with the newest whatever technologies. Let’s hope the ESR 91 in the works fixes the issue “as a side product”!

I don’t agree with this. I have browsers that are completely compliant with the standards that won’t be served by them. That is breaking a pledge to abide by standards. The fact is you can use a browser like links/x that introduces LESS variables (XSS bullshit, most js nonsense) and that counts against you? http://www.sierra.com/ doesn’t even deem it necessary to send a response (to lynx) at all. wtf? If it’s a 403 (while this is just a DOS) then at least tell me that!

Letting a monopoly-position CDN/edge proxy determine web standards is about as good as letting a weapons manufacturer determine the rules of war.

5 Likes

I’m pretty shocked that apparently a sympathetic search engine like ecosia.org is hiding behind cloudflare, anyway I’m stuck in this stupid loop.

1 Like

I contacted Ecosia and made them aware of the problem. Let’s see what happens.

Pale Moon blocked by CF too:
https://forum.palemoon.org/viewtopic.php?p=250208#p250208
Not really sure which Gecko version they are using (they rebranded it as Goanna?), but it seems the latest gets pulled when they compile UXP/XUL, so even disabling FF features mostly will get you called a bot by CF it seems, not looking good.
Edit: then again all version numbers they mention seem ancient (68?)

Pale Moon uses its own fork of Gecko ESR 52.

They added 8000 commits on top. It’s the continuation of Gecko, but without using Rust. It’s probably behind ESR 78 function-wise (my guess).

https://repo.palemoon.org/MoonchildProductions/UXP/commits/branch/master?page=148

2 Likes