by AegirLeet 1047 days ago
I've had the exact same problem for a while. Here are some of the sites I've been unable to access (found by searching for "just a moment" in my browser history):

- https://gitlab.com/users/sign_in

- https://steamdb.info/login/

- https://www.zabbix.com/forum/

- https://casetext.com/

- https://namemc.com/login

- https://spinroot.com/

- https://camelcamelcamel.com/

It's really annoying and Cloudflare is apparently doing nothing to fix it as this has been going on for months if not years. I guess Cloudflare just hates the open web and really wants to enforce Chrome/Chromium/Blink hegemony.

9 comments

Would you be willing to share a rayID you see during one of these looping challenges? I'm the PM for Cloudflare's challenge platform, and we'd love to look into this. RayIDs contain no PII so you can share publicly, or feel free to drop me an email at amartinetti at cloudflare.

We'll also release a reporting mechanism soon, so in the future you can let us know when you see these issues and we can react to them quickly.

Such a classic and incredibly annoying SaaS PM move. Pinky-promise that you mean well, pretend to be invested in the issue, ask customers to supply evidence and say you'll look into it, followed by radio silence and no follow up whatsoever.

Incidentally, another Cloudflare PM for Pages asked me to do the same thing--I shared my account ID, the request, the problem, timestamps, etc...never heard back ever, request went straight into the void.

Yup. It's all show.

A service has injected itself between you and your goal, it's going to periodically impede you from reaching that goal and then lie to you about why, all while making money off of the arrangement.

Isn't it more like the owner of the website has intentionally gone out of their way to add a service between you and the website to solve issues the website owner feels are more important than you?

Here are some loop samples:

- Gitlab; Ray ID: 7f3961b4ec46c443

- Zabbix; Ray ID: 7f39624d982bc32e

- NameMC; Ray ID: 7f3962e68d251871

- Camelcamelcamel; Ray ID: 7f3962eb9cbb421f

Easily can recreate at least the never ending loop by flipping on ublock origin's 3rd party scripts and 3rd party frame blocking, which matches their recommended medium settings.

Thanks so much to you and everyone else who's supplied these. I'm collecting them now, and the team is looking into this.

It would be nice, once the investigation is concluded, if you guys posted the findings on the cloudflare blog. Otherwise it would just feel like a "your call is very important to us, please hold" kind of situation.

I think this is fair! I can promise a public blog update in the next 90 days that includes a progress update on the work we're doing now to reduce real humans being blocked and announcing the feedback form users can click on to easily let us know when there's a problem.

Would you be able to clarify your comment about ublock origin? Cloudflare's challenge page (any captcha provider as well) is a third party script. If I enable these settings I don't see the challenge load at all. Are you enabling ublock origin before entering the challenge or sometime later?

Here's a handful:

- 7f395b5ddfe43a54

- 7f395ca09bfa3a54

- 7f395d8afaf73a54

- 7f395f075e33690d

- 7f396102afef35fd

Thanks for the examples! Would you be able to share browser and extension information with me? If you don't want to share publicly I've dropped my email in this thread.

I also cannot access my VPS provider when using firefox.

ray id 7f3a169d4e630306

I previously had the same problem with ungoogled-chromium as well (regular chromium worked), but I guess it works now after 2-3 loops.

Would you be able to drop me an email at amartinetti at cloudflare dot com with more information on your setup? Some of the signals we're getting from your browser don't seem to match what we'd expect to see. We'd love to better understand what's causing the mismatch so we can improve our logic.

all from Opera Mini:

- https://gitlab.com/users/sign_in 7f3e45c3cebfb90f

- https://steamdb.info/login/ 7f3e4a04bf7a0e39

- https://www.zabbix.com/forum/ 7f3e4b681f8f1cc6

- https://casetext.com/ 7f3e4cab4af40b05

- https://namemc.com/login 7f3e4debdf6cb7f1

- https://spinroot.com/ loads normally, no delay or blocking

- https://camelcamelcamel.com/ loads normally, no delay or blocking

Adammartinetti, I appreciate your interest in doing this, but would love to hear that CF maintains a giant white board in the developer area with the name of every TLS 1.3 web browser known to mankind (the same data on a Group Policy-enforced internal home page would be even better), to reinforce the idea that it takes more than Google to make the world go round.

Personally, I'll add myself to the list of people who think you've created a game you can never win, and thus shouldn't be playing.

gitlab 7f39759e1abe1bce

casetext 7f39762f693733e4

steam 7f397694995aa3b7

all over firefox

- Gitlab: 7f39707d0fa023af

- Zabbix: 7f3970eabe8ff196

- SteamDB: 7f396f534b0400d2

- Casetext: (works)

- NameMC: 7f3971a01a22d5a8

- Spinroot: (works)

- Camelcamelcamel: (works)

I'd love to get more information from you on this. We don't see any suspicious signals from these attempts, and it looks like they were completed 100% successfully from our perspective. You can drop me an email at amartinetti at cloudflare dot com.

It happens to me all the time. And it has been going on for years, but it's getting noticeably worse over time. One way or another you have to pay to use the web, be it costing you loss of access because of your strict privacy settings or paying by giving away your privacy. There's no win here.

I haven't had any problems on Waterfox. However, it is absurd to me I need javascript to simply visit a website anymore.

Sadly, the fact a given site works for you or me is no guarantee it works for someone else.

These bot detection systems tend to use all manner of imprecise statistical heuristics and weird fingerprinting.

Perhaps AegirLeet has a graphics card that a popular web scraper pretends to have. Maybe they're in a suspicious timezone. Maybe they've installed a font usually only found on a different operating system. Maybe I'm never blocked because I have an excellent IP reputation, due to regular visits to approved websites.

Fingerprinting is scarily accurate now, strangely. https://fingerprint.com/

Somehow, it doesn't matter. Like the fact that the author shared non-repudiable identification information with the site also didn't matter and he was classified as a robot anyway.

As a data point, enabling privacy.resistFingerprinting on Firefox defeats this website.

Yeah, starting that invisible pixels and cookie tracking are way in the past and unless you're using something like Tor (and not changing the resolution) then they know who you are. I mean you can still block ads and cookies, but I figure they really do know who you are.

that’s because websites have evolved into web apps.

Most websites haven’t done that

Yeah, gitlab also blocks me from logging in (via its cloudflare use). It did so even when we paid for it. We no longer do. (for other reasons, but anyway, good riddance)

Users want Chrome hegemony and don't care about the open web or Firefox. It's the #1 browser on desktop even though it doesn't come with the OS. Windows comes with Edge and Macs come with Safari. Users have to download Chrome.

All browsers so far have come and gone in popularity. Even when it seemed unimaginable.

But today everything but Firefox is Chromium.

That's a little different

And 20 years ago everything was IE (at >90% penetration)

The problem is Chromium, not Chrome

Like you have the illusion of choice, that's what I'm talking about and that's different

Firefox entered into a contract per-install with Google that did no evil while Google iirc was building their own browser secretly.

Browser engines are now open source a lot more than they were.

I don’t think it’s about illusion of choice as much as some browsers actively working to degooglify themselves from Chromium and maintain it.

Some browsers are maintaining their own forks, others aren’t.

I've noticed the same issue for years. The Microsoft acquisition pushed me from Github to GitLab. CloudFlare pushed me back.

If only there was some open standard for browsers to verify that a real human is visiting a website, so that website owners wouldn't have to rely on bespoke hacks that only work in chrome.

This would be great if it didn’t have any downsides. China has a system like that: QR code to login everywhere. Everything is linked to your phone number which is given after taking a picture of you and official ID.

We are gonna have to live in a slightly bot-rich society to keep this at bay.

It starts with browser control. And then, ends with needing human verification to ssh into a server that you own. Let’s just build better security.

The problem isn't that the hack only works in Chrome, it's that the system being proposed is inherently terrible regardless of how it's implemented.

There is no such thing as a reliable standard for browsers to verify that users are human that does not harm the open web or threaten user autonomy and accessibility. Every single accessibility standard and user choice about extensions and access is abusable by malicious actors, and every security measure to block abuse of automated scraping or access also blocks valid use cases.

Making it a web standard won't change that fact.

Yes, an open standard that any browser could use to prove human interaction would be great. It's also impossible, of course; all attempts so far lock in specific software or hardware stacks and then pretend that bots can't use those systems, guaranteeing both false negatives and false positives.

They're booing, but you know you're right. ;)

I see the "are you human" on there with a click, but no looping, it goes straight to the website

I can access them all fine using Firefox on Android.