Skip to content(if available)orjump to list(if available)

Firefox appears to be flagged as suspicious by Cloudflare


(I’m responsible for Cloudflare’s L7 security products)

While we can’t comment on the specifics of any customer configuration, we do not block or challenge Firefox by default—either with our Bot Management products or with any other L7 security controls.

You can confirm this by signing up a free zone and making a request from Firefox.


You're saying there's not a simplistic "block Firefox rule" right? But, the user agent is surely one of the weighted features going into your ML stew. So it's plausible the poster is seeing that Firefox sends some calculation over the edge and causes blocking for them.

That is, you're not saying "Firefox doesn't change the scoring at all", right?


To add, without knowing the homepage firewall rule g2 has set up, we won't know exactly what sort of rules is triggering this, although the most likely signals they're using are either bot scores[0] or threat scores[0].




Appreciate the speculation, but using Firefox does not increase your likelihood of being flagged as a bot nor does it increase your threat score.


Care to back that up with data? The link above is demonstrating the opposite.


Can customers configure Firefox as one of the criteria for a challenge?


Customers can create firewall rules to challenge requests using any type of request metadata. User agent is one of the filters, that can be used in manual Firewall fields.







By “this” do you mean the fact that “we do not block or challenge Firefox by default”?


This is almost certainly a firewall rule put in place by the operators of that site. My own sites which are protected with Cloudflare do not exhibit this behavior when using Firefox.


Privacy preserving extensions like uBlock Origin, Canvas Blocker, Decentraleyes etc. used in Firefox also trigger the CloudFlare wall of harassment. Some of the actions of these extensions prevent browser fingerprinting and CloudFlare gets easily confused when this happens and unnecessarily triggers a lot of challenges for a user. You can easily get sucked into the blackhole of captchas - sometimes even solving 5+ captchas isn't enough to convince them that you are a real human.


>> CloudFlare wall of harassment

You’re right, this is a form of harassment, and it needs to be recognised as such.



I used to work there, and there wasn't a global "do this for this browser" (except for a little bit to reduce annoyance specifically for the Tor browser).

It is almost 99% certain to be a site operator firewall rule based on the browser user agent. This may even be accidental, they may have been hit by an aggressive bot using a UA string that matches Firefox and the site operator may not even realise they've done this (if they use Chrome, which is likely).


I think they have different plans and configurations for their anti-bot service [1]. I'm not sure though because I'm not using their services.



Is there a meme like name along the lines of "self-own" when you go online and have a tantrum about someone doing something to you only to find out it's your own doing that caused the issue?


Maybe this one? But it lacks the self reflection:


I think it's two-fold: rise of tools like curl-impersonate ( and the very consistent Firefox TLS fingerprint across platforms. Unlike Chromium (where you could differentiate a Linux, Mac or Windows computer from its chiphers, and so for example challenge only Linux clients), Firefox has NSS and NSS is used everywhere the Gecko engine is used while Chromium, although has BoringSSL for modern chiphers, also uses the underlying TLS stack of the operating system (whether it's Microsoft's SChannel, Apple's SecureTransport or Linux's... NSS). The only time Chromium uses a pure BoringSSL implementation is on Android (Conscrypt).



I don't imagine it's deliberate.

A bunch of cloudflare engineers are long-term ex-servo, ex-mozilla given their experience on Rust.




It's probably not a deliberate attack, but consider the incentive structure and the goals here.

Cloudflare is a site protection service. Their goal is to keep malicious traffic from griefing their customers. To do that, they have to distinguish malicious and non-malicious traffic. That becomes a game of trust, and if the user agent is masking its signal (or, more generally, making its signal less distinct) in the interest of privacy for its user, there are fewer trust hooks for Cloudflare to use to distinguish legit Firefox-shaped traffic from attacks.

Ironically, attempting to keep oneself anonymous can make one lest trustworthy. The server is always at liberty to refuse to serve.


That's pretty much what they did with Tor, yes.

Remember that Cloudflare's business model is MITM-as-a-service, they don't really like the idea of privacy.


I mean, with that market share, popularity among open source fans... it's an easy group to target and filter oddballs.

I'm a Firefox user and I'm used to this treatment at every step of the way, no matter if it's about software, airports, opening a bank account so I can receive a salary, etc. Fundamental things everyone wants to do are being made hard to do the right way. It's always anti privacy, anti self repair, anti longevity/sustainability, anti user freedoms, anti whatever we ideally want in this world. Of course using Firefox is now suspicious.


Really? I'm a firefox user too and whilst I occasionally bump into some situation as you describe where I need to hop onto Chrome, I genuinely can't remember the last time this happened. Nope, actually - sometime last year, with some poorly-coded gig ticket purchase thing, if I remember right. I was able to check the code and amend some stupid niggle in WebDev tools to get around it.

Not saying I should have to accept that, but that's what it was.

Certainly not 'regularly'.


I certainly do not see it on the frequency the GP is talking about. But it's there. Every once in a while there is a site that insists on throwing you into infinite captchas, on requiring some extra information, or just refusing to work just because Firefox won't spy on me for their benefit.

I also do really not experience it "regularly", but different people visit different sites.

That said, the one problem I get most often is this Cloudfare one.


Yeah, I find 99% of the web is fine but the exceptions are jarring. Fedex tracking is totally broken in Firefox. Quite a few sites still struggle without 3p cookies, which also affects Safari. Slack has some issues. It's also come up a few times while looking for a Google Docs replacement—several options are effectively Chromium only, which is ironic when you're only looking at them so you can avoid Google products.


Often, just changing the user agent string so that Firefox appears to be Chrome will let those sites work. I.e. they work fine in Firefox, but are restricted by user agent string checks to reject that browser and/or OS.

There are several plugins for Firefox that make this easy.


I wonder if those plugins are causing Firefox's marketshare to appear worse than it actually is.


I've used Firefox and Mozilla for what, 20 years? And I've never bumped into a situation like this. Some very clearly shit internal IT systems had pathetic IE requirements, but never one that said sorry go get chrome


For a while now I can't even access WhatsApp Web [1] through Firefox. It gets stuck on the loading page and keeps refreshing itself forever. I have to resort to Chrome whenever I need WhatsApp on my laptop.



If you time, please file a bug report on Mozilla’s with the steps you took and a screenshot. Mozilla’s webcompat developers will try to debug the website, reach out to the website’s web developers with a proposed fix, and until the website is fixed, add a site-specific intervention or UA override in Firefox itself, if possible.

Looks like there are already a couple bug reports about, but not the forever-refreshing page you see:


I don't think I can be of much help but WhatsApp web has been working for me on Ubuntu with all Firefox versions since WhatsApp web has been a thing. Did you try to start Firefox in safe mode, no addons and/or a fresh profile?


If anyone finds a solution it would be greatly appreciated. I have been cut off from a huge number of sites due to infinitely refreshing cloudflare.

It's absurd that this is even possible. They should at least provide troubleshooting advice for end users.


I don't even have another browser installed.


I'm an ex-webnik who still occasionally dabbles in web design, so have all of them installed.

Unused, mostly, but installed :)


I'm a firefox user too and whilst I occasionally bump into some situation as you describe where I need to hop onto Chrome, I genuinely can't remember the last time this happened.

Sadly I find it happens more and more often, even with important things like financial services.

What I haven't figured out yet is whether it's really the Firefox engine that is the problem or just that Firefox also provides better tools for blocking obnoxious trackers and the like. Maybe because I have those tools turned on by default more sites using obnoxious trackers break in Firefox than other browsers. In most cases that is a feature not a bug but it's frustrating when essential functionality on sites providing essential services gets broken as collateral damage.


What I find most common is that the website has arbitrarily blocked firefox based on the user agent. The site works fine if you tell it you're using Chrome, so it's neither an engine nor a tracking issue.


At work I have to reject a call on slack and ask they make a "huddle" instead.


Just in the last month Firefox didn't work for me on my health insurer's site, my bank's site as well as when trying to request a mail-in ballot for a regional election. Obviously not Mozilla's fault, but for me at this point the browser isn't that usable any more because that's important services I need to have access to.

On large international sites the likelihood that Firefox works flawlessly is pretty high. But a lot of regional service providers appear to kind of have given up on it.


I don't even have chrome installed and never need it to be honest.

Except for some boneheaded sites that refuse FF entirely ( is such an offender) I don't have issues with sites not working.

Edit: it looks like even Apple has got their act together now, it seems to support Firefox now too. Finally


I just followed your link and it says, "Your browser is not supported. We recommend using the latest version of Safari, Microsoft Edge, or Chrome."

So apparently Firefox is subversive and scary enough to make Apple refer me to Microsoft or Google to avoid it. I guess that's what passes for "Think Different" at Apple these days.


I tried spoofing Safari's and Chrome's User-Agent string in Firefox and still blocks me because I'm not using a real Safari or Chrome. So they appear to be using feature detection of some API that's not available in Firefox. I see that the site also blocks Apple's own Safari browser on iOS.

Looks like this site was been blocking Firefox users since at least 2018, according to the bug report on Mozilla's issue tracker:


Don't get me started on banks and accounts! It's like they WANT me to take the simple, easy, forbidden paths.


My personal experience is that I do fallback some sites to testing in Chrome quite often, maybe once a week. But the number of times where using Chrome actually fixed the issue is maybe once a year? Really, it's just that I stumble on quite a number of broken websites.


Firefox is fast, so maybe it's getting flagged because people are using it with webdriver to crawl sites. Just a hypothesis.




Cool Username


Appreciated :). I see you're from nearby, might you happen to be looking for dev or security work? (For anyone else reading this, remote is also possible. Contact in profile, to not spam the thread.)

I'm not actually from Aachen myself, but nearby in NL and I work in Aachen nowadays and wasn't sure what username to choose.

If someone else would want it, I'm also fine passing it on. Dunno if there are guidelines on that actually but I'd consider an HN username like a domain name: finite, first-come-first-serve in principle, and hoarding is not cool.


A workaround is to install the Privacy Pass extension to bypass the captchas [1] [2]

It's an open source extension available for Chrome and Firefox. It allows to privately identify you're human, and is the process of going through IETF standardisation, so hopefully someday you won't need to install an extension for it. After you complete a captcha once, you won't need to do it again for a long time.

I'm not happy about installing extensions just to view some websites, but it'll make things less painful




Deanonymizing yourself just to appease cloudflare is not a valid solution. Any website should work in any browser out of the box. If they don't, the website is broken.


"The blind signing procedure ensures that passes that are redeemed in the future are not feasibly linkable to those that are signed. We use a privacy-preserving cryptographic protocol based on ‘Verifiable, Oblivious Pseudorandom Functions’ (VOPRFs) built from elliptic curves to enforce unlinkability. The protocol is exceptionally fast and guarantees privacy for the user. As such, Privacy Pass is safe to use for those with strict anonymity restrictions."


> Deanonymizing yourself just to appease cloudflare is not a valid solution

I'm not claiming it is a valid solution, I'm just sharing a possible workaround.


Unless you're a mathematician or a cryptographer who's qualified to verify these claims, I think all of this amounts to "trust us."


Sorry, can I get a layman's translation? What prevents websites from using Privacy Pass to track user behavior? (Beyond determining who is and is not a bot.)


> If they don't, the website is broken.

The Internet is a network with social effects. Whether "this didn't work" means "the website is broken" or "the browser is broken" has always been more about end-user experience and the wisdom of crowds than a more concrete definition.

A website broken only on Firefox works for 96.5% of users. I have personally had to make the hard judgment call (as a fan of Firefox!) to not spend 25% of our engineering debugging time on a problem only 3.5% of users encounter.


Right, so you accepted that your website was broken. That can be a valid business decision, but that doesn't not make it broken.

Try this analogy: Most people have functional legs, so why install a ramp? 99% of your users can access your property, so who cares, right?


That's too bad. If you didn't make that call it would probably have larger market share. What you've done actually feeds in to the problem.


>Deanonymizing yourself just to appease cloudflare is not a valid solution. Any website should work in any browser out of the box. If they don't, the website is broken.

I totally agree with you. I think maybe an upper limit per ip (maybe a bit higher for tor ips) would be need to prevent DoS type attacks.




Firefox user - have seen this many times. Always assumed it's either NoScript or Firefox's built-in tracking protection meaning there's some pre-existing cooking not set that Cloudflare places from other site visits, or because some script is getting blocked somewhere else.


Seeing the cloudflare challenge as a user can happen in any browser depending on the site and it's configuration. A site can choose a security level that requires all visitors to receive a JS/captcha challenge, and sites can make custom firewall rules to require JS/captcha challenges on any of hundreds of different attributes of a particular request using CF's web application firewall tools. One of those attributes is user agent, for instance.


Nope. Individual customer setting, not a Cloudflare policy. We work closely with the Firefox team on many projects.


Aren't you not supposed to comment on individual customers?


They aren't, they're commenting on company general policy and making the obvious deduction from that.

It's (literally) basic logic

1. Some site flags Firefox. 2. Not all sites flag Firefox. 3. Either every site flags Firefox or individual sites flag Firefox. 4. It is not true that every site flags Firefox (obverse of 2) C. Individual sites flag Firefox (disjunction with 3, 4)


Incredible. I just changed my user-agent whilst on the Google Chrome browser.

  * Changing to Firefox immediately displayed the Cloudflare error message
  * Edge had no errors
  * Chrome had no errors
  * Safari had no errors
Edit: Even internet explorer 9, android kitkat, and the opera browser had no errors.

Edit 2: as another user has pointed out, this is most likely a firewall rule put in place by the website operator themselves.


Do you see the error when testing with Firefox, though?

Receiving a "you look like a bot" message when using Chrome configured to pretend to be Firefox isn't very surprising.


I can confirm this on pure (native) FF as well. As someone who has run multiple large web properties this hurts to see. I've observed firsthand the impact of what adding friction to certain browser segments does to utilization, if large corps decide that FF is a "risk" it will do a number on their already struggling traction, and we already live in far too much of a browser monoculture.

(Disclaimer, MSFtie, all opinions are my own)


I can also confirm this on Firefox. With JS enabled I get the challenge from Cloudflare, and with JS disabled for, I get:

> Please turn JavaScript on and reload the page.

> DDoS protection by Cloudflare




I use Firefox Focus on my phone (opens links from apps in a private session - generally a great idea!) and always get this 5 second delay (which is often actually 10 or more seconds). I never considered that it's a Firefox-only thing!


Are you using Firefox Focus on Android or iOS? Does the 5-10 second delay happen on all websites or a specific one?


I'm using VPN 99.9% of the time, so it's all the same for me.

The perks of living in a authoritarian state which tries to limit your access to the Internet.


>The perks of living in a authoritarian state which tries to limit your access to the Internet.

Unfortunately these days this could be virtually anywhere.




Tested in Safari, got the captcha challenge. I doubt it's due to some specific Firefox block.


For me, it was fine in Safari and Chrome, but got the 'checking your browser' message in Firefox


This business of flagging legitimate downloads as "suspicious" is getting way out of hand. Here's what I'm dealing with lately:

This setup program is signed with an EV certificate from DigiCert and hosted on an https site. No other hoops left to jump through except this awesome Catch-22 implementation, which leaves no actionable solution.