Tell HN: Cloudflare is locking out Linux users

76 points by supriyo-biswas 2 years ago

It appears that Cloudflare's Turnstile captcha product has decided Linux users are no longer considered "human" and therefore locked out of websites using this product.

While the usual explanation is that there may be a compromised device on the network, I can pass these challenges myself using my Mac, but not on Linux on the very same network. This is from a residential ISP in India, and as you can see in the screen recording, I'm using an incognito window with all extensions disabled, so it's unlikely that the IP address or the browser configuration are at fault here.

* Mac: https://drive.google.com/file/d/1glfS_9OkV5mw5ysU3ASZCwR5c5eCeRT3/view?usp=sharing

* Linux: https://drive.google.com/file/d/1WnNRUlikqfmqdELfcohu7SBfjJr9aNzZ/view?usp=sharing

At a societal level, it is scary how things seem to resemble RMS' "Right To Read" with one corporation unilaterally deciding what browser should have access, as I've said elsewhere.

At a technical level, I speculate the issues are because Cloudflare is unable to properly distinguish between headless and regular Chrome because of changes in Chromium[1] as well as because of TLS ClientHello permutations[2].

[1] https://antoinevastel.com/bot%20detection/2023/02/19/new-headless-chrome.html

[2] https://www.fastly.com/blog/a-first-look-at-chromes-tls-clienthello-permutation-in-the-wild

worenga 2 years ago

Hello, Benedikt from Cloudflare and the Turnstile Team here. Thank you so much for the report. We looked into this report and identified that there was some false positive and cleared the signal. We have investigated this report and the issue should be fixed. Please reach out to me at benedikt@cloudflare.com or at our Cloudflare Turnstile Discord if you are still encountering problems.

pmontra 2 years ago

This got 41 points so far and worenga from Cloudflare acknowledged and fixed the issue. And yet the post was flagged.

  • supriyo-biswas 2 years ago

    Well I guess someone might have thought it was a rant post and chose to flag it, though my intention here was to, at least to an extent, also draw attention towards how large corporations get to decide the rights of commoners.

    (Edit: I had a last paragraph here but it was in bad taste, so I removed it.)

  • s777 2 years ago

    Ironic considering how this post is about Cloudflare flagging users.

jonatron 2 years ago

As a Linux user, I have been told that I'm a robot with no option to do a CAPTCHA a couple of times from different websites over the last couple of days (not Cloudflare, so it's not just them doing it).

  • jmclnx 2 years ago

    Yes, this has happened to me also, maybe 10% of the time. I wonder if websites can up or lower the level of Cloudflare checks?

doix 2 years ago

It'll be some specific combination that you're hitting. I'm on Linux and I am not in captcha hell. I can get into captcha hell really easily by routing all my traffic through my OVH server using wireguard. I'm guessing they blacklist the entire OVH IP range or something.

I'm guessing it's some combination of being in India + Linux + incognito that is screwing you.

jeroenhd 2 years ago

Having never run into Cloudflare issues despite almost exclusively using Linux, I do wonder what's going on here.

I can never pinpoint what makes these prompts and problems show up constantly for some but almost never for me.

Are you behind CGNAT by any chance? I have my suspicions that CGNAT networks are more likely to trigger these robot detection flags than others (because their users share an external IP address with many others). I can imagine a website/user with only IPv4 set up ending up getting grouped together with the countless automated Chromium installs that may also ruin your IP address' reputation with spam prevention tools.

thewebcount 2 years ago

It's not just Linux users. I'm using Orion on macOS and I got stuck at the "Cloudflare needs to check the security of your connection…" prompt this morning. I didn't even get a Captcha. It just hung there. (And by the way, that prompt makes no sense.)

  • jeroenhd 2 years ago

    I've encountered that prompt inside a WebView in an Android app as well. Changing the user agent bypasses it for a certain amount of time.

    I'm pretty sure that prompt will hang indefinitely for user agents it doesn't recognize (because bot detection is almost impossible these days).

mordae 2 years ago

If only!

I get never ending checks in Firefox, but not in Chromium ever so often.

wmf 2 years ago

Linux users basically have to install Privacy Pass. https://developers.cloudflare.com/support/firewall/settings/...

  • JohnFen 2 years ago

    Yeah, I'm not going to do that. While I very rarely actually encounter cloudflare-related issues on my Linux boxen, when I do, I just figure that's a site who doesn't want me and don't go there anymore.

    • than3 2 years ago

      Unfortunately that's invisible though.

      They can never really know that you were there and change action. Just like they can never really know all those clicks are organic clicks for their ad-spend.

      It's more of a "we trust it's this because we don't want to look behind the curtain". Unfortunately.

      • JohnFen 2 years ago

        > They can never really know that you were there and change action.

        True, but that's the website's problem, not mine.

        I figure that everyone using Cloudflare knows that they're excluding a portion of their audience by doing so, and they've made the calculation that they're OK with that. So if I'm in the excluded group, I assume that I'm one of the people they deemed as an acceptable loss.

    • jmclnx 2 years ago

      This is my take.

      And install a plugin from Cloudflare? I don't think so; who knows what it really does.

      • Incipient 2 years ago

        As it's open source, should be easy to see what the extension does. What cf does with the token is a different story - you'd probably have to check the maths if it was truly anonymous?