CloudFlare is blocking smaller browsers

Started by: Sailfish <NIXCAPSsailfish@NIXCAPSunforgettable.com>
First post: 2025-03-16 05:47 -0700
Last post: 2025-03-17 13:45 -0700
Articles: 20 on this page of 46 — 20 participants



Contents

  CloudFlare is blocking smaller browsers Sailfish <NIXCAPSsailfish@NIXCAPSunforgettable.com> - 2025-03-16 05:47 -0700
    Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-16 15:14 +0100
    Re: CloudFlare is blocking smaller browsers John McCue <jmccue@qball.jmcunx.com> - 2025-03-16 14:24 +0000
    Re: CloudFlare is blocking smaller browsers D <noreply@mixmin.net> - 2025-03-16 14:32 +0000
    Re: CloudFlare is blocking smaller browsers Newyana2 <newyana@invalid.nospam> - 2025-03-16 11:36 -0400
      Re: CloudFlare is blocking smaller browsers ant@zimage.comANT (Ant) - 2025-03-17 01:19 +0000
        Re: CloudFlare is blocking smaller browsers Daniel70 <daniel47@eternal-september.org> - 2025-03-17 19:22 +1100
          Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-17 10:55 +0100
            Re: CloudFlare is blocking smaller browsers "Carlos E.R." <robin_listas@es.invalid> - 2025-03-17 13:19 +0100
              Re: CloudFlare is blocking smaller browsers Andy Burns <usenet@andyburns.uk> - 2025-03-17 12:43 +0000
              Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-17 14:27 +0100
                Re: CloudFlare is blocking smaller browsers "Carlos E.R." <robin_listas@es.invalid> - 2025-03-17 20:04 +0100
                  Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-17 20:59 +0100
                    Re: CloudFlare is blocking smaller browsers "s|b" <me@privacy.invalid> - 2025-03-17 21:20 +0100
                      Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-18 07:40 +0100
                        Re: CloudFlare is blocking smaller browsers Newyana2 <newyana@invalid.nospam> - 2025-03-18 08:39 -0400
                          Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-18 15:43 +0100
                            Re: CloudFlare is blocking smaller browsers Newyana2 <newyana@invalid.nospam> - 2025-03-18 15:29 -0400
                              Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-18 21:12 +0100
                                Re: CloudFlare is blocking smaller browsers Newyana2 <newyana@invalid.nospam> - 2025-03-18 18:52 -0400
                                  Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-19 08:28 +0100
                                Re: CloudFlare is blocking smaller browsers Char Jackson <none@none.invalid> - 2025-03-19 01:30 -0500
                                  Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-19 08:08 +0100
                                    Re: CloudFlare is blocking smaller browsers Char Jackson <none@none.invalid> - 2025-03-19 02:49 -0500
                                    Re: CloudFlare is blocking smaller browsers Newyana2 <newyana@invalid.nospam> - 2025-03-19 08:39 -0400
                                      Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-19 14:20 +0100
                    Re: CloudFlare is blocking smaller browsers News <news@triffid.co.uk> - 2025-03-18 07:30 +0000
                      Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-18 09:10 +0100
            Re: CloudFlare is blocking smaller browsers Daniel70 <daniel47@eternal-september.org> - 2025-03-18 00:10 +1100
              Re: CloudFlare is blocking smaller browsers "R.Wieser" <address@is.invalid> - 2025-03-17 14:32 +0100
                Re: CloudFlare is blocking smaller browsers R Daneel Olivaw <Danni@hyperspace.vogon.gov> - 2025-03-17 15:37 +0100
              Re: CloudFlare is blocking smaller browsers "s|b" <me@privacy.invalid> - 2025-03-17 21:22 +0100
            Re: CloudFlare is blocking smaller browsers micky <NONONOmisc07@fmguy.com> - 2025-03-25 01:57 -0400
              Re: CloudFlare is blocking smaller browsers "Carlos E.R." <robin_listas@es.invalid> - 2025-03-25 20:25 +0100
                Re: CloudFlare is blocking smaller browsers micky <NONONOmisc07@fmguy.com> - 2025-03-25 20:35 -0400
        Re: CloudFlare is blocking smaller browsers R Daneel Olivaw <Danni@hyperspace.vogon.gov> - 2025-03-17 13:02 +0100
          No RCEs to see here [was: Re: CloudFlare is blocking smaller browsers] Dirk Fieldhouse <surname@gmx.net.plusremovethisandtherest.example.com> - 2025-03-17 13:50 +0000
            Re: No RCEs to see here [was: Re: CloudFlare is blocking smaller browsers] ant@zimage.comANT (Ant) - 2025-03-17 18:24 +0000
          Re: CloudFlare is blocking smaller browsers Chris Elvidge <chris@internal.net> - 2025-03-17 22:09 +0000
    Re: CloudFlare is blocking smaller browsers VanguardLH <V@nguard.LH> - 2025-03-16 12:26 -0500
    Re: CloudFlare is blocking smaller browsers not@telling.you.invalid (Computer Nerd Kev) - 2025-03-17 08:12 +1000
    Re: CloudFlare is blocking smaller browsers User One <noreply@invalid.com> - 2025-03-16 22:37 +0000
      Re: CloudFlare is blocking smaller browsers "s|b" <me@privacy.invalid> - 2025-03-17 21:18 +0100
    Re: CloudFlare is blocking smaller browsers ant@zimage.comANT (Ant) - 2025-03-17 01:18 +0000
      Re: CloudFlare is blocking smaller browsers Dirk Fieldhouse <surname@gmx.net.plusremovethisandtherest.example.com> - 2025-03-17 14:05 +0000
    Re: CloudFlare is blocking smaller browsers "David E. Ross" <nobody@nowhere.invalid> - 2025-03-17 13:45 -0700



#12791

From: "R.Wieser" <address@is.invalid>
Date: 2025-03-19 08:28 +0100
Message-ID: <vrdrnf$cdfm$1@dont-email.me>
In reply to: #12785

Newyana2,

>  I started TCPView and went to Microsoft.com. I clicked on Windows 11 or
> some such. TCPView shows Firefox downloading from akamaitechnologies.com.

I've just posted that what /could/ be happening is that one of the 
non-Akamai domains on that MS page resolves to an IP that points to an 
Akamai server - and what your TCPView shows is the result of a reverse-DNS.

But yes, if enough domains resolve to Akamai's servers then it is in a good
position to track users.

Let's hope security researchers stay on it and Europe keeps up its protection
of the users' privacy.

Regards,
Rudy Wieser



#12789

From: Char Jackson <none@none.invalid>
Date: 2025-03-19 01:30 -0500
Message-ID: <ttlktjpal47sdbivi47usgin928o56be4d@4ax.com>
In reply to: #12783

On Tue, 18 Mar 2025 21:12:43 +0100, "R.Wieser" <address@is.invalid>
wrote:

>Newyana2,
>
>>>> and that you can't block them in HOSTS?
>>>
>>> *Of course* you can !  You just won't like being cut off from a large(?)
>>> number of websites. :-) :-(
>>
>> Try it. It doesn't work. That's because there's no DNS call.
>
>I would like you to post a link to such a webpage so I can try, as what you 
>are telling me does not make any sense to me.
>
>There is *no* situation where a webpage or any of its resources can live on 
>Akamai's servers, but no DNS call by my browser to resolve Akamai's domain 
>is made.

If I'm understanding correctly, my colleagues and I are asked to set up
that exact thing on a regular basis. Look at it this way, when you do a
DNS lookup for a specific domain, there's no guarantee, nor should there
be any expectation, that the IP address in the DNS response physically
lives on a server owned by that domain, or is located at a facility
owned by that domain. That's how you can end up using Akamai equipment,
or one of the others, even though you've not seen a DNS request for
Akamai.

Quite frequently these days, the IP address in the DNS response is
configured on a (usually virtual) load balancer, where the load balancer
and the servers in the various pools behind it are all located at one of
the big CDNs, such as CloudFlare, Amazon Web Services (AWS), Akamai,
etc. Certain kinds of traffic can contain clues that you've actually
been serviced by a CDN, but not always.

Related to that, we configure the DNS response to be dynamic, so that
from one response to the next, we always provide the "nearest available"
resource, where nearest more properly means the load balancer with the
fastest response, which automatically weeds out resources that are
temporarily unavailable, overloaded, geo restricted, etc. Of course,
that also implies that our DNS is performing health checks on each
potential resource, because otherwise how would it know what to respond
with. It sounds more complicated than it is.

If you guys were talking about something else, please disregard.

>... other than that Akamai doesn't use a domain name, but a hard-coded IP
>instead.  And that's a trick I've seen last quite a few years ago.

We don't do it that way, especially for public web sites, but I can't
speak for everyone.

>.. or the "pass thru" (both ways) is performed in-and-by the original
>website - which would make a joke of any DDOS (or similar) mitigation Akamai
>might offer.

We do some limited transparent traffic steering within an organization,
when requested, but we don't do it over the Internet and I haven't seen
anyone else do it. If a customer asked me to do it, I'd have a lot of
questions as to why. When they explain what they're trying to achieve, I
can sometimes suggest a different or better way. 



#12790

From: "R.Wieser" <address@is.invalid>
Date: 2025-03-19 08:08 +0100
Message-ID: <vrdqi3$bjct$1@dont-email.me>
In reply to: #12789

Char,

> Look at it this way, when you do a DNS lookup for a specific domain,
> there's no guarantee, nor should there be any expectation, that the
> IP address in the DNS response physically lives on a server owned
> by that domain, or is located at a facility owned by that domain.
> That's how you can end up using Akamai equipment, or one of the
> others, even though you've not seen a DNS request for

... which is what I thought of very shortly after I shut down my 'puter for
the night.  :-)    (Up until then I was still trying to figure out the "pass
thru" bit)

Yes, the whole website could be located on one of Akamai's servers, with the
DNS record for the website's domain pointing to it.

Without doing a reverse-DNS on the returned IP the browser (and all its
privacy enhancements) would be none the wiser.

Regards,
Rudy Wieser



#12792

From: Char Jackson <none@none.invalid>
Date: 2025-03-19 02:49 -0500
Message-ID: <gmtktj52qmh1q7g4c72ituf3e0rv1hjggj@4ax.com>
In reply to: #12790

On Wed, 19 Mar 2025 08:08:40 +0100, "R.Wieser" <address@is.invalid>
wrote:

>Char,
>
>> Look at it this way, when you do a DNS lookup for a specific domain,
>> there's no guarantee, nor should there be any expectation, that the
>> IP address in the DNS response physically lives on a server owned
>> by that domain, or is located at a facility owned by that domain.
>> That's how you can end up using Akamai equipment, or one of the
>> others, even though you've not seen a DNS request for
>
>... which is what I thought of very shortly after I shut down my 'puter for
>the night.  :-)    (Up until then I was still trying to figure out the "pass
>thru" bit)
>
>Yes, the whole website could be located on one of Akamai's servers, with the
>DNS record for the website's domain pointing to it.
>
>Without doing a reverse-DNS on the returned IP the browser (and all its
>privacy enhancements) would be none the wiser.

Yep, everything just works.



#12793

From: Newyana2 <newyana@invalid.nospam>
Date: 2025-03-19 08:39 -0400
Message-ID: <vredr9$s9u2$1@dont-email.me>
In reply to: #12790

On 3/19/2025 3:08 AM, R.Wieser wrote:
> 
> Yes, the whole website could be located on one of Akamai's servers, with the
> DNS record for the website's domain pointing to it.
> 
> Without doing a reverse-DNS on the returned IP the browser (and all its
> privacy enhancements) would be none the wiser.
> 

   That explanation makes sense. Though there seem to generally
be multiple servers, which could be Akamai or the host. When I
tested it last night there were two Akamai connections, yet no
Akamai in the webpage.

   If you read my link you can see how Akamai have advertised
this as "pixel free" spyware. It's a giant hole in online privacy.
The original design of the Internet meant that there was privacy
between websites. Cookies were restricted to that domain, and so
on. Over the years, websites have developed 3rd party cookies,
fingerprinting, remote script, and various other ways to let 20+
companies watch your visit to a single domain. That betrays the
intended privacy and security, but it's expanding as spying itself --
and the data it produces -- has become a new industry. (For
example, the data wholesaler that was hacked in Florida recently.)

   What Char is saying makes sense, but the idea that a URL
should have no connection to an IP does not make sense. Again,
it's a betrayal of the original design. A similar problem is ISP
caching. In a technical respect it makes sense, but in a culture
of surveillance it's a deception that should be illegal. People
expect that when they visit acme.com they actually go to
acme.com's server. What they're doing is like calling someone
on the phone and it's sent through to an answering service, but
with no indication that you're not actually talking to the person
you called. And you have no idea who it is that you're talking to.
Not only that, but as you talk to that person they're actually
sharing information about you with 100 other entities.

   In this case it's a sleazy company, Akamai, trying to make an
extra surveillance buck on the side. They're actually selling their
customers' data and advertising back to them rather than just
providing server space. Akamai's Acerno sub-business promises
to track people "in-market" -- presumably that means people
actively shopping online based on surveillance data from
multiple websites -- and then present those people with the most
relevant ad banners as they move from store to store.

   The article I linked speaks of a "data cooperative": Akamai can
collect visitor surveillance of numerous customer websites and
pool it for better tracking. The pixel-free aspect, as Akamai
advertises it, is that their server is, itself, a surveillance device.
So they can provide (sell) details about visitors without any
in-page tricks needed. Thus, HOSTS to block 3rd-party scripts
and web beacons is bypassed.

   Interestingly, though, I haven't seen any ads to speak of in
25+ years, and I don't use adblockers. (I've dabbled with UBlock
Origin more recently, but in general I've just restricted script
and used HOSTS. If a site actually has ads that are on their
webpages -- not called in by 3rd-party links from the likes
of Doubleclick -- then I would see them.) If Akamai is inserting
ads into commercial sites I visit, I'm not seeing them. Maybe
they have me classified as a hermit or a freeloader -- someone
who's not being identified at commercial sites. (Which is reminiscent
of how credit card companies classify people as freeloaders who
pay off their bill every month, rather than paying up to 30%
loanshark interest. :)

   The description of Akamai's service seems to
point to a focus on compulsive shoppers. In-market seems to be
a phrase that means actively online and going from website to
website, as in, "I wonder if Eddie Bauer has this cheaper. Oh, look,
here's an ad for the same thing at EMS."



#12794

From: "R.Wieser" <address@is.invalid>
Date: 2025-03-19 14:20 +0100
Message-ID: <vregbr$uj05$1@dont-email.me>
In reply to: #12793

Newyana2,

>   That explanation makes sense.

Phew ! :-)

> Though there seem to generally be multiple servers, which could be Akamai 
> or the host. When I tested it last night there were two Akamai 
> connections, yet no Akamai in the webpage.

As described, one or more of the domains on the webpage could be pointing to 
Akamai's servers.

You could do a "ping domainname" to get its IP, and then a "ping -a IP" to
do a reverse-DNS (of sorts).   Normally what goes in the first and what 
comes out the second are the same (or, in the case of a distributed 
serverpark (CDN), similar).

In your case the second would sometimes return an Akamai domain name.

>   If you read my link you can see how Akamai have advertised
> this as "pixel free" spyware. It's a giant hole in online privacy.

Agreed.

>   What Char is saying makes sense, but the idea that a URL should have no 
> connection to an IP does not make sense.

Not "should", but "does not have".   When you register a domain you can put 
any IP address you want into it.  Also think of DynDNS servers (where you 
can change the IP at any moment you want - intended to point at your own 
dynamic home IP address).

> In this case it's a sleazy company, Akamai, trying to make an extra 
> surveillance buck on the side.

Have you realized that both your internet provider as well as the DNS server 
you are using can do the same * ?   And for the first one, even when using 
SSL ? (the first SSL negotiation shows the target domain name in plain text)

* and, in the past, have done so by, when it could not resolve a domain 
name, returning an IP pointing at an advertising server.  Not getting a 
"domain doesn't exist" response created big problems though, so that idea 
was quickly dropped.

> their server is, itself, a surveillance device. So they can provide (sell)
> details about visitors without any in-page tricks needed. Thus, HOSTS to
> block 3rd-party scripts and web beacons is bypassed.

I hope you do realize that *any* website could do the same.  When you 
connect to them they could send a "hey, I've got user xxxx here" to whomever 
would like to buy such data.

> Interestingly, though, I haven't seen any ads to speak of in
> 25+ years, and I don't use adblockers. (I've dabbled with UBlock Origin 
> more recently, but in general I've just restricted script and used HOSTS.
...
> If Akamai is inserting ads into commercial sites I visit, I'm not seeing 
> them.

Most likely because most ads are delivered using JS.

> The description of Akamai's service seems to point to a focus
> on compulsive shoppers.

As long as they control the links on the webpages they host (read: links on 
webpages go to websites again on their servers) they can easily do that.  I 
can't even blame them for doing it to be honest.   Still would not like to 
be caught by it though.

Regards,
Rudy Wieser 
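
Added example (not part of any post in this thread): a Python sketch of the check discussed above, where HOSTS matches only the name the browser asks for, while a forward lookup followed by a reverse lookup (the "ping domainname" / "ping -a IP" pair) shows which operator answers. The hostnames, addresses and PTR names are constructed sample data, and the function names are this example's own.

```python
import socket

# Addresses commonly used in HOSTS files to sinkhole a name.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Map each hostname in a HOSTS file to its address (first entry wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), fields[0])
    return table


def dns_forward(name):
    """Live forward lookup: the addresses the browser would connect to."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def dns_reverse(ip):
    """Live PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror):
        return None


def operator_of(ptr_name, watched_suffixes):
    """Return the watched domain a PTR name falls under, or None."""
    if not ptr_name:
        return None
    host = ptr_name.lower().rstrip(".")
    for suffix in watched_suffixes:
        # Match on a label boundary so "notexample.com" != "example.com".
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def audit(page_names, hosts_text, watched_suffixes,
          forward=dns_forward, reverse=dns_reverse):
    """For each hostname a page references, report whether HOSTS stops the
    connection and, if not, which watched operator owns the address."""
    hosts = parse_hosts(hosts_text)
    rows = []
    for name in page_names:
        key = name.lower().rstrip(".")
        # HOSTS is consulted only for the exact name being requested: no
        # wildcards, and never for the PTR name of the address that comes back.
        if hosts.get(key) in SINKHOLES:
            rows.append({"name": key, "verdict": "blocked-by-hosts",
                         "ips": [], "operators": []})
            continue
        ips = [hosts[key]] if key in hosts else forward(key)
        found = {operator_of(reverse(ip), watched_suffixes) for ip in ips}
        operators = sorted(found - {None})
        verdict = ("reaches-watched-operator" if operators
                   else "no-watched-operator-seen")
        rows.append({"name": key, "verdict": verdict,
                     "ips": ips, "operators": operators})
    return rows


# ---- constructed sample data (documentation address ranges, made-up names) ----
SAMPLE_HOSTS = """\
# HOSTS entries a user might add to "block Akamai" and one ad beacon
0.0.0.0 akamaitechnologies.com www.akamaitechnologies.com
0.0.0.0 tracker.ads.example   # third-party beacon
"""
SAMPLE_PAGE_NAMES = ["www.shop.example", "static.shop.example",
                     "tracker.ads.example", "blog.shop.example"]
SAMPLE_FORWARD = {
    "www.shop.example": ["203.0.113.10"],
    "static.shop.example": ["203.0.113.11"],
    "blog.shop.example": ["198.51.100.7"],
}
SAMPLE_REVERSE = {
    "203.0.113.10": "a203-0-113-10.deploy.static.akamaitechnologies.com",
    "203.0.113.11": "a203-0-113-11.deploy.static.akamaitechnologies.com",
    "198.51.100.7": "blog.shop.example",
}


def sample_audit():
    """Run the audit offline against the constructed records above."""
    return audit(SAMPLE_PAGE_NAMES, SAMPLE_HOSTS, ["akamaitechnologies.com"],
                 forward=lambda n: SAMPLE_FORWARD.get(n, []),
                 reverse=SAMPLE_REVERSE.get)


if __name__ == "__main__":
    for row in sample_audit():
        print(row)
```

Calling `audit()` without the `forward` and `reverse` arguments performs live lookups. A PTR record is set by whoever holds the address and may be missing, so an empty operator list does not prove the address is not on a CDN.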



#12777

From: News <news@triffid.co.uk>
Date: 2025-03-18 07:30 +0000
Message-ID: <5bff6a6212news@triffid.co.uk>
In reply to: #12767

In article <vr9uuv$r50j$1@dont-email.me>,
   R.Wieser <address@is.invalid> wrote:
> Carlos,

> >> Yes (I seem to remember that they started as that), but it seems to 
> >> depend on the website.
> >
> > I suppose the website has to pay for this service.

> Absolutely, CloudFlare is a company, not some altruistic billionaire. :-)

> Regards,
> Rudy Wieser

The older I get the more cynical I get...
I understand your point... But...

To become a billionaire the large number of folks 'screwed over' to get
you there, are the ones paying for the fake altruism.

D



#12778

From: "R.Wieser" <address@is.invalid>
Date: 2025-03-18 09:10 +0100
Message-ID: <vrb9q6$238og$1@dont-email.me>
In reply to: #12777

News,

> To become a billionaire the large number of folks 'screwed over'
> to get you there, are the ones paying for the fake altruism.

I may be cynical too, but it looks like you've already decided that /any/
billionaire *must* have screwed others over to get there ...  :-(

Funny that stuff like tax evasion and in general paying less (or not at
all!) than what is owed seems to be a national sport all over the world.

Regards
Rudy Wieser



#12757

From: Daniel70 <daniel47@eternal-september.org>
Date: 2025-03-18 00:10 +1100
Message-ID: <vr970o$69dn$1@dont-email.me>
In reply to: #12753

On 17/03/2025 8:55 pm, R.Wieser wrote:
> Daniel,
> 
>> (Possibly Stupid Question coming .... ) What's Cloudflare??
> 
> Not a stupid question at all (though a quick google might have also given
> you the below link).
> 
> Cloudflare is a company which pretty-much acts as a "firewall" for websites.
> 
> https://en.wikipedia.org/wiki/Cloudflare
> 
> The problem is that they service a *lot* of websites, and when they refuse
> requests from lesser-known browsers its users are cut off of a sizable chunk
> of the internet.
> 
> Regards,
> Rudy Wieser
> 
Ah!! Thank you.

So sort of like what's happening to SeaMonkey Suite ..... until the 
valiant SM Devs can work around it!!
-- 
Daniel70



#12759

From: "R.Wieser" <address@is.invalid>
Date: 2025-03-17 14:32 +0100
Message-ID: <vr989t$7pil$1@dont-email.me>
In reply to: #12757

Daniel,

> Ah!! Thank you.

You're welcome. :-)

> So sort of like what's happening to SeaMonkey Suite ..... until the 
> valiant SM Devs can work around it!!

It's possible that just changing the user-agent string might already work -
but while that's what a user might choose, I don't think that's something the
SeaMonkey maintainers like to do.  And I don't blame them.

Regards,
Rudy Wieser



#12762

From: R Daneel Olivaw <Danni@hyperspace.vogon.gov>
Date: 2025-03-17 15:37 +0100
Message-ID: <vr9c2o$1acke$1@paganini.bofh.team>
In reply to: #12759

R.Wieser wrote:
> Daniel,
> 
>> Ah!! Thank you.
> 
> You're welcome. :-)
> 
>> So sort of like what's happening to SeaMonkey Suite ..... until the
>> valiant SM Devs can work around it!!
> 
> It's possible that just changing the user-agent string might already work -
> but while that's what a user might choose, I don't think that's something the
> SeaMonkey maintainers like to do.  And I don't blame them.
> 
> Regards,
> Rudy Wieser
> 
> 

There is the occasional suggestion - in alt.comp.software.seamonkey - 
that we do that ourselves for specific sites, Google comes to mind.  Do 
not expect Seamonkey to do this preemptively.



#12771

From: "s|b" <me@privacy.invalid>
Date: 2025-03-17 21:22 +0100
Message-ID: <m3rejvFn16uU3@mid.individual.net>
In reply to: #12757

On Tue, 18 Mar 2025 00:10:48 +1100, Daniel70 wrote:

> Ah!! Thank you.
> 
> So sort of like what's happening to SeaMonkey Suite ..... until the 
> valiant SM Devs can work around it!!

I sometimes use Pale Moon and have experienced a problem while
'Verifying you are human. This may take a few seconds.' This seems to be
a problem that can not be solved by Pale Moon. CloudFlare needs to fix
this (but they won't).

-- 
s|b



#12863

From: micky <NONONOmisc07@fmguy.com>
Date: 2025-03-25 01:57 -0400
Message-ID: <6ah4ujts66rngbggtdju6gvrbb823cgb8t@4ax.com>
In reply to: #12753

In alt.comp.software.firefox, on Mon, 17 Mar 2025 10:55:40 +0100,
"R.Wieser" <address@is.invalid> wrote:

>Daniel,
>
>> (Possibly Stupid Question coming .... ) What's Cloudflare??
>
>Not a stupid question at all (though a quick google might have also given 
>you the below link).

FWIW, I'm not Daniel but I looked at the wiki entry and still didn't
know what it was. 

To you and prior posters like Ant and Mayana, how do you spoof an agent?

>Cloudflare is a company which pretty-much acts as a "firewall" for websites.

This is more clear than wiki. 

>https://en.wikipedia.org/wiki/Cloudflare
>
>The problem is that they service a *lot* of websites, and when they refuse 
>requests from lesser-known browsers its users are cut off of a sizable chunk 
>of the internet.
>
>Regards,
>Rudy Wieser
>



#12868

From: "Carlos E.R." <robin_listas@es.invalid>
Date: 2025-03-25 20:25 +0100
Message-ID: <qicbblxu2l.ln2@Telcontar.valinor>
In reply to: #12863

On 2025-03-25 06:57, micky wrote:
> To you and prior posters like Ant and Mayana, how do you spoof an agent?

As we are in the firefox group (I guess seamonkey is similar), you 
install an add on.

On the current Firefox I have running, I don't have one such installed, 
but I have used one in the past. I keep looking, and find it on my 
laptop: "User-Agent Switcher" (author: Linder).

-- 
Cheers, Carlos.



#12869

From: micky <NONONOmisc07@fmguy.com>
Date: 2025-03-25 20:35 -0400
Message-ID: <vti6ujpkk1amahqbfn1ch13glcoupi82ue@4ax.com>
In reply to: #12868

In alt.comp.software.firefox, on Tue, 25 Mar 2025 20:25:46 +0100,
"Carlos E.R." <robin_listas@es.invalid> wrote:

>On 2025-03-25 06:57, micky wrote:
>> To you and prior posters like Ant and Mayana, how do you spoof an agent?
>
>As we are in the firefox group (I guess seamonkey is similar), you 
>install an add on.
>
>On the current Firefox I have running, I don't have one such installed, 
>but I have used one in the past. I keep looking, and find it on my 
>laptop: "User-Agent Switcher" (author: Linder).

That's pretty clear!  I'm planning for when they do this to FF.  Tnx. 



#12754

From: R Daneel Olivaw <Danni@hyperspace.vogon.gov>
Date: 2025-03-17 13:02 +0100
Message-ID: <vr931h$19u0d$1@paganini.bofh.team>
In reply to: #12746

Ant wrote:
> Newyana2 <newyana@invalid.nospam> wrote:
>> On 3/16/2025 8:47 AM, Sailfish wrote:
>>> REF: https://forum.palemoon.org/viewtopic.php?f=65&t=32127#p260689
>>>
>>> Pale Moon is one of those, and, possibly so are SeaMonkey, Waterfox, and
>>> LibreWolf.
>>>
> 
>>     I saw that at Slashdot. The speculation seems to be
>> that they may be trying to block bots, based on an assumption
>> that "real people use only the latest version of a standard
>> browser". Do we need to go back to the days of spoofing
>> userAgents?
> 
> I already spoof with user agents on some web sites in SeaMonkey. :(
> 

I also saw that story on Slashdot, including a list of 12 browsers which 
are affected.
https://tech.slashdot.org/story/25/03/15/236215/cloudflare-accused-of-blocking-niche-browsers
Slashdot itself was on the list of sites which "protect" themselves 
using Cloudflare.  My standard way of accessing Slashdot is to use a 
private session and logon there using a saved User+password pair, this 
appears to bypass Cloudflare's blocking and I never even realised there 
was supposed to be a problem.

One comment there made me curious,
> 
> 
> In case you're using SeaMonkey on Linux: stop using it (or at least stop telling everybody that you're using it).
> 
> Seamonkey on Linux is easily exploitable for remote code execution.
(the direct url is 
https://tech.slashdot.org/comments.pl?sid=23637379&cid=65236979 for that 
comment).

Is that true?  Was that true in the past but has now been fixed?



#12760 — No RCEs to see here [was: Re: CloudFlare is blocking smaller browsers]

From: Dirk Fieldhouse <surname@gmx.net.plusremovethisandtherest.example.com>
Date: 2025-03-17 13:50 +0000
Subject: No RCEs to see here [was: Re: CloudFlare is blocking smaller browsers]
Message-ID: <CrGdnRbjT_w0tUX6nZ2dnZfqn_idnZ2d@brightview.co.uk>
In reply to: #12754

On 17/03/2025 12:02, R Daneel Olivaw wrote:
> Ant wrote:
>...>
>>
>> In case you're using SeaMonkey on Linux: stop using it (or at least
>> stop telling everybody that you're using it).
>>
>> Seamonkey on Linux is easily exploitable for remote code execution.
> (the direct url is
> https://tech.slashdot.org/comments.pl?sid=23637379&cid=65236979 for that
> comment).
> 
> Is that true?  Was that true in the past but has now been fixed?

The most recent such CVE, from
<https://security.snyk.io/vuln/SNYK-UNMANAGED-SEAMONKEY-2380151>:
> How to fix?
> 
> Upgrade seamonkey to version 2.23 or higher.
So not even yesterday's news.

/df

-- 
London
UK



#12765 — Re: No RCEs to see here [was: Re: CloudFlare is blocking smaller browsers]

From: ant@zimage.comANT (Ant)
Date: 2025-03-17 18:24 +0000
Subject: Re: No RCEs to see here [was: Re: CloudFlare is blocking smaller browsers]
Message-ID: <i3ydnRpM-7ZM9UX6nZ2dnZfqnPGdnZ2d@earthlink.com>
In reply to: #12760

In alt.comp.software.firefox Dirk Fieldhouse <surname@gmx.net.plusremovethisandtherest.example.com> wrote:
> On 17/03/2025 12:02, R Daneel Olivaw wrote:
> > Ant wrote:
> >...>
> >>
> >> In case you're using SeaMonkey on Linux: stop using it (or at least
> >> stop telling everybody that you're using it).
> >>
> >> Seamonkey on Linux is easily exploitable for remote code execution.
> > (the direct url is
> > https://tech.slashdot.org/comments.pl?sid=23637379&cid=65236979 for that
> > comment).
> > 
> > Is that true?  Was that true in the past but has now been fixed?

> The most recent such CVE, from
> <https://security.snyk.io/vuln/SNYK-UNMANAGED-SEAMONKEY-2380151>:
> > How to fix?
> > 
> > Upgrade seamonkey to version 2.23 or higher.
> So not even yesterday's news.

Or better, the latest 2.53.20!
-- 
"...those who are led by the Spirit of God are sons of God." --Romans 8:14. It's St. Patrick's Day 2 get drunk, get rid of sneks, hate Boston Celtics even more, etc. after a slammy weekend. I'm not wearing green 2 so pinch me.
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
  /\___/\   Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
 / /\ /\ \                      Please nuke ANT if replying by e-mail.
| |o   o| |
   \ _ /
    ( )



#12774

From: Chris Elvidge <chris@internal.net>
Date: 2025-03-17 22:09 +0000
Message-ID: <vra6iu$11h0h$1@dont-email.me>
In reply to: #12754

On 17/03/2025 at 12:02, R Daneel Olivaw wrote:
> Ant wrote:
>> Newyana2 <newyana@invalid.nospam> wrote:
>>> On 3/16/2025 8:47 AM, Sailfish wrote:
>>>> REF: https://forum.palemoon.org/viewtopic.php?f=65&t=32127#p260689
>>>>
>>>> Pale Moon is one of those, and, possibly so are SeaMonkey, Waterfox, 
>>>> and
>>>> LibreWolf.
>>>>
>>
>>>     I saw that at Slashdot. The speculation seems to be
>>> that they may be trying to block bots, based on an assumption
>>> that "real people use only the latest version of a standard
>>> browser". Do we need to go back to the days of spoofing
>>> userAgents?
>>
>> I already spoof with user agents on some web sites in SeaMonkey. :(
>>
> 
> I also saw that story on Slashdot, including a list of 12 browsers which 
> are affected.
> https://tech.slashdot.org/story/25/03/15/236215/cloudflare-accused-of-blocking-niche-browsers 
> 
> Slashdot itself was on the list of sites which "protect" themselves 
> using Cloudflare.  My standard way of accessing Slashdot is to use a 
> private session and logon there using a saved User+password pair, this 
> appears to bypass Cloudflare's blocking and I never even realised there 
> was supposed to be a problem.
> 
> One comment there made me curious,
>>
>>
>> In case you're using SeaMonkey on Linux: stop using it (or at least 
>> stop telling everybody that you're using it).
>>
>> Seamonkey on Linux is easily exploitable for remote code execution.
> (the direct url is 
> https://tech.slashdot.org/comments.pl?sid=23637379&cid=65236979 for that 
> comment).
> 
> Is that true?  Was that true in the past but has now been fixed?

See also SoylentNews:
https://soylentnews.org/article.pl?sid=25/03/15/1622220


-- 
Chris Elvidge, England
I WILL NOT SELL SCHOOL PROPERTY



#12741

From: VanguardLH <V@nguard.LH>
Date: 2025-03-16 12:26 -0500
Message-ID: <ax0nl8jlzpz6.dlg@v.nguard.lh>
In reply to: #12729

Sailfish <NIXCAPSsailfish@NIXCAPSunforgettable.com> wrote:

> REF: https://forum.palemoon.org/viewtopic.php?f=65&t=32127#p260689
> 
> Pale Moon is one of those, and, possibly so are SeaMonkey, Waterfox, and 
> LibreWolf.

The same CAPTCHA challenge DOES happen with both Firefox and Edge-C.
The challenge is not initiated by Cloudflare, but by the web site.  It
looks like a challenge issued by Cloudflare, but it is a feature
(option) of Cloudflare's DNS services that the web site uses.  Web sites
rarely use their own code to generate and validate CAPTCHA challenges.
They use someone else's code, and quite often use someone else's option
when using that someone else's services.

The User-Agent header is often used to identify the client visiting a
web site despite being a deprecated header.  Other means are possible to
detect the web browser, like its capabilities by testing the client.
The web site can determine which web browsers it doesn't like, and
configure their "manage" option at Cloudflare to target non-conformant
clients.

https://blog.cloudflare.com/end-cloudflare-captcha/

Dated April 2022, so Cloudflare has not yet eliminated their account
manage option to challenge/test clients connecting to a web site using
Cloudflare's services.

The war against bots and DOS (Denial of Service) attacks continues.  I
wasn't aware that Palemoon, or other lesser-used variants of web
browsers, were more likely targeted for abuse as web bots.  Maybe they
are easier to adapt for reprogramming.  More likely is those less-used
web clients don't have a heuristic history (similar to Bayesian
weighting) as do the more highly used web clients.  Palemoon would have
a far lower incidence count as a web client visiting a web site.

"Previously, a Cloudflare customer could only choose between either a
CAPTCHA or JavaScript Challenge as the action of a security or firewall
rule."

Bitch to the web sites that employ the Cloudflare feature.  They are
employing a scheme to help eradicate much of the [D]DOS attacks against
them.  If they don't use the pre-built protection feature, they need to
find other means to conjure their own scheme to stall, abort, or thwart
DOS attacks.  I have not investigated how well, or if at all, a DOS'ed
web site, or the services to which they contract (DNS, webhosting, etc)
can identify the collective sources of the attacks, especially since
they may originate from zombied hosts by ignorant users, and more so by
those users that leave their web browser running 24x7 (the bitcoin
miners love those users) instead of loading the web client only when
they are actually using their web browser, and unloading the web client
when done using it.
