Blocked by Cloudflare


Well, it finally happened to me. I was blocked out of a website I need for work because of Cloudflare. And I have no idea if or when I’ll be let back in.

Cloudflare’s secure connection loop

The story begins with Cloudflare. Cloudflare is a company that provides content delivery networking, distributed denial-of-service prevention, and other networking infrastructure services to large parts of the internet. The decisions that this company makes have broad impacts for individuals, companies, and anything that relies on the internet, as their homepage describes.

Image: Cloudflare's homepage demonstrating how broad their reach on the internet is

Many websites that use Cloudflare’s services deploy a “browser integrity check” before you can access their site. In theory, this is to keep bad actors, unscrupulous bots, and other undesirables off of your website to keep your traffic costs down and ensure your website is interacting with a genuine human using your site for a purpose you intended. But often there are issues with these security pages that cause problems for users who are just minding their own business and genuinely trying to access the site with good intentions.

One such issue is the “secure connection loop”. You type the URL for the site you want to visit in the address bar, Cloudflare intercepts that request, and puts up a security page that says “Checking if the site connection is secure”. That page looks like this:

Image: Cloudflare's secure connection loop

The issue is that sometimes you can never get past this page. The loading symbol just keeps spinning, but the check never completes. Or maybe the page refreshes and asks you to verify you are a human for a second time. Then it refreshes again, and again, and again. So even though you are a human who is jumping through the hoops Cloudflare demands you jump through, they throw away that hoop and ask you to jump through another one, or else they won’t let you through.

This is a common enough problem that when you search for “Cloudflare checking if the site connection is secure”, you see one result for Cloudflare’s official documentation and every other result asking about how to get around these pages because users are stuck at them.

Image: Cloudflare's browser integrity check causes lots of problems for lots of users

This is what happened to me when I tried to access a page on GitLab for some scientific software I was checking out for work on my work computer. GitLab started using Cloudflare in 2020, so naturally I was met with their “browser integrity check” page. But no matter what I did, I was stuck in that “secure connection loop”. I have no idea why. I checked the developer console for errors and tried to fix them. I temporarily disabled extensions. I opened a private browsing window. I restarted my computer. Nothing worked.

Getting around the secure connection loop

Because I needed to check out this software, I read a bunch of those search results to see if I could get around Cloudflare’s check. Eventually, I found some suggestions that if you’re using Firefox you can disable the privacy.resistFingerprinting option in the about:config page. But that was already listed as false for me when I got stuck, so I switched the value to true just to see if that would do anything.

And that worked! I navigated straight through the browser integrity check and was able to check out the software I wanted to look at. Problem solved.

Just kidding, my problem was only temporarily relieved. And this, in fact, made my situation much worse.

The next day, I tried accessing a web page internal to my company that I need for my work and I was met with this page:

Image: Cloudflare denying me access to an internal work website

To recap: I couldn’t get past a security check page because of issues in Cloudflare’s software. Because of that, I enabled a single privacy-preserving feature in my browser to bypass the faulty page. As a result, I was then blocked on an unrelated website that I need for work.

The silliness of it all is that I was on my work device the whole time, which was behind my workplace VPN. And you can’t access this VPN without specific security certificates being installed on the device. Worse yet, I know that Cloudflare knows I have those certificates. Why? Because it asked for them!

Image: Cloudflare's browser integrity check asking for certificates

Cloudflare has extremely reliable data to attest that I am in fact the person I say I am:

  • user-specific security certificates
  • corporate VPN IP addresses
  • MAC IP address of my machine that I have previously used to access this site 1

But it actively ignores this information in favour of a hint that maybe, there is a possibility that I might, in some possible universe, be doing something I wouldn’t normally do.

I didn’t install some sketchy extension. I’m not connecting over a headless browser. I didn’t change the user agent string. I didn’t try to access the website over Tor or some unconventional protocol. I only changed one privacy-preserving setting in my browser. Even reverting the setting to its previous value didn’t change anything. But now resources that I absolutely need for work are in jeopardy and there’s no easy recourse for me to resolve these issues. And need I remind you that the only reason I enabled this option in the first place was to get around Cloudflare’s faulty security?

What I think happened

What I suspect happened is that the secure connection loop caused my browser to request access to a single page many times in a short time span. Cloudflare detected the high frequency of requests and denials (but not their faulty loop that caused this pattern of requests, of course), and tagged my browser as suspicious. When I then blocked fingerprinting to get around the page, it worked initially, but Cloudflare eventually identified the series of events as nefarious and marked me with their scarlet letter. So now I have no idea when that page will work for me again. Maybe I’ll have to dig through the corporate directory to find the sysadmin responsible for this page to see if they can enable my access again. Who knows how much time that will waste.
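The two complaints above, that a challenge loop makes an honest client look like a burst of suspicious requests, and that strong evidence (a client certificate, a corporate VPN address) is ignored in favour of a weak behavioural hint, are both design choices in a risk scorer. The following is an added illustration, not Cloudflare's logic and not code from this post: a toy edge-side scorer run over constructed log lines. The naive version counts every challenge page the edge served, so a client stuck in an edge-caused loop is flagged exactly like a bot that keeps failing the challenge; the weighted version counts only failed solve attempts and lets strong authentication signals raise the threshold. The log format, the `10.8.0.0/16` VPN range and the client names are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log (not real Cloudflare logs). Fields:
# <unix_ts> <client_id> <source_ip> cert=yes|no <path> <outcome>
# fx-1 is an honest browser that the edge re-challenged six times in 15 s
# (the "secure connection loop"), then let through. bot-7 is a client that
# repeatedly attempts and fails the challenge.
SAMPLE_LOG = """\
100 fx-1 10.8.0.23 cert=yes /group/repo challenge
103 fx-1 10.8.0.23 cert=yes /group/repo challenge
106 fx-1 10.8.0.23 cert=yes /group/repo challenge
109 fx-1 10.8.0.23 cert=yes /group/repo challenge
112 fx-1 10.8.0.23 cert=yes /group/repo challenge
115 fx-1 10.8.0.23 cert=yes /group/repo challenge
140 fx-1 10.8.0.23 cert=yes /group/repo pass
200 bot-7 203.0.113.9 cert=no /group/repo challenge
201 bot-7 203.0.113.9 cert=no /group/repo challenge_failed
202 bot-7 203.0.113.9 cert=no /group/repo challenge
203 bot-7 203.0.113.9 cert=no /group/repo challenge_failed
204 bot-7 203.0.113.9 cert=no /group/repo challenge
205 bot-7 203.0.113.9 cert=no /group/repo challenge_failed
"""

CORP_VPN = ip_network("10.8.0.0/16")  # assumed corporate VPN address range


@dataclass
class Event:
    ts: int
    client: str
    ip: str
    has_cert: bool
    path: str
    outcome: str


def parse(log):
    """Parse the constructed log format into Event records."""
    events = []
    for line in log.splitlines():
        ts, client, ip, cert, path, outcome = line.split()
        events.append(Event(int(ts), client, ip, cert == "cert=yes", path, outcome))
    return events


def burst(stamps, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    stamps = sorted(stamps)
    best = j = 0
    for i in range(len(stamps)):
        while j < len(stamps) and stamps[j] - stamps[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def naive_flags(events, window=60, limit=3):
    """Flag any client served >= `limit` challenge pages within `window` seconds.
    Every challenge counts, including ones the edge re-issued on its own, so a
    user stuck in a loop is indistinguishable from a bot hammering the page."""
    challenges = defaultdict(list)
    for e in events:
        if e.outcome == "challenge":
            challenges[e.client].append(e.ts)
    return {c for c, ts in challenges.items() if burst(ts, window) >= limit}


def weighted_flags(events, window=60, limit=3):
    """Count only challenge *failures* (a solve attempt the client got wrong),
    and let strong evidence, a client certificate or a corporate VPN source
    address, outweigh the behavioural hint by raising the threshold."""
    failures = defaultdict(list)
    strong = defaultdict(bool)
    for e in events:
        strong[e.client] |= e.has_cert or ip_address(e.ip) in CORP_VPN
        if e.outcome == "challenge_failed":
            failures[e.client].append(e.ts)
    flagged = set()
    for client, ts in failures.items():
        threshold = limit * 4 if strong[client] else limit
        if burst(ts, window) >= threshold:
            flagged.add(client)
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("naive   :", sorted(naive_flags(evs)))     # ['bot-7', 'fx-1']
    print("weighted:", sorted(weighted_flags(evs)))  # ['bot-7']
```

The point of the weighted variant is not the specific multiplier but that a detector must distinguish events the client caused (a failed solve) from events the edge caused (a re-issued challenge), and must fold strong authentication evidence into the score rather than treating the fingerprint hint as the only input; otherwise the detector flags its own failure mode as an attack.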

What about Google Chrome?

I tried all of the above in Firefox. So I naturally tried to access the same page in Google Chrome to see if I’d still be blocked. Thankfully, I wasn’t.

But of course I wasn’t because Chrome doesn’t have the same privacy- and security-enhancing designs that Firefox does. Chrome will happily collect as much private information about me and my browsing history and share them with select parties, as needed. It also doesn’t resist fingerprinting or let me modify settings to the same degree that Firefox does because Chrome relies on those fingerprinting technologies to ensure that I am targeted by ads it deems necessary for me to see.

Being blocked on Firefox and not blocked on Chrome also tells me that Cloudflare is blocking me based on the fingerprint (or lack thereof) of my browser. Everything about my connection is identical between the two requests, aside from the browser being used. It’s the same security certificates, same corporate VPN, same machine, even the same timeframe when I try to access the site.

What next?

For the foreseeable future, I have to use Chrome to access this internal work site. I may also have to do this for other sites, because I don’t know how many internal and external websites are “secured” by Cloudflare that may block me now. I could try reinstalling Firefox to see if that changes anything. But at this point I’m just guessing what I could do to solve my problems. And if I’ve learned anything from the events above, it’s that guessing with stuff like this can make my situation much worse with little to no recourse.

Implications for the web, in general

These types of experiences are precisely the things that worry me about the future of the web. I have strong proof that I am who I say I am, but because I took one step out of lockstep with what was expected of me by others that I can’t communicate with, I’m blocked from accessing resources that I need. My case is obviously only one small example. But it is an example that makes my livelihood more difficult and fragmented.

Similar remote attestation and “security” measures could just as easily target things like online banking, which would interfere with just about every aspect of a person’s life. And these aren’t just hypothetical examples, mind you. Anyone who uses a de-Googled Android phone has to go to great lengths to ensure hardware attestation is working correctly, like GrapheneOS documents here, or else they can’t use banking apps. There is scant middle ground between accessing your money on your device and letting Google monitor your every interaction with that device.

Proposals for the future of the web that leave more power with unaccountable corporations and less with the individual will inevitably lead to more situations like this where individuals are left scrambling to figure out the Kafka-esque and invisible rules that they must follow to meet the ever-changing whims of these corporate entities. I feel confident in making bold statements like this because companies, governments, and regulatory bodies across the world have repeatedly and overwhelmingly made decisions that favour corporate and governmental control over individual freedoms, rights, and privacy over the past 20 years. Only in the last few years have legal frameworks with actual teeth started going after companies that routinely violate privacy laws, like the 1.2 B EUR fine levied against Facebook due to its GDPR violations. But these legal decisions don’t happen without huge fights and blowbacks from tech companies.

The Web Integrity API proposal that has so many people and companies in uproar about the future of the web is precisely this kind of proposal. If and when financial companies opt in to remote attestation policies for their websites, it will place greater restrictions on the types of hardware, operating systems, and software individuals can use. I understand that there are legitimately good reasons to block certain combinations of hardware and software, say old devices with known vulnerabilities that cannot get patched. But decisions like this from corporate entities always seem to have motivated reasoning that increases the control of corporations at the cost of the freedoms or rights of individuals.

Take the first example of the Web Integrity API proposal:

Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they’re human, sometimes through tasks like challenges or logins.

Within two sentences, the authors are able to present the needs of advertisers as if they were synonymous with the needs of individuals. And in the third sentence they put the onus on the individual to do something about it. Is it relevant that the authors all work for Google, which makes most of its money from advertising?

Similarly, the introduction of passkeys is a useful proposal that could go multiple ways. More secure access to websites that also provides a simpler user experience is undoubtedly a win-win. But like I mentioned above in my experience with Cloudflare, I already had very strong data to prove that I was who I said I was and they blocked me anyway. How am I to know whether these synced SSH keys that are unique to a single domain won’t get overlooked by Cloudflare or similar service providers? And if these passkeys are going to form the backbone of how I interact with almost any website, how much control over them will I have? A small list of important questions I have about using passkeys are:

  • Will I be able to create and sync these passkeys myself?
  • Can only certain types of software use passkeys? If so, who decides what software meets this standard?
  • Will I only be able to generate passkeys on a device with specific hardware/software requirements like a TPM, DeviceCheck, or Integrity API?
  • Can I, at any time, export my passkeys from one service provider and switch to another provider?
  • If a passkey is involved in a suspicious event, will that suspicious mark propagate to any other device that uses that same passkey?
  • Do devices that contain suspicious passkeys also get marked as suspicious? If so, would that impact the ability of that device to access other independent websites?

I’m not a sysadmin or network engineer, so answers to these questions are simply beyond my expertise. There are other, more important questions I focus on in my day job and I simply do not have the time to become a computer security expert as well. As much as I’d love to use a simpler and standardized authentication method that is more secure than passwords, the central question of how much control I have over my data and how that is respected by others is critical when considering the benefits of ceding control over to corporate entities. And that is separate from the question of how much any of it will even matter if, at the end of the day, some other company with dubious practices and origins just does its own thing anyway.

Passwords, for all their faults, have one fundamentally stellar property by nature: individuals make them for themselves. Individuals can make them on whatever device they own. Individuals can make them how they want. Individuals can manage them how they like. Certain people or tools or companies can make it easier to manage and use your passwords, but ultimately passwords are made by, and belong to, the individual.

VPNs, certificates, fingerprinting, and other technologies are ways of addressing the shortcomings of passwords and computer security. But if I have to give up all pretense of privacy to do basic things, and might still get blocked anyway, how much is any of this stuff helping?
