Google Captcha Terror

[Drugwash]

PuzzledGreatly, when you say "running in safe mode" what exactly do you mean? Is it the browser that's running in such mode (no extensions etc.) or is it the operating system itself? Because in case it's the latter you should check (and temporarily, at least, disable) any resident application that may tamper with the Internet connection, such as some antivirus suites (that just protect the rich guys not the average user).

However, if I recall correctly you said earlier before that you had same problems on different computer(s) connected to different ISP(s) so this problem may spread across multiple variables such as browser, OS, provider, town, country. We're still far away from pinpointing the issue other than the hunch of it being Cloudflare's fault.

[PuzzledGreatly]

I'm using Pale Moon, select help > restart with add ons disabled. The dialogue refers to that as Safe Mode. I don't consider it safe as the browser is essentially naked. Running in this manner without any extensions does NOT solve the problem. It merely allows me to complete the captcha. If I run my browser normally and allow all scripting and requests for the site then I'm stuck in an endless loop with one captcha after another. This started about five days ago. I'm positive it is Cloudflare as it sets the cf_clearance cookie. With this cookie I can get straight through to the site. Without it I see the captcha. I tried editing the cookie to extend it beyond the hour and a day it gives me but that didn't work. This morning although I had the cookie I still got the captcha. After running in "safe mode" the cookie's date was reset. What will happen is that cookie will expire and I'll be confronted with the whole mess all over again. I think something is up with Cloudflare. Why is it forcing me to run a naked browser and why does it ignore the date of Its own cookie? It would be helpful if someone else from England or Japan could comment on what cookies they are seeing and whether they have been challenged by Cloudflare. Who else has this cf_clearance cookie? This is beyond frustrating.

[Drugwash]

So in fact you are facing a double challenge:
- browser (through some extension) blocks captcha/cookie validation
- location is permanently red-flagged for Cloudflare
Strange that both your Britain and Japan locations are red-flagged.
For the validation you'll have to tinker with your extensions, see which one is blocking access. Either disable all and enable one at a time testing AHK access, or disable them one by one and retry accessing AHK. Tedious work, I know.

As you probably noticed I'm not living in either England or Japan so unfortunately can't help with cookies. For what it's worth there's no cf_clearance for me (as I've already posted my set of cookies sometime earlier in this topic). Frustration is something I understand very well, I'm sorry you have to live through al this.

[PuzzledGreatly]

I don't think my extensions are blocking the captcha. If I allowed all the scripting and referrals the captcha would work. But around five days ago what happens now is after the captcha clears and I get the green tick I'm presented with captacha process all over again from scratch in an infinite loop. No updates on my PC so I think the change is with Cloudflare. It's almost as if the mere presence of certain extensions is enough to trigger the block. I suppose I could try and pinpoint particular extensions Cloudflare doesn't like but this is beginning to feel like victimization. What's really galling is that Cloudflare is setting a clearance cookie that terminates after 25 hours. What's with that?

[Drugwash]

What I said was that certain extension(s) may block the captcha validation, not the process itself of seeing/interacting with the captcha. That is, the response the captcha script is sending to the (Cloudflare or AHK?) server gets blocked or corrupted.

It might help if you could list all your extensions, no matter how insignificant they may appear to be. Personally I have an extension called "about: addons-memory" which lists all addons on a dedicated page. Then I have "Screengrab (fix version)" which can take a screenshot of the entire web page.
However, the listing itself wouldn't help much as individual addon settings may differ greatly from user to user.
As for the idea of "the mere presence of certain extensions" being the trigger I kinda doubt that but theoretically it's possible. However I could compare your listing with mine and eliminate the common ones that I have no problems with.

From a logical standpoint the clearance cookie is like a limited-age passport. It says you're OK for now but at some point it may not be you using that IP so whoever is using it at that point should pass the test again to get new clearance. This shows your IP ranges are definitely red-flagged in the Cloudflare database and it's unlikely to be cleared permanently anytime soon.

The Internet is not what it used to be anymore. I've had my share of navigating "troubled" waters back then and it all seemed like a large ocean of knowledge. Not anymore for some time already - it's been transformed into small seas with narrow policed canals (if any) that allow passage from one sea to another. That's the reality and the "freedom" of the 21st century, my friend…

[PuzzledGreatly]

After testing by disabling extensions it seems that cloudflare doesn't like Smart Referer (version 0.0.11). With this disabled I can allow scripting with NoScript and RequestPolicy to load and pass the captcha and get the cf_clearance cookie. I tried using Cookie Manager to change the cf_clearance cookies expiry date but the cookie still times out. It looks like cloudflare is specifically targeting my computer with the AHK site. Regarding the canals it's less policing and more like militarized occupation.

[tank]

yep its just you cloudflare had an executive meeting and said fragg this guy in particular

[Drugwash]

After testing by disabling extensions it seems that cloudflare doesn't like Smart Referer (version 0.0.11). With this disabled I can allow scripting with NoScript and RequestPolicy to load and pass the captcha and get the cf_clearance cookie. I tried using Cookie Manager to change the cf_clearance cookies expiry date but the cookie still times out. It looks like cloudflare is specifically targeting my computer with the AHK site. Regarding the canals it's less policing and more like militarized occupation.

Good, you found the culprit for one part of the bigger issue. That's a step forward. Personally I've never used that extension so can't say anything about its usage, but its description on the Mozilla Addons page says "You can whitelist domains with wildcards and configure other things, look in the preferences page of the addon in the addon manager" so you'd have to look there and change some settings if you want to keep using it.

There are settings regarding the lifetime of cookies in Pale Moon's options and there may be more advanced options if you install Pale Moon Commander. There are also settings regarding sending the referer, în Tools > Advanced options > Security > Privacy (the advanced options are provided by Pale Moon Commander). Maybe you should tinker with those settings a bit. But don't touch the Ciphers tabs or bad things may happen. I've enabled all of them instead of using the defaults and couldn't access my profile and settings in WordPress anymore afterwards. So be careful what you change, maybe get screenshots of the defaults for each tab and subtab and test thoroughly.

As for Cloudflare specifically targeting your computer… c'mon, you have to admit it's too far stretched.
You may be right with the canals though. Either way it doesn't make us feel safer, but more oppressed. Oh well…

[joedf]

Yay

[PuzzledGreatly]

Thanks, I'll look into the settings you mention, but I don't have issues with cookies from any other site so I'm doubtful. I'd be surprised if the AHK site is the only one I visit that uses Cloudflare but it is the only one that presents me with a captcha every time I do so, hence my remark about my computer being targeted. But my worry is that there may be a significant number of people based in England and Japan that are being blocked by cloudflare and don't get to the site because of the hassle.

[Drugwash]

Maybe - just maybe - you have some other tight settings regarding browser type, OS type or whatever other information a server such as Cloudflare might request from your computer and when the request is denied it goes into paranoia mode and presents you with the captcha.

Another possibility would be for the AHK site to be placed on a higher rank in the list of sites more susceptible to a DDoS attack or whatever, so Cloudflare will check its visitors more thoroughly when they come from red-flagged IP blocks.

Again, this is just an assumption - only someone who knows Cloudflare really really well could confirm or deny.

[nnnik]

CloudFlare tries to decide whether a certain attempt to connect to a site is harmful or not.
When it isn't sure whether you are human or not it will show a captcha.

So far that's how it works in a simple way. Now it would be bad if there were no optimisations.
If you imagine a DDOS hitting it is basically a lot of computers executing similar code to access a certain site. If it always had to individually decide whether an access is bad or good during such times it would exhaust it's own system and that wouldn't prevent the DDOS.
So in order to make things easier it will try to find a common denominator all these accesses have in common and store that result. It will try to analyze every bit of information about your browser it can get out of it.
Now when you get a Captcha and a plugin prevents CloudFlare from confirimg the result you have basically failed the test of being a good connection. CloudFlare will try to analyze anything that's special about your browser and memorize it to recognize the robot.
Since you failed the captcha so often it thinks that a lot of bots using your request/browser settings access the site and you will get a Captcha more frequently.
( At least that's what I think is happening )

That is neither a problem or fault on our side nor is it a fault of CloudFlare. It's simply impossible to cover all possible use cases - you only cover a certain part that's in scope. With our current ressources you are out of scope.

[PuzzledGreatly]

Well it is definitely the Cloudflare settings for this site that are triggering the captcha. I found at least one other site I visit regularly that uses Cloudflare and I've never seen hint of a captcha there. The problem is that Cloudflare is forcing me to go through the captcha process every day even though I am logged in. I don't think that is reasonable. Oh, and did I mention that the captcha process has gotten slower and more long winded. I just hope this isn't happening to other visitors who are not members.

[Exaskryz]

Can you confirm at the moment that with Smart Referer disabled, you are able to login just fine?

I'm curious about testing, but don't want to risk it being a success and then having the same problems you are. I'll at the very least be able to use my smartphone and firefox browser for that addon and hopefully see if it triggers something while I'm on LTE data, to prevent impacting my PC on WiFi.

[nnnik]

Can you confirm at the moment that with Smart Referer disabled, you are able to login just fine?

I'm curious about testing, but don't want to risk it being a success and then having the same problems you are. I'll at the very least be able to use my smartphone and firefox browser for that addon and hopefully see if it triggers something while I'm on LTE data, to prevent impacting my PC on WiFi.

You would probably have to use Pale Moon too.

[Exaskryz]

That's what I'm afraid of. I use Pale Moon normally on my PC, but don't want to fall into this trap ^^

AFAIK, there's no mobile pale moon.

I might be able to try it if I take my PC to Uni, use their wifi, and use a different Windows profile and browser profile to minimize any association to my normal browser.

[PuzzledGreatly]

This is getting bizarre. I have Smart Referer active, the cf_clearance cookie has expired but I got to this page without any captcha. Previously, if I had Smart Referer active I'd get the captcha and then after completing it I'd get another one in an endless loop. With it disabled I could get through the captcha. After 25 hours the cf_clearance cookie would expire and I'd have to go through the whole captcha process again. I wonder how long this state of grace will last?

[tank]

the executive committee at cloudflare has pardoned you

[joedf]

lol, tank. you troll hahah

[Drugwash]

This is getting bizarre. I have Smart Referer active, the cf_clearance cookie has expired but I got to this page without any captcha. Previously, if I had Smart Referer active I'd get the captcha and then after completing it I'd get another one in an endless loop. With it disabled I could get through the captcha. After 25 hours the cf_clearance cookie would expire and I'd have to go through the whole captcha process again. I wonder how long this state of grace will last?

Maybe this time your current ISP has assigned you an IP in a "clear" range that CloudFlare trusts enough not to pull the captcha on its users.
Told you to monitor your IP on each connection to narrow down the issue…
BTW, there are several online whois services that offer details on IP ranges.