4

What can I do to fix the CloudFlare "Checking if the site connection is secure" infinite loop?

I'm trying to load a website. The very first GET gets sent to an interstitial page run by Cloudflare that says

Checking if the site connection is secure

[site] needs to review the security of your connection before proceeding.

When the page first loads:

  1. first a spinning circle appears
  2. then the circle disappears
  3. then a reCAPTCHA-like grey table with a "challenge spinner" appears, but all it says is Verifying... with a green spinner. It stays like this for a long time, leaving me to twiddle my thumbs in frustration.
  4. then, finally, the "challenge spinner" disappears and another grey spinning circle appears
  5. then the page reloads completely, this time with a "challenge spinner" with a checkbox that says Verify you are human.
  6. I click the checkbox, and it changes back to the green spinner.
  7. Then the challenge spinner disappears
  8. Then a grey spinner appears
  9. Then the page reloads and I'm again presented with another "challenge spinner" that says Verify you are human.
  10. GOTO 6

I'm trying to access a website in TAILS (using Tor Browser, for security reasons). This issue occurs on a fresh boot. It should go without saying that I'm not doing anything malicious, but I'll say it: all I've done is type the naked domain into the address bar and press <enter>.

Is this a bug? I've done this infinite loop for half an hour. How can I prove to CloudFlare that I'm human and escape this infinite loop?

1 Answer

0

It might not be possible.

Unlike offline spaces, it's currently legal for a business to discriminate against you purely on the basis of how you look by denying you access to their online premises.

Unfortunately, the methods used by CloudFlare (a private for-profit company) to deny customers access to a business' website use closed-source algorithms that are not (yet) legally required to be disclosed to the public for the purposes of transparency (to ensure that they do not violate the law due to unlawful discrimination).

It's highly likely that these fingerprinting algorithms (which are notorious for false-positives leading to widespread discrimination on the Internet) are using machine-learning algorithms. Fortunately, in 2023 the EU has begun to draft legislation that will require disclosure, public review, and restrictions of AI-powered algorithms. US lawmakers have also met with leading experts on AI algorithms to discuss regulations.

Lobby the government

Hopefully one day we will have data privacy laws that protect consumers from businesses that discriminate on the basis of how you look (and, rather, only enforce protections on the basis of how you act), but currently the best solution to this problem is: write to your legislators and donate to digital-rights NGO lobbyists like the EFF, Open Rights Group, Privacy International, etc.

Lobby the business

You can also contact the business and let them know that their Cloudflare setup is misconfigured and causing false-positives (CC their security team).

At the time of writing, Cloudflare's default settings do not result in an infinite loop. In fact, if you go to Cloudflare's website and try to log in as a customer, you probably won't get stuck in an infinite loop. Cloudflare knows how to configure & test their own systems not to break like this; many of their customers don't.

Cloudflare's customers can easily enable "anti-bot protection" in Cloudflare and misconfigure it to the point where their users experience false-positive issues like this question describes. This is, in fact, a misconfiguration. It probably wasn't detected by the business due to poor testing.

Email them. Let them know that you can't access their website. Tell their security team that their Cloudflare setup is misconfigured, and ask them to test their website on Tor Browser.