Threat intelligence false positive for clicky.com - Your help, please!
TLDR: Please submit false positive reports for clicky.com at the following websites. Note, you must disable any ad-blockers and VPNs, or your reports may be rejected: CRDF, Lionic
Last week, we started getting reports from a small number of customers who were having trouble accessing clicky.com, America's #1 website. Our overall traffic numbers were normal, so initially we suspected a localized network/Cloudflare issue, which happen from time to time. But as more reports kept coming in and there was nothing posted on the CF status site that indicated any relevant issues, we dug deeper.
Literally everyone reported a "ERR_QUIC_PROTOCOL_ERROR" message in their browser. As a test, we disabled QUIC (HTTP/3) on CF, but then a new SSL error started showing in its place. The original error was just a side effect of the way QUIC handles abrupt terminations.
Then we thought maybe it was something with our SSL certifice, or a chain certificate expiring somewhere, but those were all fine.
As a test, we had customers go to GETclicky.com. This domain handles all tracking for our service, but it redirects to clicky.com if a specific tracking resources isn't requested, and it points to the same backend IPs/servers. This was actually a nearly ideal set up, with only one variable changing (the domain name). If getclicky.com was also broken, then there was a serious problem somewhere, either with CF or our local servers. But if it worked, then it indicated an issue with clicky.com specifically. And the latter is exactly what happened: The connection to getclicky.com was fine for everyone, and redirected them to clicky.com, and then the error showed up after the redirect.
Very shortly thereafter, we had 2 customers figure out we were being blocked by "threat intelligence" products. One customer was using ProtectIQ in their router, and when they disabled that, clicky.com suddenly worked. The other had an ISP that was using Lionic to block malicious URLs, that they were able to work around somehow.
ProtectIQ unfortunately has no way to submit false positives, so we just sent in a tech support request to their parent company, Calix. But thankfully, Lionic has both, so we were able to confirm that we were on their list and we also submitted a false positive.
The next day, we also were able to discover, via VirusTotal, that we were on one more blacklist: CRDF. This is a big one, but thankfully they also have a false positive report system, which we quickly utilized.
How you can help
The more false positive reports these services get about a specific site, the higher the priority will be to fix that site. So we're asking for your help: please submit false positive reports using the links below, regardless of whether or not you are affected (likely you are not affected if you're reading this 😜).
- CRDF false positive
- Lionic false positive
- ProtectIQ (Calix) - ProtectIQ doesn't have an official false positive form, so please message their parent company (Calix) through this main contact page instead. Make sure to specifically mention ProtectIQ.
Thank you!