Following in the rickety footsteps of Fastly, bedeviled by a bug earlier this week, network services biz Cloudflare briefly stumbled on Friday as an elevated error rate interfered with connectivity for customers in Chicago and Los Angeles.
“Cloudflare is aware of, and investigating an issue which potentially impacts multiple customers,” the company said on its status page on June 11, 2021, at 1617 UTC. “Further detail will be provided as more information becomes available.”
Sixteen minutes later, the biz said it had identified the problem and was working on a fix.
Cloudflare didn’t immediately respond to a request to provide more detail about what went wrong. However, the service troubles led to connection difficulties around 1637 UTC for chat service Discord, which reported “connection failures in US East (ATL) due to issues upstream of our service,” and said its engineers were working with Cloudflare to restore service.
E-commerce biz Shopify likewise reported service issues around 1607 UTC with its Admin, Storefront, Support, and Point of Sale services. And it said the problems were resolved by 1712 UTC.
At 1715 UTC, Cloudflare on its status page said, “A fix has been implemented and we are monitoring the results.”
Separately, the company’s CAPTCHA alternative, “Cryptographic Attestation of Personhood” (CAP), has been challenged by Luke Young, security engineer at LinkedIn.
Young, acting in a personal capacity, decided to test whether Cloudflare’s bot-spotting CAP system could be beaten by an automated system.
CAP uses the attestation feature of Web Authentication (WebAuthn): site visitors are presented with a challenge that they click on, which then triggers a prompt for a hardware security key. The key provides a cryptographic token to Cloudflare, in conjunction with a user presence check, as proof that the visitor is a person rather than a bot.
Cloudflare proposed this scheme as a way to avoid being asked to solve bothersome CAPTCHA riddles, like identifying traffic lights and crosswalks repeatedly in pictures. But it did so with the acknowledgement that a mechanical system designed to fake physical presence by interacting with CAP challenges might be possible.
Young demonstrated that constructing such a system is not all that difficult for those with security and soldering skills. He used a SoloKey, an open source FIDO2 security key, to develop modified key firmware that bypasses the user presence check (normally satisfied by manually pressing the button on the key). From there, he created a simple Python server that uses the USB security key to automate CAP interactions.
Armed with a handful of $16 HyperFIDO keys purchased online and a CPU-equipped circuit board (initially a Raspberry Pi, later an Arduino), he managed to assemble a web service capable of responding to WebAuthn signing requests in a way that bypasses the user presence test.
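What the user presence check amounts to on the relying-party side, as an added example (not code from this article, Cloudflare or Young): the WebAuthn authenticatorData byte layout is parsed and the checks a verifier can make are applied. The AAGUID allowlist, the `example.com` relying party and the sample bytes are constructed here; the allowlist stands in for the page’s “trusted manufacturers” set, which is an assumption about how that set is keyed.

```python
# Added example (not code from The Register, Cloudflare or Luke Young): parse
# WebAuthn authenticatorData per the W3C layout and run the checks a relying
# party can make. The AAGUID allowlist and sample bytes are constructed here.
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data follows the header

def parse_authenticator_data(data: bytes) -> dict:
    """Layout: rpIdHash(32) | flags(1) | signCount(4) | [AAGUID(16) | credIdLen(2) | credId]."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    out = {"rp_id_hash": data[:32], "flags": data[32],
           "sign_count": struct.unpack(">I", data[33:37])[0],
           "aaguid": None, "credential_id": None}
    if out["flags"] & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        out["aaguid"] = data[37:53]
        cred_len = struct.unpack(">H", data[53:55])[0]
        out["credential_id"] = data[55:55 + cred_len]
        if len(out["credential_id"]) != cred_len:
            raise ValueError("credential id truncated")
    return out

def check_presence(data: bytes, rp_id: str, trusted_aaguids: set) -> tuple:
    """Relying-party checks: right RP, UP bit set, authenticator model trusted.

    The UP bit is only the authenticator's own claim; modified firmware can set
    it with no button press, so the manufacturer check (by AAGUID here, as a
    stand-in for CAP's attestation check) is what actually carries the weight.
    """
    ad = parse_authenticator_data(data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad["flags"] & FLAG_UP:
        return False, "user presence not asserted"
    if ad["aaguid"] is None or ad["aaguid"] not in trusted_aaguids:
        return False, "authenticator model not in trusted set"
    return True, "ok"

def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: bytes, cred_id: bytes) -> bytes:
    """Constructed sample authenticatorData for tests; not captured from a real key."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id)

# Constructed AAGUID standing in for one trusted manufacturer model (hypothetical value).
TRUSTED_AAGUIDS = {bytes.fromhex("00112233445566778899aabbccddeeff")}
```

A key whose firmware sets the UP bit without a press passes `check_presence` exactly like a real one, which is why the trusted-manufacturer check, not the flag, is the only part of this verification that bears on Young’s bypass.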
“If an attacker has automated attacks (e.g. DDOS, mass goods purchasing, etc.) that need to bypass the attestation of personhood, this is a reliable way to do it with relatively low cost and effort,” said Young in a post about this project.
“For a few hours of work and a hundred dollars of hardware keys, an attacker could make a reusable system that could support theoretically limitless automated requests that could successfully bypass the challenge.”
Young, however, points out that Cloudflare has considered the possibility of such trickery. At the time it proposed CAP, the company suggested the system would still be more costly to bypass than current image-based CAPTCHA systems.
“With our current set of trusted manufacturers, this would be slower than the solving rate of professional CAPTCHA-solving services, while allowing legitimate users to pass through with certainty,” said Cloudflare research engineer Thibault Meunier in May. “In addition, existing Cloudflare mitigations would remain in place, efficiently protecting Internet properties.”
In response to an email inquiry from The Register, a Cloudflare spokesperson pointed to Meunier’s observations and said the company has not noticed any attack vectors related to the Cryptographic Attestation of Personhood (CAP) project, an experimental research effort that is still in development.
“It’s great that the security community continues to be interested in this experiment,” the company spokesperson said. “CAP is one layer in a multilayered system that defends against bots.” ®