Why replacing CAPTCHA with FIDO2/WebAuthn is a bad idea. Arguments against Cloudflare's decision

Yesterday Cloudflare announced a replacement for CAPTCHA based on FIDO attestation. You can read about it on their blog https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/ , and try the solution yourself (if you have a FIDO-certified security key such as a YubiKey) at https://cloudflarechallenge.com/





You can also read the news from @maybe_elf https://habr.com/ru/news/t/557776/





For those who are interested in learning more about FIDO2, I advise you to read this article https://habr.com/ru/post/354638/





How "FIDO CAPTCHA" works at Cloudflare:

  1. The user is sent to the CAPTCHA page.
  2. The user clicks "I am human".
  3. The security key lights up and the user touches it.
  4. The browser asks for permission to obtain the device's attestation. After the user agrees, the attestation is sent to Cloudflare.
  5. Cloudflare, holding the root certificate obtained from the manufacturer, verifies the attestation certificate.
  6. PROFIT!!!





Before we get to why all this is bad, let's clarify the two main concepts: attestation and CAPTCHA.





What is FIDO Attestation?

FIDO attestation is the manufacturer's proof of what a device is. Every key ships with an attestation key pair and a certificate that chains to the manufacturer's root; during registration the key signs the response with it, so the relying party can verify the make and model of the authenticator (not the individual device).





The model is identified by an identifier in the attestation data: in FIDO2 it is a GUID/UUID, in U2F it is the SKID (Subject Key Identifier) of the attestation certificate. The whole scheme is an ordinary PKI.





What is CAPTCHA?

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a computer test used to determine whether the user of a system is a human or a computer.





Source: https://ru.wikipedia.org/wiki/%D0%9A%D0%B0%D0%BF%D1%87%D0%B0










Problem one: FIDO keys are cheap

Cloudflare relies on FIDO attestation, and attestation only proves that the device is a certified FIDO key. Such keys cost as little as $5, as this tweet notes:





Yes, it's $60 for a UNO, but $5 nano clones work just as well. Source: https://twitter.com/agl__/status/1392876159591882755

Moreover:

By default the WebAuthn API does not convey attestation at all: the default value is "none". A site that wants it must request attestation: "direct", which is what Cloudflare does.

The user must consent to handing the attestation to the website.

In Chromium, if the user declines, the browser erases the attestation statement (EraseAttestationStatement) and the JavaScript caller receives "none" instead of the requested "direct", so Cloudflare has nothing to verify.

The prompt can be suppressed on enterprise-managed Chrome through the SecurityKeyPermitAttestation policy: https://chromeenterprise.google/policies/#SecurityKeyPermitAttestation
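The relying-party side of this check, as an added example that is not code from Cloudflare or from this article: it decodes the WebAuthn attestationObject the browser returns at the end of the flow described above and reports whether a manufacturer-verifiable statement is present or the result was downgraded to "none", also pulling out the FIDO2 GUID (AAGUID) mentioned earlier. The `decodeCbor`/`classifyAttestation` functions and the two hand-encoded sample objects are assumptions built for the example, not bytes captured from a real key.

```javascript
// Added example, not code from Cloudflare or the article: a relying-party
// check of the attestationObject that navigator.credentials.create() returns.
// A minimal CBOR decoder (ints, strings, arrays, maps) is enough to tell a
// manufacturer attestation from one downgraded to "none" by user or browser.
const utf8 = new TextDecoder();

function decodeCbor(b, p = 0) {
  const ib = b[p++], major = ib >> 5, info = ib & 31;
  let n = info;
  if (info === 24) n = b[p++];
  else if (info === 25) { n = (b[p] << 8) | b[p + 1]; p += 2; }
  else if (info > 25) throw new Error("unsupported CBOR length encoding");
  if (major === 0) return [n, p];                                  // unsigned int
  if (major === 1) return [-1 - n, p];                             // negative int
  if (major === 2) return [b.slice(p, p + n), p + n];              // byte string
  if (major === 3) return [utf8.decode(b.slice(p, p + n)), p + n]; // text string
  if (major === 4 || major === 5) {                                // array / map
    const arr = [], map = {};
    for (let i = 0; i < n; i++) {
      let k, v;
      if (major === 5) [k, p] = decodeCbor(b, p);
      [v, p] = decodeCbor(b, p);
      major === 5 ? (map[k] = v) : arr.push(v);
    }
    return [major === 5 ? map : arr, p];
  }
  throw new Error("unsupported CBOR major type " + major);
}

// WebAuthn's default is attestation "none"; a site that wants the
// manufacturer statement must ask for "direct" (as Cloudflare does).
const creationOptions = { attestation: "direct" };

function classifyAttestation(attestationObject) {
  const [att] = decodeCbor(new Uint8Array(attestationObject));
  const authData = att.authData, flags = authData[32];
  const aaguid = flags & 0x40 ? Array.from(authData.slice(37, 53)) : []; // AT flag
  const aaguidZero = aaguid.length === 16 && aaguid.every(x => x === 0);
  // Only fido-u2f and formats carrying an x5c chain can be tied to a
  // manufacturer root; "none" means the user declined or the browser erased it.
  const chain = att.fmt === "fido-u2f" || Array.isArray(att.attStmt.x5c);
  return { fmt: att.fmt, aaguidZero, verifiable: att.fmt !== "none" && chain };
}

// Constructed samples (hand-encoded CBOR, not captured from a real key).
const txt = s => [0x60 | s.length, ...new TextEncoder().encode(s)];
const mkAuthData = aaguid => [...Array(32).fill(0x11), 0x41, 0, 0, 0, 1, ...aaguid, 0, 2, 0xaa, 0xbb, 0xa0];
const wrap = (fmt, stmt, ad) => [0xa3, ...txt("fmt"), ...txt(fmt), ...txt("attStmt"), ...stmt, ...txt("authData"), 0x58, ad.length, ...ad];
const noneObject = wrap("none", [0xa0], mkAuthData(Array(16).fill(0)));
const packedObject = wrap("packed", [0xa3, ...txt("alg"), 0x26, ...txt("sig"), 0x43, 1, 2, 3, ...txt("x5c"), 0x81, 0x43, 4, 5, 6], mkAuthData(Array(16).fill(0x2f)));
```

A verifier that sees `verifiable: false` knows only that some browser talked to it, which is the whole point of the argument above.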





Problem two: FIDO can be automated





Here is an example design of how it could all be done:

A box with a Ryzen 3900, PCI-USB cards and USB hubs, plus 1000 Feitian U2F keys (or Yubico Security Keys at $15-20 each), driven over USB HID. With $5 keys the estimate for the whole rig is about $25,000.





Links:





  • Virtual HID device driver for Windows: https://github.com/djpnewton/vmulti





  • HID access from Python: https://pypi.org/project/hid/





For NFC keys on an ACR122U NFC reader, a fresh tap can be simulated by power-cycling the card over PC/SC: SCARD_UNPOWER_CARD / SCARD_POWER_CARD.





Problem three: attestation is not a CAPTCHA

Cloudflare's announcement makes several claims about what attestation proves and about privacy. Two facts frame the discussion. First, attestation certificates are issued per batch: the same certificate and key are shared by at least 100,000 devices (the 1/100,000 figure), so attestation identifies a model, never an individual key, let alone a person. Second, the trusted attestation roots come from the FIDO Metadata Service (MDS), which tells a verifier what a device is, not who is holding it. Neither fact turns a signature from a certified piece of hardware into proof that a human, rather than a script driving a pile of keys, is on the other end.





Q&A

Q: Why can't a homemade or software authenticator be used instead?





A: Because Cloudflare only accepts certified devices, whose attestation is strictly controlled by the manufacturer. Homemade and software authenticators will simply fail.







