[HN Gopher] Building a WebAuthn Click Farm
       ___________________________________________________________________
        
       Building a WebAuthn Click Farm
        
       Author : jsnell
       Score  : 85 points
       Date   : 2021-06-14 07:50 UTC (1 day ago)
        
 (HTM) web link (betterappsec.com)
 (TXT) w3m dump (betterappsec.com)
        
       | baybal2 wrote:
       | Informing people again, WebAuthn is authentication only, and does
       | not substitute for signing, and client encryption.
       | 
       | It's been nearly 10 years in the making, went through multiple
       | complete spec rewrites, and endless errata.
       | 
       | And for that bicycle reinvention attempt with extra feature of
       | captcha, and DRM, Google killed the keygen tag in Chrome.
        
       | 1cvmask wrote:
       | You can actually buy FIDO keys wholesale for under $5 if the
       | order is over 10 thousand units directly from the manufacturers.
        
         | megablast wrote:
         | Great idea. This guy should have paid $50,000 instead of $100
         | with next day shipping.
        
       | no_time wrote:
       | If this catches on I will make sure to buy and abuse a few of
       | these tokens every month just to get them banned.
       | 
       | Doing a little trolling, 100k+ banned tokens at a time.
        
       | xaduha wrote:
       | I'm holding off buying WebAuthn stuff until the fabled YubiKey
       | Bio comes out since WebAuthn support is still so insignificant
       | even compared to TOTP. But big players like Cloudflare supporting
       | it might change the picture.
        
       | fouc wrote:
       | >How I built a click farm to "bypass" Cloudflare's CAPTCHA killer
       | with some cheap USB security keys, an Arduino, and a bit of
       | python.
        
       | soheil wrote:
       | > Any opinions stated here are my own, not necessarily those of
       | any past, present, or future employer.
       | 
       | Is it common to get in trouble with employers if this is not
       | stated? I don't understand how a clearly non-work related blog
       | post like this could land someone in hot water with their
       | employer. And even if it were I still don't understand how this
       | statement alone can help.
        
         | kkirsche wrote:
         | I've seen it a fair amount in cyber security, especially if you
         | are attacking or leveraging things that the company sells or
         | promotes. Does it work? Anecdotally yes, but that's not
         | something I would bank on when releasing content that I feel
         | needs a disclaimer.
         | 
         | Realistically, if someone wants to release something
         | questionable, it's preferable to work with the company prior to
         | releasing it to find the verbiage they want used (similar to
         | how many google GitHub repositories state they aren't official
         | Google products) and to understand if you will end up in hot
         | water.
        
         | jessedhillon wrote:
         | Disclaimers have become magical incantations of a litigious,
         | safety-obsessed culture.
        
           | noizejoy wrote:
           | They remind me of the safety labels on everyday items
           | containing often apparently ridiculously obvious warnings.
           | Like electrical shock warnings on extension cords, or
           | warnings to not put a ladder on a slippery surface.
           | 
           | For non US based individuals encountering these for the first
           | time, they often were their first encounter with how
           | different the US legal system really was/is from the rest of
           | the world.
        
           | xbar wrote:
           | Back, demon!
           | 
           | ------------------------------------------------------------
           | WARNING: This product contains a chemical known to the State
           | of California to cause cancer.
        
         | nkrisc wrote:
         | The cost of including it is nothing, so on the chance it works,
         | there's only upside. If it doesn't work, it's the same as not
         | having it but the cost to include it was nothing, so what
         | reason is there to not include it?
        
           | soheil wrote:
           | This sounds an awful lot like Pascal's wager.
        
       | daveguy wrote:
       | > "Does this mean 'Attestation of Personhood' is broken? ... In
       | my opinion, no. Starting with the obvious, Cloudflare has clearly
       | considered this attack vector as they mentioned it in the post
       | and decided it still raises the cost of an attack over the
       | current CAPTCHA model...
       | 
       | Attackers are already willing to purchase a bunch of cell phones
       | to emulate human behavior. 'Attestation of Personhood' with the
       | use of a hardware key is completely broken.
        
       | mandatory wrote:
       | Plot twist: this post is a smokescreen for this person working
       | remotely from home and needing to automate their U2F key pressing
        
         | dkdk8283 wrote:
         | Anything with a capacitive touch sensor can easily be
         | automated.
        
       ___________________________________________________________________
       (page generated 2021-06-15 23:00 UTC)