Any opinions stated here are my own, not necessarily those of any past, present, or future employer.
Cloudflare recently published a blog post about a potential replacement for CAPTCHAs that uses signatures from hardware security keys and WebAuthn, which they are calling “Attestation of Personhood”. The post triggered a good bit of discussion online, particularly around the threat of automation mentioned near the end of the post:
Here are the slides and exploits from the DEF CON 24 talk in Las Vegas, NV. Video to follow in a few weeks.
Update on the slides: these issues have all been resolved; the slides were not updated before upload to the DEF CON server.
I decided to relaunch my blog with my recent domain name change. It’s unlikely I will migrate the old content, but look forward to my incoherent ramblings about security bugs and the state of the industry in the future.