Security Now (Audio), Episode 1035
Title: Cloudflare's 1.1.1.1 Outage – Bypassing Passkey Protections
Date: July 23, 2025
Hosts: Steve Gibson & Leo Laporte
Episode Overview
In this insightful episode, Steve Gibson and Leo Laporte unpack a dramatic global DNS outage caused by a misconfiguration at Cloudflare, delving into the technical nuances and the resulting worldwide impact. The show also covers the discovery of a viable attack for bypassing the much-vaunted passkey protections, explores the growing governmental clampdown on internet freedoms (with a focus on Russia and China), and examines the persistent industry challenges around age verification for internet users. Additionally, the episode highlights cybersecurity trends, notable ransomware attacks, changes in corporate security policies, and features Steve’s ongoing work with DNS benchmarking tools.
Major Discussion Topics & Insights
1. Cloudflare’s Quad One (1.1.1.1) DNS Global Outage
Timestamp: [04:14], Detailed Discussion: [128:18], [151:55]
- On July 14, 2025, Cloudflare's flagship DNS resolver “1.1.1.1” (“Quad One”) went offline globally for about an hour due to an internal misconfiguration associated with BGP (Border Gateway Protocol). Both IPv4 and IPv6 addresses were impacted, making DNS resolution for millions of users unavailable.
- The error stemmed from inadvertently including the Quad One service prefixes in a topology intended for a non-production DLS service. This latent configuration, introduced in June but only triggered in July, led to Cloudflare withdrawing critical BGP announcements worldwide.
- Steve highlighted the crucial best practice: always configure at least two DNS resolvers from different providers to guard against outages like this.
- Quote:
"This outage occurred because of a misconfiguration of legacy systems used to maintain the infrastructure that advertises Cloudflare's IP addresses to the Internet.... The root cause was an internal configuration error and not the result of an attack or a BGP hijack." – Steve Gibson reading Cloudflare’s report [132:50]
- The use of Anycast IP addresses by Cloudflare means DNS traffic is intelligently routed to the closest data center, usually providing low latency and high reliability—unless all global announcements vanish as they did here.
- The event graphically showed the internet’s reliance on DNS and how a single point of failure can have massive repercussions.
- Quote:
"For many users, not being able to resolve names using the 1.1.1.1 resolver meant that basically all Internet services were unavailable." – Cloudflare, quoted by Steve [129:58]
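The root cause above was a latent configuration error: production prefixes attached to a non-production topology, harmless until a later change activated it. As an added example (not Cloudflare's tooling), this Python lint catches that class of mistake at change time by flagging any non-production service whose prefixes cover a protected production address; the only real values are the public 1.1.1.1 resolver addresses, the topology itself is constructed.

```python
import ipaddress

# Public addresses of the 1.1.1.1 resolver (IPv4 and IPv6), treated here as the
# protected production set. Any other production service would be listed the same way.
PROTECTED = {
    "quad-one-resolver": ["1.1.1.1/32", "1.0.0.1/32",
                          "2606:4700:4700::1111/128", "2606:4700:4700::1001/128"],
}

def lint_topology(topology: dict) -> list:
    """Return one finding per prefix on a non-production service topology that
    covers or overlaps a protected production address. Meant to run on every
    topology change, so a latent mistake is caught when it is committed rather
    than when a later, unrelated change activates it."""
    protected = [(name, ipaddress.ip_network(p))
                 for name, plist in PROTECTED.items() for p in plist]
    findings = []
    for svc in topology.get("services", []):
        if svc.get("environment") == "production":
            continue
        for raw in svc.get("prefixes", []):
            net = ipaddress.ip_network(raw, strict=False)
            for name, prod in protected:
                if net.version == prod.version and net.overlaps(prod):
                    findings.append(
                        f"{svc['name']} ({svc['environment']}): {raw} covers {prod} of {name}")
    return findings

# Constructed topology (not Cloudflare's real configuration): a non-production
# "dls-test" entry that mistakenly carries the resolver prefixes alongside its own
# RFC 5737 documentation-range prefix.
SAMPLE_TOPOLOGY = {
    "services": [
        {"name": "quad-one-resolver", "environment": "production",
         "prefixes": ["1.1.1.0/24", "1.0.0.0/24", "2606:4700:4700::/48"]},
        {"name": "dls-test", "environment": "non-production",
         "prefixes": ["203.0.113.0/24", "1.1.1.0/24", "2606:4700:4700::/48"]},
    ]
}

if __name__ == "__main__":
    for finding in lint_topology(SAMPLE_TOPOLOGY):
        print(finding)
```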
2. Active Attacks Successfully Bypassing All Passkey Protections
Timestamp: [17:31]
- Researchers at Expel Security discovered attackers leveraging "adversary-in-the-middle" (AitM) downgrade attacks to bypass FIDO2/passkey (passwordless) authentication during phishing.
- The method involves tricking victims into entering credentials at a phishing site, which then requests a cross-device passkey sign-in, serving the real authentication QR via the fake site. When the user scans this QR code (thinking it’s legitimate), the attackers gain access.
- Key vulnerability: Cross-device passkey flows lack the channel binding that on-device authentication offers.
- Quote:
"Bad actors have figured out how to downgrade FIDO key authentication when compromising accounts... This technique is being leveraged in phishing attacks, meaning it's happening in the wild that passkeys are being bypassed." – Steve Gibson [17:39]
- Steve contrasted this with his own SQRL technology, noting it was designed to avoid this AitM weakness during same-device authentication.
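To make the relying-party side of this concrete, here is an added Python example (not Expel's, GRC's or any FIDO library's code) of the standard WebAuthn assertion checks followed by a policy step that refuses credentials usable over the cross-device "hybrid" transport for high-assurance actions. The origin check on its own does not catch the relay described above, because the attacker's own browser sits on the genuine origin when it starts the flow; the credential records, challenge and origin are constructed, and signature verification is omitted.

```python
import base64
import hashlib
import json

# Constructed sample of what a relying party stores per credential at registration.
# "transports" comes from the client's getTransports(); "hybrid" means the credential
# can be exercised through the cross-device (QR code) flow.
REGISTERED = {
    "cred-phone":  {"rp_id": "example.test", "transports": ["internal", "hybrid"]},
    "cred-laptop": {"rp_id": "example.test", "transports": ["internal"]},
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(challenge: str, origin: str) -> str:
    """Build base64url clientDataJSON as a browser would for navigator.credentials.get()."""
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(cd).encode()).decode().rstrip("=")

def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Minimal authenticatorData: rpIdHash(32) | flags(1) | signCount(4). 0x05 = UP|UV."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")

def check_assertion(cred_id, client_data_b64, auth_data, expected_challenge,
                    expected_origin, attachment, high_assurance):
    """Standard WebAuthn 'get' checks (signature verification omitted), then a policy
    step: for high-assurance actions, refuse credentials that can be used cross-device."""
    cred = REGISTERED[cred_id]
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return "reject: wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return "reject: challenge mismatch"
    if cd.get("origin") != expected_origin:
        return "reject: origin mismatch"
    if auth_data[:32] != hashlib.sha256(cred["rp_id"].encode()).digest():
        return "reject: rpIdHash mismatch"
    flags = auth_data[32]
    if not (flags & 0x01) or not (flags & 0x04):
        return "reject: user presence/verification flags not set"
    # attachment is the client-reported PublicKeyCredential.authenticatorAttachment;
    # it is not signed, so the transports stored at registration are the stronger signal.
    if high_assurance and ("hybrid" in cred["transports"] or attachment == "cross-platform"):
        return "reject: cross-device capable credential not allowed for this action"
    return "accept"
```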
3. Other Security News & Trends
Ransomware Attacks Remain Pervasive
Timestamp: [33:44]
- Recent ransomware hits included South Korea’s Seoul Guarantee Insurance and the US grocery distributor United Natural Foods, collectively resulting in operational chaos and hundreds of millions in losses.
- A notable legal response: Qantas obtained an injunction against publishing their stolen data, which Steve wryly noted is "unlikely to concern the actual criminals."
Cloudflare Compromises on Net Neutrality – UK Domain Blocking
Timestamp: [39:42]
- For the first time, Cloudflare is actively blocking access to “pirate” sites in the UK, complying with legal orders and returning HTTP 451 ("unavailable for legal reasons") error messages.
- The show discusses the complexities of geofencing, transparency, legal compliance, and the relative ineffectiveness (and new effective uses) of DNS-level blocking.
- Quote:
"Cloudflare appears to have changed their long standing policy of enforcing total net neutrality... they're now geo-blocking sites for UK users to comply with legal orders." – Steve Gibson [39:42]
Tightening of Internet Controls: Russia & China
Timestamp (Russia): [79:50]
- Russia criminalizes searching for as well as sharing “extremist” content, with penalties and potential for escalation to criminal prosecutions, illustrating increasing global governmental intervention in internet freedoms.
- Quote:
"A new Russian law has criminalized online searches for controversial content... the new amendments follow remarks by high-ranking officials that censorship is justified in wartime." – Steve Gibson [79:50]
Timestamp (China): [92:11]
- Chinese border and police authorities are extracting data from Android phones using new forensics tools; travelers are advised to use burner devices and establish plausible histories.
- Leo notes, "…the USA is just as bad" regarding digital device checks at the border.
The (Still) Intractable Problem of Age Verification
Timestamp: [59:50], [110:02]
- Platforms continue facing mounting pressure to implement robust user age verification (e.g., Roblox, Steam, and payment processor-imposed bans on content).
- Robust technical solutions that preserve privacy while resisting spoofing (fake IDs) are lacking; Steve sketches potential protocols involving biometrics and cryptographic zero-knowledge proofs.
- Quote:
"The need to verify the age of internet users is not off in the future… we need standards, we need technology, and we need all that yesterday–because the need for age verification is today." – Steve Gibson [61:51]
4. Listener Feedback
Timestamp: [98:54], [109:59]
- Users report successful use of SpinRite to recover Kindles and TiVo devices.
- Discussion about the nature of AI and simulated intelligence—Steve echoes Edsger Dijkstra’s sentiment:
- Quote:
"The question of whether computers can think is just as relevant and just as meaningful as the question of whether submarines can swim." – Edsger Dijkstra, recounted by Steve [109:21]
5. Steve’s DNS Benchmark Development
Timestamp: [128:40], [166:25]
- Steve provides an update on the next-generation DNS Benchmark tool. It now includes domain filter checking, supports all DNS protocols, and identifies the fastest provider for any user location. He notes Cloudflare’s dominant speed and reliability, largely owing to their strategic use of Anycast.
Notable Quotes & Memorable Moments
- On Anycast and Cloudflare’s Outage:
“It is so crucial to the operation of all of the services that we now just take for granted on the Internet.” – Steve Gibson [166:19]
- On Cross-Device Passkey Phishing:
“A determined attacker in the middle that’s able to engineer a spoofed phishing attack and convince a user to enter their valid username and password… can still get themselves authenticated even with passkey protected authentication.” – Steve Gibson [30:04]
- On the Changing Internet Regulatory Environment:
“The world is starting to wake up to the Internet and the age of the people using it is suddenly a big deal. So we need protocols… and I don’t see any sign of this happening.” – Steve Gibson [60:52]
Key Timestamps for Important Segments
| Timestamp | Topic Description |
|-----------|-------------------|
| [04:14] | Episode agenda and Quad One DNS outage preview |
| [17:31] | Passkey bypass attack: method and implications |
| [33:44] | Ransomware attack round-up, Qantas legal action |
| [39:42] | Cloudflare net neutrality compromise, UK blocks |
| [59:50] | Growing pressure and complexity of age verification |
| [79:50] | Russia criminalizing online searches |
| [92:11] | China’s phone forensics, travel cyber hygiene |
| [98:54] | SpinRite success stories, simulated intelligence |
| [109:21] | Dijkstra on AI and intelligence |
| [128:18] | In-depth analysis: Cloudflare’s 1.1.1.1 outage |
| [151:55] | Cloudflare’s outage timeline, internal causes |
| [166:25] | DNS Benchmark tool update |
Additional Technical Explanations
- Anycast DNS (Cloudflare): Ensures global low-latency query resolution by routing requests to the nearest geographic data center.
- BGP (Border Gateway Protocol): Vital for internet routing; a misannouncement or withdrawal can “disappear” global services.
- FIDO2/Passkey Bypass: AitM attacks can exploit the fallback “cross-device” authentication flows that lack secure key-binding between authentication factors.
Final Thoughts
Steve and Leo close with reflections on the unprecedented dependence on DNS reliability, the need for urgent innovation in age verification protocols, and the rising global tide of state-level internet controls. Steve promises further updates on his DNS Benchmark tool and continues to advocate for privacy-first, user-centric security designs in a rapidly shifting digital landscape.
For more resources and this episode’s transcript:
- GRC.com Security Now Show Notes & Benchmarks
- Cloudflare Radar for 1.1.1.1 (shortcut: GRC.SC/1035)
Next Episode Preview: Listener feedback, new security tools, and continued coverage of emergent cyber threats.