Yesterday, it was revealed by Google’s Project Zero that Cloudflare (a popular Content Delivery Network) was leaking sensitive information between websites. For example, if Alice signed into OKCupid.com (which uses Cloudflare), Bob can see Alice’s password, her private messages, her full profile, and her credit card number by exploiting a Cloudflare bug triggered by a specially-crafted HTML page. This bug affects every site that uses Cloudflare, which number in the millions.
The fundamental problem is that Cloudflare is a trusted middleman between the site and the user. In most configurations, Cloudflare is the TLS endpoint for the site (TLS provides communications security over the Internet using cryptography). What this means is that when you log into a site behind Cloudflare via HTTPS, you’re really connecting to a Cloudflare proxy via HTTPS. The proxy then connects to the back-end site via a separate HTTPS connection. In other words, by using Cloudflare, the site allows it to sit as a man-in-the-middle on all of its users’ connections without their knowledge.
This is obviously a huge breach of trust. When you sign into your favorite sites, you rightfully expect that only you and the site ever see your usernames, passwords, credit card numbers, and so on. But Cloudflare also sees this data, and due to this bug, so does everyone else.
How Blockstack Would Have Prevented This
Blockstack apps have no trusted middlemen. The design simply does not admit them into the trusted computing base. It does so in three ways:
- Your authentication credentials never leave your computer. There are no passwords in Blockstack; you sign into apps with Blockstack using a private key known only to you. Since you never send your password to the app, there’s nothing to compromise.
- Blockstack enforces the Trust-to-Trust Principle. The only trust link Blockstack allows is between you and the application developer’s code. It doesn’t matter where the application’s code is hosted, where your data is hosted, what underlying network you use, and which CDNs are involved in your connection; all these are outside the trusted zone. If an app wants to do something potentially evil like send funds from your Blockstack wallet or transfer your names, the only way for it to do so is to ask for your explicit permission using your locally-running Blockstack node. Since only your local node can spend your money or modify your identity, there’s nothing a leaky middleman can do to hurt you.
- Your data is signed and encrypted end-to-end. With Blockstack, your application-specific data is signed with your private key, and encrypted before it leaves your device. You choose who may decrypt it. Your storage providers (and leaky CDNs) will only see ciphertext, so there’s no security lost by using them.
The Way Forward
If you used any of the Cloudflare-affected sites, you should rotate your passwords and other sensitive information. In the future, we should design our applications to use CDNs for availability, but not correctness. Blockstack applications can still use CDNs to accelerate data delivery, but the CDN would only see ciphertext. Blockstack app developers cannot betray your trust by using a man-in-the-middle, since by design you don’t trust any devices that you don’t own.