Cloudflare tries to secure the internet, blocks users instead

Some public WiFi networks inaccessible after move to tighten security of 1.1.1.1

Cloudflare’s domain name system (DNS) service 1.1.1.1 was launched earlier this year, and has since climbed to be a competitive alternative to prominent public resolver offerings, such as Google’s 8.8.8.8.

But recent moves to improve the security of the service’s landing page has caused some noise on social media, and left some without access to the internet.

“This is outright malicious,” Ben Cox, a former Cloudflare system engineer, wrote last week on Twitter.

“Bricking devices is not ok.”

Cox, who declined to speak to The Daily Swig, was likely trying to connect to a public WiFi network using a modern browser – a routine action for anyone that’s logged onto the internet from their local coffee shop, or hotel foyer.

The WiFi that Cox, or any other blocked user for that matter, was trying to connect to was using the IP address 1.1.1.1 for its captive portal – the pop-up screen that asks you to agree to terms and conditions before providing its internet access.

While many networks were using this incorrect configuration, including devices from network provider Cisco, it wasn’t until Cloudflare took public ownership of the string of numbers that problems began.

“It wasn’t like Google was using 1.1.1.1 as their website,” John Graham-Cumming, Cloudflare CTO, told The Daily Swig. “So people got away with it, even though it’s not actually a private address. It is one that can be used publicly, as we are doing.”

The serious issues began when Cloudflare moved to improve the security of their service.

“One interesting issue with web browsers is that when you type in the name of a website, google.com or 1.1.1.1, they don’t necessarily know whether to make a secure connection or an insecure connection if it’s going to a website that it’s never been to before,” said Graham-Cumming.

“Cloudflare has a very strong privacy and security stance and so we only serve that website [1.1.1.1] over HTTPS. So only over a secure connection.”

HSTS, or HTTP Strict Transport Security, is a technology that helps ensure users are visiting secure websites by automatically redirecting them to encrypted protocols like HTTPS.

Chrome, and others, have created a preload list that lets browsers know which websites should only be accessed over an encrypted channel – Cloudflare added 1.1.1.1 to the list.

“So if the browser thinks that 1.1.1.1 is always secure, and you happen to be connecting to a network that has snatched 1.1.1.1 for itself, you might have a problem,” said Graham-Cumming, explaining how a user wouldn’t be able to connect securely and thus incapable of arriving at the 1.1.1.1 site.

“Where this really creates a problem is if they decide to use 1.1.1.1 as the pop-up screen that tells you to agree to the terms to get access to the portal. Then they won’t be able to log on.”

Complaints followed as users like Cox were no longer able to connect to public WiFi, causing Google to subsequently withdrawal 1.1.1.1 from its HTTPS preloading list.

“We’ll resubmit in the future when we think it’s safe to do so,” said Graham-Cumming. “We don’t want to break other people’s coffee shop experiences, and you can still go to 1.1.1.1, you just don’t get this extra layer of safety that you only ever go their securely.

“I’d imagine that people will start realizing that they can use a different address and that they just have to update their software.

“Ultimately, we’re just trying to make sure that the web goes secure all around.”

Graham-Cumming added that next month, Chrome will begin flagging insecure websites – those which do not support HTTPS.