A request presents a Web Bot Auth (RFC 9421) signature that fails Ed25519 verification

net.web_bot_auth_invalid  ·  convicts

networklayer
coherencecategory
1evaders caught

What it catches

Web Bot Auth (IETF draft-meunier-web-bot-auth-architecture; Cloudflare edge-live 2026-03) lets a legitimate agent (GPTBot/ClaudeBot/Operator/Perplexity/Google/CommonCrawl) cryptographically SIGN its requests via RFC 9421 HTTP Message Signatures over Ed25519 — covering @authority (+ signature-agent), tag="web-bot-auth", with created/expires and a keyid that is the RFC 7638 JWK SHA-256 thumbprint. The edge (internal/webbotauth) reconstructs the RFC 9421 signature base and verifies the Ed25519 signature against the public key the keyid resolves to. It emits network.web_bot_auth_invalid ONLY on a DEFINITIVE forgery: a signature that is PRESENT and whose keyid resolves to a key we HOLD, but that FAILS verification — a bad/tampered signature, a wrong @authority, or a replay past its expires window. This is FP-SAFE BY CONSTRUCTION and is the cryptographic analog of net.fake_declared_crawler: a real signer (which holds the private key and signs live) ALWAYS produces a valid, in-window signature for its own key, so the only thing that can fire is an impostor replaying/forging a known agent's identity. An UNKNOWN keyid is unjudgeable (the lab simply lacks that agent's directory) and NEVER convicts — only a known-key verification FAILURE does; a VALID signature instead emits network.web_bot_auth_verified, which now ALLOW-LISTS the session as Label.verified (a declared good bot, not convicted — scoring.verified_agent; sound only under signing-key secrecy, and the lab seeds the PUBLIC RFC test key so KS_WEBBOTAUTH=valid demonstrates the allow-list bypass). A real browser sends no such headers, so it can never fire. CONVICTING (coherence): the cryptographic proof contradicts the claimed agent identity. GROUNDED in-process against the draft's OWN Appendix A.2.2 Ed25519 test vector (edge webbotauth_test.go: the official signature verifies; a tampered/expired/wrong-authority one fails; an unknown key is not treated as a forgery; the RFC 7638 thumbprint matches the published keyid) and red⇄blue by the go-tls KS_WEBBOTAUTH evader (a faithful signer = verified/no-fire; a replayed stale signature = web_bot_auth_invalid). browserforge calibration carries no network layer, so promotion cannot raise its legit flag rate. Lead G25; see docs/research-radar.md. PRODUCTION wires the real fetched agent directories (each agent's /.well-known/http-message-signatures-directory JWKS); the lab seeds the RFC 9421 test key.

Signals it reads

network.web_bot_auth_invalid

How it fires

present

Evaders it caught 1

Bypassed by 10

Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.

← all detections