How does this work against U2F security keys?
So in theory Gmail or Facebook could turn this on and protect users with security keys against the scenario outlined here, without requiring any changes on the user side.
-
Maybe an oversimplification to say "turn this on", but ultimately, yes, I believe building and deploying that technology could make it possible for U2F to remain resilient to active MITM with valid certs. Whether user-side changes are required would depend on browser support.
-
Yes, overall this is a significant gap that will need to be closed if U2F is to be resilient to active MITM. As you note, in practice, no one has been using ChannelID.