Will you join me in my (probably feeble) attempt to talk the good people at Chrome out of removing Token Binding support? https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/OkdLUyYmY1E … it's not like the future of web security is at stake or anything... #PleaseKeepTokenBindingInChrome #TokenBinding
-
-
Token binding enables cookies/tokens to be bound to a key pair generated and held by the client, and that binding prevents cookies/tokens from being used successfully if stolen.
-
But what is the likely vector for stealing the token that doesn't also give you the key?
-
A subdomain takeover on a site that uses a widely scoped cookie for an authenticated session, for example, which happened to Uber last year.
-
Cases where multiple apps/servers are authorized with the same credential/token but aren't, or shouldn't be, trusted not to replay the token against other services.
-
Coffee shop MITM.
-
Coffee shop MITM is precluded by proper implementation of HTTPS by the browser. Don't need another browser feature to deal with it.
-
Subdomain takeover is a real risk most developers and even many security reviewers aren't aware of, but if you are aware enough to try to mitigate it, you should properly scope cookies...
-
Sharing credentials is a 101-level fail...