will you join me in my (probably feeble) attempt to talk the good peoples at Chrome out of removing Token Binding support? https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/OkdLUyYmY1E … it's not like the future of web security is at stake or anything... #PleaseKeepTokenBindingInChrome #TokenBinding
a subdomain takeover on a site that uses a widely scoped cookie for an authenticated session, for example, which happened to Uber last year.
cases where multiple apps/servers are authorized with the same credential/token but aren't or shouldn't be trusted not to replay the token against other services
coffee shop MITM
Coffee shop MITM is precluded by proper implementation of https by browser. Don't need another browser feature to deal with it.
Subdomain takeover is a real risk most developers and even many security reviewers aren't aware of, but if you are aware enough to try to mitigate you should properly scope cookies...
Sharing credentials is a 101-level fail...
So subdomain takeover looks like the big one, and whether the tradeoffs of token binding are worth it seems to depend on how hard it is to fix poorly scoped cookies.
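The "poorly scoped cookies" point above can be checked mechanically. The following is an added example, not code from anyone in the thread: it applies the RFC 6265 domain-match rule to show which hosts a session cookie is sent to when it carries a `Domain=` attribute versus when it is host-only. Host names and the `Set-Cookie` header are constructed for the example; public-suffix rejection (a browser refusing `Domain=com`) is deliberately not modelled.

```python
# Added example: RFC 6265 cookie scoping, to see how far a session cookie travels.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    origin_host: str              # host whose response set the cookie
    domain_attr: Optional[str]    # Domain= attribute, or None for a host-only cookie


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Extract the cookie name and Domain attribute from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip()
    return Cookie(name, origin_host, domain)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the hosts are equal, or request_host ends with '.' + cookie_domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """True if a conforming user agent would attach the cookie to a request to request_host."""
    if cookie.domain_attr is None:
        # Host-only cookie: exact match against the host that set it, nothing else.
        return request_host.lower() == cookie.origin_host.lower()
    return domain_matches(request_host, cookie.domain_attr)


def exposed_hosts(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Hosts from the candidate list that would receive this cookie."""
    return [h for h in hosts if cookie_sent_to(cookie, h)]


if __name__ == "__main__":
    # Constructed sample: an app on app.example.com sets its session cookie two ways.
    wide = parse_set_cookie("session=abc123; Domain=example.com; Secure; HttpOnly", "app.example.com")
    host_only = parse_set_cookie("session=abc123; Secure; HttpOnly", "app.example.com")
    candidates = ["app.example.com", "old-blog.example.com", "example.com", "evil-example.com"]
    print("Domain=example.com ->", exposed_hosts(wide, candidates))
    print("host-only          ->", exposed_hosts(host_only, candidates))
```

The wide cookie reaches every subdomain, including a forgotten host such as `old-blog.example.com`, which is exactly the surface a subdomain takeover abuses; the host-only cookie reaches only the host that set it. Reviewing `Set-Cookie` headers for an unnecessary `Domain=` attribute is the cheap mitigation the thread alludes to.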
there are, of course, all kinds of protections available to prevent cookie theft. Token binding is unique in that it can prevent use after theft rather than trying to stop the theft itself. Both have value. Defence in depth etc. Token Binding also ...
Token binding seems like just a nuisance when you want to "steal" your own token (e.g. use it with curl after obtaining it in the browser).
yeah, it would also break that kind of usage
by definition