Coffee-shop MITM is precluded by a proper implementation of HTTPS by the browser. You don't need another browser feature to deal with it.
The right solution is to not use wildcard-scoped cookies and instead do SSO-like cross-subdomain auth only in one direction. But this is heavy retrofitting. I think the idea is that token binding provides a lazy fix...
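The cross-subdomain problem the tweet refers to, as an added example that is not part of the original thread: a toy cookie jar that re-implements the RFC 6265 domain-match and acceptance rules (public-suffix checks and the HTTPS-only delivery of Secure cookies are omitted) and replays what a sibling subdomain can do with a `Domain=example.com` cookie versus a host-only `__Host-` cookie. All hostnames and cookie values are made up.

```python
"""Why wildcard-scoped (Domain=) cookies leak across subdomains and can be tossed.

Added example, not code from the original thread. Hostnames and values are
constructed for illustration. Public-suffix rules and the HTTPS requirement
for Secure cookies are deliberately left out to keep the jar small.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # canonical (lower-case, no leading dot) domain
    host_only: bool   # True when the Set-Cookie carried no Domain attribute
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or host ends with '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def set_cookie(jar: List[Cookie], request_host: str, name: str, value: str,
               domain: Optional[str] = None, secure: bool = False) -> bool:
    """RFC 6265 section 5.3 acceptance rules; returns False when the cookie is refused."""
    request_host = request_host.lower()
    if domain is not None:
        domain = domain.lower().lstrip(".")
        # A host may only scope a cookie to itself or to a parent domain it sits under.
        if not domain_matches(request_host, domain):
            return False
        # __Host- prefix (RFC 6265bis): must be host-only, so any Domain attribute is refused.
        if name.startswith("__Host-"):
            return False
        cookie = Cookie(name, value, domain, host_only=False, secure=secure)
    else:
        if name.startswith("__Host-") and not secure:
            return False
        cookie = Cookie(name, value, request_host, host_only=True, secure=secure)
    # A cookie with the same (name, domain) replaces the stored one, whoever set it.
    jar[:] = [c for c in jar if not (c.name == cookie.name and c.domain == cookie.domain)]
    jar.append(cookie)
    return True


def cookies_for(jar: List[Cookie], request_host: str) -> Dict[str, str]:
    """RFC 6265 section 5.4: host-only cookies need an exact host, others domain-match."""
    request_host = request_host.lower()
    sent: Dict[str, str] = {}
    for c in jar:
        if c.host_only:
            if c.domain == request_host:
                sent[c.name] = c.value
        elif domain_matches(request_host, c.domain):
            sent[c.name] = c.value
    return sent


def demo() -> Dict[str, object]:
    jar: List[Cookie] = []
    # The app at www.example.com sets a wildcard-scoped session (the weak setting) ...
    set_cookie(jar, "www.example.com", "session", "s3cr3t", domain="example.com", secure=True)
    # ... and a host-only __Host- session (the setting that does not cross subdomains).
    set_cookie(jar, "www.example.com", "__Host-session", "s3cr3t", secure=True)

    # Whatever runs on a sibling subdomain (tenant, XSS, compromised host) receives:
    leaked = cookies_for(jar, "attacker.example.com")

    # Cookie tossing: the sibling plants its own Domain=example.com "session", which
    # shadows the app's cookie on the next request to www.example.com.
    toss_accepted = set_cookie(jar, "attacker.example.com", "session",
                               "attacker-chosen", domain="example.com")
    # The same trick against the __Host- cookie is refused outright.
    toss_host_accepted = set_cookie(jar, "attacker.example.com", "__Host-session",
                                    "x", domain="example.com", secure=True)

    return {
        "leaked_to_sibling": leaked,
        "toss_accepted": toss_accepted,
        "toss_host_prefixed_accepted": toss_host_accepted,
        "seen_by_app": cookies_for(jar, "www.example.com"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running it shows the wildcard `session` cookie arriving at `attacker.example.com` and later being replaced by the attacker's value as seen from `www.example.com`, while the `__Host-session` cookie is neither leaked nor overridable. That is the property a per-subdomain, one-directional SSO hand-off preserves and a shared `Domain=` cookie gives up.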
But my impression is that token binding is more about building/fitting into a Windows-AD-like ecosystem and being a nuisance against exercising control over your own auth tokens than about improving security.