The concern is that someone could drag signature.png onto a form to authorize it. This is not a coherent threat model for a few reasons.
The biggest is that wet-ink is not authenticatable at all, and exists solely as a proof-of-work... work that literally a 1st grader can do.
I think the value is "Much less than you'd naively expect." (If you can prove a browser is a named person OTOH "billions.")
Can you elaborate on the distinction and how authorization ought to be specified and granted elsewhere?
In that example I think of the signature as authorization and the passport as authentication.