Subdomain takeover is a real risk most developers and even many security reviewers aren't aware of, but if you are aware enough to try to mitigate you should properly scope cookies...
Your point is taken. But given that it's optional and only used when negotiated by both parties in the TLS handshake, it doesn't seem that invasive to me.
The argument I heard was that because this will break antivirus (I'm the last person who would complain about that), they will just start being more invasive with hooks and patching. That's a pretty convincing argument; Blue Coat aren't just going to close down the business.

I have zero influence on Chrome, but in my experience they're not afraid to shake things up for big security wins. But token binding sounds complicated, invasive, and has major cons for about the same security as HttpOnly... I'm kinda leaning towards agreeing with dropping it...