Sharing credentials is a 101-level fail...
Replying to @RichFelker @__b_c
So subdomain takeover looks like the big one, and whether the tradeoffs of token binding are worth it seems to depend on how hard it is to fix poorly scoped cookies.
Replying to @RichFelker
there are, of course, all kinds of protections available to prevent cookie theft. Token binding is unique in that it can prevent use after theft rather than trying to stop the theft itself. Both have value. Defence in depth etc. Token Binding also ...
Replying to @__b_c @RichFelker
... can apply to things like OAuth and SSO tokens, which don't necessarily have the same characteristics as cookies. The browser case is maybe less compelling b/c of other cookie protections. But it's still useful IMHO. And, for better or worse, ...
Replying to @__b_c @RichFelker
adoption and deployment at large likely hinges on the browser supporting it
Replying to @__b_c @RichFelker
But you dodged Rich's main point, it has to be an attack that can't just be exploited using the same vector you used to get the cookie, right? Subdomain takeover is the first example I've heard that works, but that's pretty niche, you have to admit?
Replying to @taviso @RichFelker
Didn't mean to dodge so much as try to diplomatically say that I agree that there are some limitations to the value prop around the browser/cookie protections, but that there are other use cases, like SSO and native OAuth/API, that can benefit
and that even when there are other attack vectors, I believe there's still value in enabling a cookie to be bound to a client generated asymmetric key because it does prevent the cookie from being used successfully in a different context without also getting the key
Replying to @__b_c @RichFelker
Sure, it can (depending on whether it's backed by hardware) prevent the cookie from being used on another machine... but what attack are you imagining that can't be executed from the compromised machine instead? This is my main sticking point.
Replying to @taviso @RichFelker
Stealing a cookie from a workstation left unlocked for a couple of minutes while someone gets coffee
Why wouldn't you just install malware? Then you can use the cookie as much as you like. I really feel like there is no good answer to this. The httponly comparison is the best argument I've heard, and it's not super convincing.
Replying to @taviso @RichFelker
To me, installing malware is a higher bar than stealing a cookie. More premeditated than opportunistic. But maybe that's naive
Replying to @__b_c @RichFelker
Why couldn't I just download meterpreter or whatever, run it and walk away? That kinda seems easier than "steal cookies". What's the process you're thinking of that doesn't require any code? Log in to Dropbox, navigate to %USERPROFILE%, upload cookies.db?