didn't mean to dodge so much as try to diplomatically say that I agree that there are some limitations to the value prop around the browser/cookie protections, but that there are other use cases, like SSO and native OAuth/API, that can benefit
-
That feels like claiming we don't need 2-factor auth as long as we keep our passwords safe
-
I'm not discussing this topic any more to protect my own sanity, I've discovered that people defend token binding with religious fervour. I understand all the arguments, and agree with the decision to remove it.
-
Is it fair to say that I can see why someone might feel that way without necessarily feeling that way myself? :)
-
Yes, although I think you should be clearer when people ask what it prevents that it doesn't *prevent* any attack, it just changes how to exploit them. You named some complicated attacks where I had to think about the TB impact, like "subdomain takeover" and "oauth api replay"