Sure, it can (depending on whether it's backed by hardware) prevent a cookie from being used on another machine... but what attack are you imagining that can't be executed from the compromised machine instead? This is my main sticking point.
Replying to @taviso @RichFelker
stealing cookie from a workstation left unlocked for a couple minutes while someone gets coffee
Replying to @__b_c @RichFelker
Why wouldn't you just install malware? Then you can use the cookie as much as you like. I really feel like there is no good answer to this. The httponly comparison is the best argument I've heard, and it's not super convincing.
Replying to @taviso @RichFelker
to me installing malware is a higher bar than stealing a cookie. more premeditated than opportunistic. but maybe that's naive
Replying to @__b_c @RichFelker
Why couldn't I just download meterpreter or whatever, run it and walk away? That kinda seems easier than "steal cookies", what's the process you're thinking of that doesn't require any code? Login to dropbox, navigate to %USERPROFILE%, upload cookies.db?
Replying to @taviso @RichFelker
I'm thinking of just viewing the cookie in the browser prefs
Replying to @__b_c @RichFelker
And memorizing it...? You have to save it somewhere, otherwise you're stuck transcribing it so you can use it - that's a lot of work. Is your argument that attacker will say "darn, token binding, I'll give up" instead of slightly different attack with same impact?
Replying to @taviso @RichFelker
only that it wouldn't work when they attempted to use it later
Replying to @__b_c @RichFelker
I think I understand all the arguments now, I think Token Binding is a solution looking for a problem! Hopefully you can see why someone might feel that way
Replying to @taviso @RichFelker
Is it fair to say that I can see why someone might feel that way without necessarily feeling that way myself? :)
Yes, although I think you should be clearer when people ask what it prevents that it doesn't *prevent* any attack, it just changes how to exploit them. You named some complicated attacks I had to think about TB impact, like "subdomain takeover" and "oauth api replay" 
Replying to @taviso @RichFelker
Fair enough. Although I maintain that OAuth cross api replay would be actually prevented. But it's not directly browser dependent. Only indirectly dependent on browser support b/c TB will likely not see any meaningful adoption without browser support.
And with that, I'm going to consider it a personal success that *The* Tavis Ormandy “had to think about” anything I said. :)
15 more replies