That doesn't make it any less fraudulent. You could sign a release saying you don't care if I forge other people's signatures on checks I give you, but it's still fraud for me to forge those people's signatures.
Arghh! No, it can't. Token Binding *can* (depending on implementation) make sure that you're talking to the machine you think you are, but it can't promise that machine isn't compromised. There is no attack that TB prevents, it just changes how you exploit it.
Describe how U2F MITM today would work without Administrator access or compromised endpoint. Now either of those things is enough to defeat Token Binding, so what did you solve? Nothing.
Admin access to install corporate CA for the target origin. U2F MITM would work. If, however, a server-side is able to insist on token binding, a whole extra level of serious patching would be required to MITM. Shifts more control of MITM acceptability policy to server side.
