Rich... come on 
Describe how U2F MITM today would work without Administrator access or compromised endpoint. Now either of those things is enough to defeat Token Binding, so what did you solve? Nothing.
Admin access to install corporate CA for the target origin. U2F MITM would work. If, however, the server side is able to insist on token binding, a whole extra level of serious patching would be required to MITM. Shifts more control of MITM acceptability policy to server side.
So we're in agreement that there is no attack that Token Binding prevents? I get that you (correctly) say if we ship DRM & Token Binding, MITM will be harder (but not impossible). Still can do key logging, screen sharing, remote desktop and type in console, etc.