Where I think there's room for improvement is that I don't believe there's any good reason for any of Chrome's product decisions to be based on not inconveniencing that segment.
So we're in agreement that there is no attack that Token Binding prevents? I get that you (correctly) say if we ship DRM & Token Binding, MITM will be harder (but not impossible). Still can do key logging, screen sharing, remote desktop and type in console, etc.
-
-
It exposes to the server side an indication of whether or not the U2F key is directly interacting with the TLS client at the other end. That allows for the server side to make certain risk management judgements.
-
Under what circumstances could it possibly *not* be interacting them? The only possible case is an untrustworthy Administrator (Token Binding doesn't help) or Compromised endpoint (Token Binding doesn't help). Agree?
- 4 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.