Do you think you can safely inject a DLL and hook Chrome? I don't think you can, it's really hard. I think you probably can set up a corporate CA. I don't think you should, but if I have to pick one - I pick the latter.
Under what circumstances could it possibly *not* be interacting them? The only possible case is an untrustworthy Administrator (Token Binding doesn't help) or Compromised endpoint (Token Binding doesn't help). Agree?
Non-corp scenario: BGP hijack of target website allows rogue MITM to get proper publicly trusted cert for XYZ. Rogue MITM MITMs the U2F auth, speaking as client to real server and as server to real client. The MITM is able to authenticate. Token Binding would stop this.
So there it is, an attack scenario that Token Binding would mitigate that requires neither endpoint nor website compromise, only a MITM with significant network layer capabilities (which have been previously demonstrated).
It doesn't give you proof of no MITM. It can let you prove that some MITM schemes are in play on a given session.