That's the problem, Token Binding *doesn't* offer any security benefit *and* we think it will force people to start hooking. If there was a huge security win here, who wouldn't take that deal?
-
-
Replying to @taviso @RichFelker and
U2F can utilize token binding to ensure that the two TLS endpoints speaking to each other are the parties to the authentication process. Presently, this is a gap in U2F coverage and a party today could actually MITM a U2F authentication.
1 reply 0 retweets 0 likes -
Replying to @mdhardeman @RichFelker and
Arghh! No, it can't. Token Binding *can* (depending on implementation) make sure that you're talking to the machine you're think you are, but it can't promise that machine isn't compromised. There is no attack that TB prevents, it just changes how you exploit it.
1 reply 0 retweets 0 likes -
Replying to @taviso @mdhardeman and
Describe how U2F MITM today would work without Administrator access or compromised endpoint. Now either of those things is enough to defeat Token Binding, so what did you solve? Nothing.
1 reply 0 retweets 0 likes -
Replying to @taviso @RichFelker and
Admin access to install corporate CA for the target origin. U2F MITM would work. If, however, a server-side is able to insist on token binding, a whole extra level of serious patching would be required to MITM. Shifts more control of MITM acceptability policy to server side.
1 reply 0 retweets 0 likes -
Replying to @mdhardeman @RichFelker and
So we're in agreement that there is no attack that Token Binding prevents? I get that you (correctly) say if we ship DRM & Token Binding, MITM will be harder (but not impossible). Still can do key logging, screen sharing, remote desktop and type in console, etc.
1 reply 0 retweets 0 likes -
Replying to @taviso @RichFelker and
It exposes to the server side an indication of whether or not the U2F key is directly interacting with the TLS client at the other end. That allows for the server side to make certain risk management judgements.
1 reply 0 retweets 0 likes -
Replying to @mdhardeman @RichFelker and
Under what circumstances could it possibly *not* be interacting them? The only possible case is an untrustworthy Administrator (Token Binding doesn't help) or Compromised endpoint (Token Binding doesn't help). Agree?
2 replies 0 retweets 0 likes -
Replying to @taviso @RichFelker and
Non corp scenario: BGP hijack of target website allows rogue MITM to get proper publicly trusted cert for XYZ. Rogue MITM MITM's the U2F auth, speaking as client to real server and as server to real client. The MITM is able to authenticate. Token binding would stop this.
1 reply 0 retweets 0 likes -
Replying to @mdhardeman @taviso and
So there it is, an attack scenario that Token Binding would mitigate that neither requires endpoint nor website compromise, only a MITM with significant network layer capabilities (which have been previously demonstrated).
1 reply 0 retweets 0 likes
I think I have to mute this thread for my own sanity.
-
-
Replying to @taviso @RichFelker and
I understand an appreciate your engagement so far. I do hope you'll consider the purely technical threat model I've provided right above which requires no engagement of legal theory.
0 replies 0 retweets 0 likesThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.