- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 07 May 2019 11:51:45 +0000
- To: public-webauthn@w3.org
> Assume that there is a web page hosted at 127.0.0.1 and it serves up a self-signed cert with foo.google.com. I assume the effective domain will be google.com, [...]
>
> Now assume that the authenticator [...] has already created a credential for google.com [...] the rpid argument for this example will be google.com (even though the webpage was served up from the loopback address) [...]

Allowing the effective domain to be faked like that sounds very dangerous to me. Less so if it only applies to 127.0.0.1 as a special case, but I imagine it still wouldn't be terribly difficult to turn that into a practical attack bypassing WebAuthn's phishing protection.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1204#issuecomment-490047175 using your GitHub account
Received on Tuesday, 7 May 2019 11:51:47 UTC
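The discussion above turns on how the RP ID is bound to the origin a credential is used from. As an added illustration that is not part of the mailing-list message or of the WebAuthn specification text, the following Python sketch shows the two checks a relying-party server performs on an assertion so that a credential scoped to one RP ID cannot be exercised from an unrelated origin: the `origin` in clientDataJSON must be on the server's allow-list and its host must legitimately fall under the expected RP ID, and the `rpIdHash` at the start of authenticatorData must equal SHA-256 of that RP ID. The sample clientDataJSON and authenticatorData values are constructed here, the function names (`verify_binding`, `rp_id_matches_host`, `make_auth_data`) are this example's own, and the suffix rule is a simplified model without a public-suffix list.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID, as carried in the first 32 bytes of authenticatorData."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def rp_id_matches_host(rp_id: str, host: str) -> bool:
    """Simplified model of the client-side rule: the RP ID must equal the origin's
    host or be a registrable suffix of it. IP literals (e.g. 127.0.0.1, ::1)
    are never a valid host for a domain-scoped RP ID. Assumption: a single-label
    RP ID such as "com" is treated as a public suffix and rejected."""
    host = host.lower().rstrip(".")
    rp_id = rp_id.lower().rstrip(".")
    if not rp_id or not host:
        return False
    if ":" in host or host.replace(".", "").isdigit():
        return False  # IPv6 or IPv4 literal
    if rp_id == host:
        return True
    if "." not in rp_id:
        return False
    return host.endswith("." + rp_id)


def verify_binding(expected_rp_id, allowed_origins, client_data_json, authenticator_data):
    """Return (ok, reason). Checks origin allow-list, RP ID / host relationship,
    and the rpIdHash in authenticatorData. Challenge and signature checks are
    out of scope for this example."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin not allowed: {origin!r}"
    host = urlsplit(origin).hostname or ""
    if not rp_id_matches_host(expected_rp_id, host):
        return False, f"RP ID {expected_rp_id!r} is not valid for host {host!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(authenticator_data[:32], rp_id_hash(expected_rp_id)):
        return False, "rpIdHash does not match expected RP ID"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 0) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || 32-bit signCount."""
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")


def client_data(origin: str) -> str:
    """Constructed clientDataJSON with a placeholder challenge."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": "constructed-challenge",
                       "origin": origin})


if __name__ == "__main__":
    allowed = {"https://login.example.com"}
    print(verify_binding("example.com", allowed,
                         client_data("https://login.example.com"),
                         make_auth_data("example.com")))
    # A loopback origin is rejected even if an operator mistakenly allow-lists it.
    print(verify_binding("example.com", allowed | {"https://127.0.0.1"},
                         client_data("https://127.0.0.1"),
                         make_auth_data("example.com")))
```

The second and third checks are independent on purpose: the origin check catches a client that presents the wrong origin, while the rpIdHash check catches an authenticator response that was produced for a different RP ID, so a server should perform both rather than trusting either field alone.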