
Re: [webauthn] Relying Party Session

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 12 Nov 2018 14:45:42 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-437907178-1542033940-sysbot+gh@w3.org>
> Therefore a MitB could intercept a valid response of an authentication and send it in an own connection to the given route in order to impersonate the user.

Yes, I guess so. The MitB attacker can't tamper with any of the signed data, but it can indeed steal the `AuthenticatorAssertionResponse` and use it to log in from a different machine - *unless* Token Binding is in use, I think. But then again, it might not be necessary for the MitB to move to a different machine to carry out their attack.

WebAuthn doesn't try very hard to defend against MitB attacks, since a successful MitB attacker could cause all kinds of havoc anyway (say, present one thing to the user while something else is actually being signed). The [`txAuthSimple`][ext-sim] and [`txAuthGeneric`][ext-gen] extensions provide some possible mitigations against that kind of attack.

[ext-sim]: https://w3c.github.io/webauthn/#sctn-simple-txauth-extension
[ext-gen]: https://w3c.github.io/webauthn/#sctn-generic-txauth-extension

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1111#issuecomment-437907178 using your GitHub account
Received on Monday, 12 November 2018 14:45:43 UTC
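An added example, not part of the comment above or of the WebAuthn spec: the relying-party-side checks that limit exactly the replay discussed here, a single-use challenge so a stolen `AuthenticatorAssertionResponse` cannot be submitted twice, and a comparison of the `tokenBinding.id` in clientDataJSON against the TLS token binding ID of the connection the response arrived on. The `RelyingParty` class, the origin and the token binding IDs are constructed for illustration; verifying the assertion signature with the credential public key is the caller's next step and is not shown.

```python
import base64, hashlib, json, secrets
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class RelyingParty:
    """Hypothetical RP bookkeeping for WebAuthn assertions (constructed example)."""
    def __init__(self, origin: str):
        self.origin = origin
        self.pending = set()  # challenges issued but not yet consumed

    def begin_assertion(self) -> str:
        challenge = b64url(secrets.token_bytes(32))
        self.pending.add(challenge)
        return challenge

    def finish_assertion(self, client_data_json: bytes, authenticator_data: bytes,
                         connection_tb_id: Optional[str]) -> bytes:
        """Validate clientDataJSON; return the bytes whose signature must then be
        checked (authenticatorData || SHA-256(clientDataJSON)). Raises ValueError."""
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            raise ValueError("not an assertion")
        # Single-use challenge: a replayed response hits a consumed challenge and is
        # rejected even though its signature is still valid (MitB cannot alter it).
        if cd.get("challenge") not in self.pending:
            raise ValueError("unknown or already-used challenge")
        self.pending.discard(cd["challenge"])
        if cd.get("origin") != self.origin:
            raise ValueError("origin mismatch")
        tb = cd.get("tokenBinding")
        if tb and tb.get("status") == "present" and tb.get("id") != connection_tb_id:
            # Token Binding ties the assertion to the TLS connection it was made on;
            # a response moved to another machine arrives on a different binding.
            raise ValueError("token binding id mismatch")
        return authenticator_data + hashlib.sha256(client_data_json).digest()

def replay_demo() -> dict:
    """Constructed scenario: one honest login, then the same response replayed,
    then a fresh response presented over a connection with a different binding."""
    rp = RelyingParty("https://rp.example")
    auth_data = bytes(37)  # placeholder authenticatorData; real value is 37+ bytes
    def client_data(ch, tb_id):
        return json.dumps({"type": "webauthn.get", "challenge": ch, "origin": rp.origin,
                           "tokenBinding": {"status": "present", "id": tb_id}}).encode()
    def attempt(cdj, tb_id):
        try:
            return rp.finish_assertion(cdj, auth_data, tb_id) is not None
        except ValueError as e:
            return str(e)
    cdj = client_data(rp.begin_assertion(), "tb-user-laptop")
    first = attempt(cdj, "tb-user-laptop")
    replay = attempt(cdj, "tb-user-laptop")
    moved = attempt(client_data(rp.begin_assertion(), "tb-user-laptop"), "tb-attacker-box")
    return {"first": first, "replay": replay, "moved": moved}
```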
