Re: [webauthn] Relying Party Session

> Therefore a MitB could intercept a valid response to an authentication and send it over its own connection to the given route in order to impersonate the user.

Yes, I guess so. The MitB attacker can't tamper with any of the signed data, but it can indeed steal the `AuthenticatorAssertionResponse` and use it to log in from a different machine - *unless* Token Binding is in use, I think. But then again, it might not be necessary for the MitB to move to a different machine to carry out their attack.

WebAuthn doesn't try very hard to defend against MitB attacks, since a successful MitB attacker could cause all kinds of havoc anyway (say, present one thing to the user while something else is actually being signed). The [`txAuthSimple`][ext-sim] and [`txAuthGeneric`][ext-gen] extensions provide some possible mitigations against that kind of attack.


GitHub Notification of comment by emlun

Received on Monday, 12 November 2018 14:45:43 UTC
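The relay scenario discussed above, as an added example that is not part of the original message or of the WebAuthn specification's text. It models only the relying party's checks on `CollectedClientData` (type, challenge, origin and `tokenBinding`), which WebAuthn Level 1 requires alongside the signature check; signature verification over `authenticatorData || SHA-256(clientDataJSON)` is assumed to be done separately and to succeed, since a MitB cannot alter the signed data. The `RelyingParty` class, the session identifiers and the Token Binding ID byte strings are constructed for illustration.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as used for WebAuthn challenges and Token Binding IDs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class RelyingParty:
    """Minimal RP state: issued challenges keyed to the session they were issued for (constructed)."""

    def __init__(self, origin):
        self.origin = origin
        self.pending = {}  # challenge -> session id

    def new_challenge(self, session_id):
        challenge = b64url(secrets.token_bytes(32))
        self.pending[challenge] = session_id
        return challenge

    def verify_client_data(self, client_data_json, conn_token_binding_id):
        """Check the client data of an AuthenticatorAssertionResponse.

        conn_token_binding_id is the base64url Token Binding ID the RP observed on the
        TLS connection the response arrived over, or None if that connection used none.
        Returns (True, session_id) on success, (False, reason) otherwise.
        """
        c = json.loads(client_data_json)
        if c.get("type") != "webauthn.get":
            return False, "wrong type"
        if c.get("origin") != self.origin:
            return False, "origin mismatch"
        challenge = c.get("challenge")
        if challenge not in self.pending:
            return False, "unknown or reused challenge"
        tb = c.get("tokenBinding")
        if conn_token_binding_id is not None:
            # Token Binding was used on this TLS connection: the client data must say so,
            # and the ID it carries must be the one negotiated on *this* connection.
            if not tb or tb.get("status") != "present" or tb.get("id") != conn_token_binding_id:
                return False, "token binding mismatch"
        elif tb and tb.get("status") == "present":
            return False, "client claims Token Binding but connection has none"
        # Consume the challenge only once all checks have passed (single use).
        return True, self.pending.pop(challenge)


def build_client_data(challenge, origin, token_binding_id=None):
    """Serialise what the browser would put into clientDataJSON for a get() call."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    if token_binding_id is not None:
        client_data["tokenBinding"] = {"status": "present", "id": token_binding_id}
    return json.dumps(client_data).encode()


def client_data_hash(client_data_json):
    """The value the authenticator actually signs (together with authenticatorData)."""
    return hashlib.sha256(client_data_json).digest()


def mitb_relay(token_binding_in_use):
    """Victim's browser produces a valid response; the MitB submits it over its own connection."""
    rp = RelyingParty("https://example.com")
    challenge = rp.new_challenge("victim-session")
    # Constructed Token Binding IDs for the victim's and the attacker's TLS connections.
    victim_tb = b64url(b"victim-browser-tls-binding") if token_binding_in_use else None
    attacker_tb = b64url(b"attacker-tls-binding") if token_binding_in_use else None
    cdj = build_client_data(challenge, "https://example.com", victim_tb)
    _ = client_data_hash(cdj)  # covered by the assertion signature; unchanged by the relay
    # The MitB forwards cdj (plus authenticatorData and signature) unmodified, but from
    # its own TLS connection, so the RP sees attacker_tb rather than victim_tb.
    return rp.verify_client_data(cdj, attacker_tb)


if __name__ == "__main__":
    print("without Token Binding:", mitb_relay(False))  # relay is accepted
    print("with Token Binding:   ", mitb_relay(True))   # relay is rejected
```

The challenge and origin checks do not help here: the relayed response is the fresh one the RP asked for, so the first submission passes and it is the victim's own later submission (if any) that hits the reused-challenge branch. Only the Token Binding comparison ties the response to the victim's TLS connection. Note that mainstream browsers have since dropped Token Binding support, so an RP cannot rely on this check being available in practice.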