- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 12 Nov 2018 14:45:42 +0000
- To: public-webauthn@w3.org
> Therefore a MitB could intercept a valid response of an authentication and send it in its own connection to the given route in order to impersonate the user.

Yes, I guess so. The MitB attacker can't tamper with any of the signed data, but it can indeed steal the `AuthenticatorAssertionResponse` and use it to log in from a different machine - *unless* Token Binding is in use, I think. But then again, it might not be necessary for the MitB to move to a different machine to carry out their attack.

WebAuthn doesn't try very hard to defend against MitB attacks, since a successful MitB attacker could cause all kinds of havoc anyway (say, present one thing to the user while something else is actually being signed). The [`txAuthSimple`][ext-sim] and [`txAuthGeneric`][ext-gen] extensions provide some possible mitigations against that kind of attack.

[ext-sim]: https://w3c.github.io/webauthn/#sctn-simple-txauth-extension
[ext-gen]: https://w3c.github.io/webauthn/#sctn-generic-txauth-extension

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1111#issuecomment-437907178 using your GitHub account
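The replay scenario discussed in the comment above, as an added example that is not part of the thread, the WebAuthn spec, or any project's code: a Relying Party's checks on `clientDataJSON` (type, challenge, origin, `tokenBinding`) and on the signed payload `authenticatorData || SHA-256(clientDataJSON)`. Everything here is constructed for illustration: the challenge, the Token Binding IDs, and the credential key are made-up values, and an HMAC with a shared key stands in for the authenticator's public-key signature so the example runs with only the standard library (a real RP verifies the credential's asymmetric signature instead). It shows that a stolen response is accepted on a second connection when no Token Binding is present, is rejected when the `tokenBinding.id` does not match the receiving connection, and cannot be patched to match because `clientDataJSON` is covered by the signature.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed stand-in for the credential's key pair. A real assertion is
# signed with the authenticator's private key and verified with the
# registered public key; HMAC is used here only so the example runs offline.
_STANDIN_KEY = b"constructed-example-credential-key"
RP_ID = "example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(challenge: bytes, origin: str,
                   token_binding_id: Optional[bytes]) -> dict:
    """Build what the client on ONE TLS connection would send back:
    clientDataJSON, authenticatorData and a signature over both."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge),
                   "origin": origin}
    if token_binding_id is not None:
        # Token Binding ID of the TLS connection the client used
        client_data["tokenBinding"] = {"status": "present",
                                       "id": b64url(token_binding_id)}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash || flags (UP set) || signCount
    auth_data = (hashlib.sha256(RP_ID.encode()).digest() + bytes([0x01])
                 + (1).to_bytes(4, "big"))
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(_STANDIN_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data_json,
            "authenticatorData": auth_data, "signature": signature}


def verify_assertion(response: dict, expected_challenge: bytes,
                     expected_origin: str,
                     connection_tb_id: Optional[bytes]) -> Tuple[bool, str]:
    """RP-side checks. connection_tb_id is the Token Binding ID of the TLS
    connection over which THIS response was received."""
    client_data = json.loads(response["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge"
    if client_data.get("origin") != expected_origin:
        return False, "origin"
    tb = client_data.get("tokenBinding")
    if tb is not None and tb.get("status") == "present":
        # The ID the client signed must be the one of the receiving connection
        if connection_tb_id is None or tb.get("id") != b64url(connection_tb_id):
            return False, "tokenBinding"
    auth_data = response["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash"
    if not auth_data[32] & 0x01:
        return False, "userPresent"
    signed = auth_data + hashlib.sha256(response["clientDataJSON"]).digest()
    expected_sig = hmac.new(_STANDIN_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, response["signature"]):
        return False, "signature"
    return True, "ok"


def demo() -> dict:
    """Walk through the four cases from the discussion; all values constructed."""
    challenge = b"\x01" * 32
    origin = "https://" + RP_ID
    victim_tb = b"victim-connection-tb-id"
    attacker_tb = b"attacker-connection-tb-id"
    results = {}
    # 1. No Token Binding: response replayed over another connection is accepted
    resp = make_assertion(challenge, origin, None)
    results["no_tb_replay"] = verify_assertion(resp, challenge, origin, attacker_tb)
    # 2. Token Binding present: accepted only on the connection it was bound to
    resp_tb = make_assertion(challenge, origin, victim_tb)
    results["tb_own_connection"] = verify_assertion(resp_tb, challenge, origin, victim_tb)
    results["tb_replay"] = verify_assertion(resp_tb, challenge, origin, attacker_tb)
    # 3. Rewriting tokenBinding.id to match the new connection breaks the signature
    tampered = dict(resp_tb)
    tampered["clientDataJSON"] = resp_tb["clientDataJSON"].replace(
        b64url(victim_tb).encode(), b64url(attacker_tb).encode())
    results["tb_tampered_id"] = verify_assertion(tampered, challenge, origin, attacker_tb)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'} ({reason})")
```

The Token Binding check only helps when the RP actually compares the signed `tokenBinding.id` against the ID of the TLS connection that delivered the response; an RP that parses the field but does not compare it gets no protection from it.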
Received on Monday, 12 November 2018 14:45:43 UTC