Re: [webauthn] Why does WebAuthn require a challenge when asking the client to register a new credential? (#1355)

@nickmooney do you know which controls fail outside of TLS? I'm aware that it is possible for a man in the middle to execute a replay attack by fooling a user or a user's browser to retry a request. The man in the middle can do that by sending a TCP reset back to the client and by still sending the original request through. Thus, (and I'm still guessing here) the following situation could be possible without the challenge:

1. A user tries registering a new credential.
2. That request is held by a man in the middle and a TCP reset is sent to the user's browser.
3. The user's browser retries the request and successfully registers the new credential.
4. Within a short period of time, the user decides to deregister their credential.
5. Again within a short period of time, the man in the middle releases the original request to the server, and thus the credential is re-registered without the user's knowledge.
6. Sometime later, the man in the middle steals the user's FIDO2 authenticator.
7. The man in the middle can now pose as the user.

Am I on the right track here?

-- 
GitHub Notification of comment by johnnyodonnell
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1355#issuecomment-566800336 using your GitHub account

Received on Tuesday, 17 December 2019 23:46:45 UTC
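As an added illustration of the mechanism the question is about (not code from the WebAuthn specification, the w3c/webauthn project, or the comment's author), the toy relying party below issues a random, single-use, time-limited challenge for each registration ceremony and checks it when the registration response arrives. It models the scenario from the comment: the browser's retried request completes first, the user deregisters the credential, and the held copy of the original request is released later. Because the challenge was consumed by the first completion, the replayed copy is rejected. The class and function names, the origin `https://example.test`, the 120-second lifetime, and the constructed `clientDataJSON` payload are all assumptions; attestation verification and the other steps of a real registration ceremony are omitted.

```python
import base64
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

CHALLENGE_TTL_SECONDS = 120          # assumed lifetime of an issued challenge
RP_ORIGIN = "https://example.test"   # assumed relying-party origin


def b64url(raw: bytes) -> str:
    """base64url without padding, the encoding clientDataJSON uses for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


@dataclass
class RelyingParty:
    """Toy relying party (hypothetical): outstanding challenges plus registered credentials."""
    clock: Callable[[], float] = time.time
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)   # user -> (challenge, issued_at)
    credentials: Dict[str, Set[str]] = field(default_factory=dict)        # user -> credential ids

    def begin_registration(self, user_id: str) -> str:
        """Issue a fresh random challenge; any earlier outstanding challenge is replaced."""
        challenge = b64url(secrets.token_bytes(32))
        self.pending[user_id] = (challenge, self.clock())
        return challenge

    def finish_registration(self, user_id: str, credential_id: str, client_data_json: bytes) -> str:
        """Validate the response against the outstanding challenge; returns 'registered' or a reason."""
        # The challenge is single use: remove it before checking anything else, so a second
        # response for the same ceremony (a replay) finds nothing to match against.
        pending = self.pending.pop(user_id, None)
        if pending is None:
            return "rejected: no outstanding challenge (stale or replayed response)"
        challenge, issued_at = pending
        if self.clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return "rejected: challenge expired"
        client_data = json.loads(client_data_json)
        if client_data.get("type") != "webauthn.create":
            return "rejected: wrong ceremony type"
        if client_data.get("origin") != RP_ORIGIN:
            return "rejected: origin mismatch"
        if not secrets.compare_digest(str(client_data.get("challenge", "")), challenge):
            return "rejected: challenge mismatch"
        self.credentials.setdefault(user_id, set()).add(credential_id)
        return "registered"

    def deregister(self, user_id: str, credential_id: str) -> None:
        self.credentials.get(user_id, set()).discard(credential_id)


def make_client_data(challenge: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser would produce for this ceremony."""
    return json.dumps({"type": "webauthn.create", "challenge": challenge, "origin": RP_ORIGIN}).encode()


def simulate_replay(rp: RelyingParty = None) -> dict:
    """Run the held-and-replayed registration scenario and report what the server decided."""
    rp = rp or RelyingParty()
    user, cred = "alice", "cred-1"
    challenge = rp.begin_registration(user)
    client_data = make_client_data(challenge)
    first = rp.finish_registration(user, cred, client_data)    # the browser's retry lands first
    rp.deregister(user, cred)                                  # user removes the credential
    replay = rp.finish_registration(user, cred, client_data)   # the held original is released
    return {
        "first": first,
        "replay": replay,
        "still_registered": cred in rp.credentials.get(user, set()),
    }


if __name__ == "__main__":
    for key, value in simulate_replay().items():
        print(f"{key}: {value}")
```

The same check also covers the simpler case where a response arrives after the challenge's lifetime: with an injectable clock, the expiry branch can be exercised without waiting. Rejecting on the first failed check, after the challenge has already been consumed, keeps each issued challenge good for exactly one attempt.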