
Man-in-the-middle attack against WebAuthn by a powerful attacker

From: Mart Sõmermaa <mart.somermaa@gmail.com>
Date: Thu, 21 Feb 2019 16:11:19 +0200
Message-ID: <CAAMeKyhxpbKMs1CEwrnLusNzDvtzfHxzxNU2r+CbMCM245VPyQ@mail.gmail.com>
To: public-webauthn@w3.org

Hello!

Have you considered that origin validation is not a sufficient
countermeasure against man-in-the-middle attacks in the case of a powerful
attacker who controls responses to the user's DNS requests and has a valid
certificate that is trusted by the user's browser for the target host?

Full details of the attack here:
https://gitlab.com/mrts/webauthn-additions/wikis/Man-in-the-middle-attack-against-WebAuthn-by-a-powerful-attacker

I have a proposal for how to mitigate this, but I would like to hear
your thoughts regarding this first.

Thanks in advance for looking into this,
Mart Sõmermaa

Received on Thursday, 21 February 2019 21:28:40 UTC
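For readers who want to see concretely what the "origin validation" referred to in this message does and does not check, the following is an added example of a Relying Party's clientDataJSON verification step, written for this archive page; it is not code from the poster, the linked wiki, or any WebAuthn library. The field names `type`, `challenge` and `origin` and the type values `webauthn.create` / `webauthn.get` are from the WebAuthn specification; the helper names, the sample origins and the sample challenge bytes are constructed for illustration. The check compares the origin string that the browser recorded against the RP's expected origin and the challenge against the one the RP issued, so it rejects a response produced for a different origin, but it cannot by itself tell which server terminated the TLS connection for that origin name, which is the scenario the message raises.

```python
import base64
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes, ceremony_type: str) -> bytes:
    """Build a constructed clientDataJSON as a browser would serialise it
    (only the three fields the verifier below looks at)."""
    return json.dumps(
        {"type": ceremony_type, "challenge": b64url_encode(challenge), "origin": origin}
    ).encode("utf-8")


def verify_client_data(
    client_data_json: bytes,
    expected_type: str,
    expected_challenge: bytes,
    expected_origin: str,
) -> dict:
    """RP-side checks on clientDataJSON: type, challenge and origin.

    Returns {"ok": bool, "reason": str} so callers can log why a response
    was rejected. expected_origin must be the full origin (scheme, host,
    and port when non-default), e.g. "https://example.com".
    """
    try:
        data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"ok": False, "reason": "clientDataJSON is not valid UTF-8 JSON"}
    if not isinstance(data, dict):
        return {"ok": False, "reason": "clientDataJSON is not a JSON object"}

    if data.get("type") != expected_type:
        return {"ok": False, "reason": "type mismatch"}

    try:
        challenge = b64url_decode(str(data.get("challenge", "")))
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"ok": False, "reason": "challenge is not base64url"}
    # Constant-time comparison; the challenge must be the one this RP issued
    # for this ceremony, which defeats replay of an earlier response.
    if not hmac.compare_digest(challenge, expected_challenge):
        return {"ok": False, "reason": "challenge mismatch"}

    # Exact string comparison of the origin the browser recorded. This is the
    # "origin validation" discussed above: it catches a response generated on
    # another origin, but it only reflects the origin name the browser saw.
    if data.get("origin") != expected_origin:
        return {"ok": False, "reason": "origin mismatch"}

    return {"ok": True, "reason": "type, challenge and origin match"}


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    issued_challenge = bytes(range(32))
    genuine = make_client_data("https://rp.example", issued_challenge, "webauthn.get")
    other_origin = make_client_data("https://rp.example.net", issued_challenge, "webauthn.get")
    print(verify_client_data(genuine, "webauthn.get", issued_challenge, "https://rp.example"))
    print(verify_client_data(other_origin, "webauthn.get", issued_challenge, "https://rp.example"))
```

The RP must also verify the authenticator data (RP ID hash, flags, signature counter) and the signature over authenticatorData || SHA-256(clientDataJSON); those steps are omitted here because the message is specifically about what the origin comparison contributes.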
