Man-in-the-middle attack against WebAuthn by a powerful attacker

Hello!

Have you considered that origin validation is not a sufficient
countermeasure against man-in-the-middle attacks in the case of a powerful
attacker who controls responses to the user's DNS requests and has a valid
certificate that is trusted by the user's browser for the target host?

Full details of the attack here:
https://gitlab.com/mrts/webauthn-additions/wikis/Man-in-the-middle-attack-against-WebAuthn-by-a-powerful-attacker

I have a proposal for how to mitigate this, but I would like to hear
your thoughts regarding this first.

Thanks in advance for looking into this,
Mart Sõmermaa

Received on Thursday, 21 February 2019 21:28:40 UTC