
Re: Man-in-the-middle attack against WebAuthn by a powerful attacker

From: David Waite <dwaite@pingidentity.com>
Date: Thu, 21 Feb 2019 22:05:20 -0700
Message-ID: <CA+3kW=bmqWb=CLZ-fsj1FqBm0jj8AJfrNatxzL-3yM06KFc7kw@mail.gmail.com>
To: Mart Sõmermaa <mart.somermaa@gmail.com>
Cc: public-webauthn@w3.org
This attack would imply at least partial control of networking
infrastructure (client routing or RP DNS) and of a legitimate CA, meaning
it is either an enterprise policy, an attack based on enterprise policy, or
a state-actor attack.

Typically I would expect this to be solved by some form of certificate
transparency or certificate pinning:
- `HPKP` was a previous solution for this, but was unfortunately abusable
and will never see wide adoption
- Certificate Transparency (and the `Expect-CT` header) allow a site to opt
into certificate transparency for browsers that support it
- Including the TLS thumbprint of the TLS Certificate in `clientDataJSON`
(when token binding is not supported) would allow the RP infrastructure to
validate against a whitelist of TLS certificates.

On Thu, Feb 21, 2019 at 2:29 PM Mart Sõmermaa <mart.somermaa@gmail.com>

> Hello!
> Have you considered that origin validation is not a sufficient
> countermeasure against man-in-the-middle attacks in case of a powerful
> attacker who controls responses to user's DNS requests and has a valid
> certificate that is trusted by the user's browser for the target host?
> Full details of the attack here:
> https://gitlab.com/mrts/webauthn-additions/wikis/Man-in-the-middle-attack-against-WebAuthn-by-a-powerful-attacker
> I have a proposal how to mitigate this, but I would like to hear
> your thoughts regarding this first.
> Thanks in advance for looking into this,
> Mart Sõmermaa

David Waite
Principal Technical Architect, CTO Office
w: 303 468 2855

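The third mitigation in David's reply (carrying the TLS certificate thumbprint in `clientDataJSON` so the RP can check it against an allowlist of its own certificates) is sketched below as an added example; it is not code from the original thread, from the WebAuthn specification, or from either author. The field name `tlsCertThumbprint`, the origin `https://rp.example`, and the certificate DER bytes are all constructed for the example; no such field exists in the spec. The example also shows why the origin check alone passes in the scenario Mart describes: the attacker serves the genuine origin behind a CA-trusted certificate, so only the thumbprint comparison distinguishes the two cases.

```python
import base64
import hashlib
import json

# Constructed sample: these byte strings stand in for DER-encoded certificates.
RP_CERT_DER = b"constructed DER of the legitimate RP certificate"
MITM_CERT_DER = b"constructed DER of an attacker's CA-issued certificate"


def thumbprint(cert_der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


# The RP's allowlist of thumbprints of its own TLS leaf certificates (constructed).
ALLOWED_THUMBPRINTS = {thumbprint(RP_CERT_DER)}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(data: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the encoding strips."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(challenge: bytes, origin: str, cert_der: bytes) -> str:
    """Build clientDataJSON as an honest client would, including the
    hypothetical tlsCertThumbprint field for the connection it actually used."""
    body = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "tlsCertThumbprint": thumbprint(cert_der),  # hypothetical, not in the spec
    }
    return b64url_encode(json.dumps(body).encode("utf-8"))


def validate_client_data(client_data_b64: str, expected_challenge: bytes,
                         expected_origin: str, allowed: set) -> tuple:
    """RP-side verification of clientDataJSON. Returns (ok, reason)."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "clientDataJSON is not valid base64url JSON"
    if data.get("type") != "webauthn.get":
        return False, "unexpected type"
    if data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch"
    # In the MITM scenario this check still passes: the attacker terminates
    # TLS for the genuine origin with a certificate the browser trusts.
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"
    tp = data.get("tlsCertThumbprint")
    if tp is None:
        return False, "tlsCertThumbprint absent (client does not support it)"
    if tp not in allowed:
        return False, "TLS certificate not in RP allowlist"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; real challenges are random per ceremony
    for label, cert in (("direct", RP_CERT_DER), ("via interceptor", MITM_CERT_DER)):
        cd = make_client_data(challenge, "https://rp.example", cert)
        print(label, validate_client_data(cd, challenge, "https://rp.example",
                                          ALLOWED_THUMBPRINTS))
```

The thumbprint is self-reported by the client, so the check only helps when the client is honest and merely misrouted, which is exactly the case in the attack under discussion; it does nothing against a compromised client. When the client omits the field, the RP has to decide whether to fall back to the origin check or refuse, and the example refuses.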
Received on Friday, 22 February 2019 05:06:29 UTC
