Re: Man-in-the-middle attack against WebAuthn by a powerful attacker

On Fri, Feb 22, 2019 at 12:44 PM Mart Sõmermaa <mart.somermaa@gmail.com>
wrote:

> Thanks, that's exactly what I wanted to propose - to use the certificate
> fingerprint as an additional input in `clientDataJSON` for protection
> against man-in-the-middle attacks that the server-side application later
> verifies; this would be similar to TLS Client Certificate Authentication.
>
> The proposal is here:
>
> https://gitlab.com/mrts/webauthn-additions/wikis/Mitigation-for-man-in-the-middle-attack-against-WebAuthn-by-a-powerful-attacker
>
> Yes, this is a significant change in browsers. Do you think it is possible
> to propose this to browser working groups?
> Would there be a JavaScript API for accessing the verified certificate?
>
> In case you find the proposal valuable, how to proceed with this?
>

I believe this is https://github.com/w3c/webauthn/issues/391


Cheers

AGL

Received on Friday, 22 February 2019 22:45:40 UTC