Re: [webauthn] Protect against TLS MiTM by including TLS cert chain in signature (#391)

(I don't even know if I can reply to this alias...)
Thanx for the info and the countermeasure proposal info but please please
pleaaaaaase tell Chrome Developers to bring Token Binding support back.

On Sat, Feb 23, 2019 at 2:05 PM Mart Sõmermaa via GitHub <sysbot+gh@w3.org>
wrote:

> Is there really a need to include the certificate chain? As far as I can
> see and as suggested in the mailing list, certificate fingerprint is
> sufficient. Here's a detailed proposal for including it in `clientDataJSON`
> with a semi-formal proof that it mitigates the attack:
>
> https://gitlab.com/mrts/webauthn-additions/wikis/Mitigation-for-man-in-the-middle-attack-against-WebAuthn-by-a-powerful-attacker
>
> And here's the successful attack scenario:
>
> https://gitlab.com/mrts/webauthn-additions/wikis/Man-in-the-middle-attack-against-WebAuthn-by-a-powerful-attacker
>
> See also discussion in the mailing list. Any feedback regarding the
> proposal would be greatly appreciated.
>
> Note that this is no longer only a theoretical issue in the light of the
> recent ICANN alert regarding attacks on the Domain Name System:
> https://www.icann.org/news/announcement-2019-02-15-en
>
> Use of Token Binding would protect the authentication flow against
> man-in-the-middle attacks. However, Token Binding is not widely supported
> by browsers, Chrome is deprecating it and proxy usage is problematic; the
> server application can see if token binding is missing but it is not
> obvious if that is malicious or a proxy has stripped it off. So as of now,
> two years later, there is no protection against this attack by browsers and
> nothing concrete is on the horizon (please correct me if I'm wrong).
>
> What was the rationale of closing this during the weekly call?
>
> --
> GitHub Notification of comment by mrts
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/391#issuecomment-466646815 using
> your GitHub account
>

Received on Sunday, 24 February 2019 01:34:26 UTC
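The check that the quoted proposal describes, modelled as an added example (not code from the thread, the linked wiki, or the WebAuthn spec): the browser puts the SHA-256 fingerprint of the TLS certificate it actually negotiated into clientDataJSON, and the relying party compares it with its own certificate. The field name `tlsCertFingerprint`, the `webauthn.get` sample values and the DER byte strings are constructed placeholders; the authenticator signature over SHA-256(clientDataJSON) is assumed to have been verified by the caller.

```python
import hashlib
import hmac
import json

# Constructed stand-in DER bytes; not real certificates.
RP_CERT_DER = b"constructed-der-bytes-for-the-relying-party-certificate"
MITM_CERT_DER = b"constructed-der-bytes-for-an-interposed-proxy-certificate"

FINGERPRINT_FIELD = "tlsCertFingerprint"  # hypothetical field name, assumption


def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def build_client_data(challenge: str, origin: str, server_cert_der: bytes) -> bytes:
    """Browser side: clientDataJSON extended with the fingerprint of the TLS
    certificate the browser really connected through.  Because the
    authenticator signs SHA-256(clientDataJSON), a proxy in the path cannot
    rewrite this field without invalidating the signature."""
    data = {
        "type": "webauthn.get",
        "challenge": challenge,
        "origin": origin,
        FINGERPRINT_FIELD: cert_fingerprint(server_cert_der),
    }
    return json.dumps(data, separators=(",", ":")).encode()


def rp_verify_client_data(client_data_json: bytes, expected_challenge: str,
                          expected_origin: str, rp_cert_der: bytes) -> str:
    """Relying-party side: the usual challenge/origin checks plus the
    certificate fingerprint comparison.  An interposed proxy relays challenge
    and origin unchanged, so only the fingerprint reveals it."""
    data = json.loads(client_data_json)
    if data.get("challenge") != expected_challenge:
        return "bad challenge"
    if data.get("origin") != expected_origin:
        return "bad origin"
    seen = data.get(FINGERPRINT_FIELD, "")
    if not hmac.compare_digest(seen, cert_fingerprint(rp_cert_der)):
        return "tls certificate mismatch: possible man-in-the-middle"
    return "ok"
```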