- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 17 May 2019 10:48:56 +0000
- To: public-webauthn@w3.org
@gmandyam I'm not sure what problem you're trying to solve. Is it that locally hosted applications can successfully create assertions for arbitrary RP IDs if the user permits a self-signed server certificate? Because in that case I don't see why loopback addresses should be special. If I can edit a victim's hosts file to add `google.com = 127.0.0.1` and host a self-signed application on the victim's machine, then I can just as well add `google.com = 174.28.13.83` and host the same self-signed application at that IP address. The latter is in fact an easier attack since I need to do less on the victim's machine.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1204#issuecomment-493411234 using your GitHub account
Received on Friday, 17 May 2019 10:48:58 UTC