Re: [webauthn] Why does WebAuthn require a challenge when asking the client to register a new credential? (#1355)

Do challenge and origin help to protect against attack during the registration ceremony in any way if the "none" attestation method is used?

I mean, I think the origin and challenge are not signed (during registration with the "none" attestation method) in any way and could be easily swapped by JavaScript (due to XSS) or a man in the middle (a phishing site controlled by an attacker) without swapping the public key or credential ID.

Am I not seeing something?

-- 
GitHub Notification of comment by marekciupak
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1355#issuecomment-907594021 using your GitHub account



Received on Saturday, 28 August 2021 08:33:04 UTC
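
For reference on the checks this question concerns, here is an added example (not part of the original comment and not code from the WebAuthn specification) of what a Relying Party verifies in a registration response that uses "none" attestation. The helper name `check_registration`, the already CBOR-decoded `fmt`/`att_stmt`/`auth_data` inputs, and the absence of extension data are assumptions.

```python
import base64, hashlib, hmac, json, struct

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_registration(client_data_json: bytes, fmt: str, att_stmt: dict,
                       auth_data: bytes, *, challenge: bytes, origin: str,
                       rp_id: str) -> dict:
    """RP-side registration checks (hypothetical helper, assumptions above)."""
    cd = json.loads(client_data_json.decode("utf-8"))
    if cd.get("type") != "webauthn.create":
        raise ValueError("wrong ceremony type")
    # Compare against the challenge the RP stored server-side for this session,
    # never against a value echoed back by the client.
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), challenge):
        raise ValueError("challenge mismatch")
    if cd.get("origin") != origin:
        raise ValueError("origin mismatch")

    # authData layout: rpIdHash(32) | flags(1) | signCount(4) |
    #                  aaguid(16) | credIdLen(2) | credId | COSE public key
    if len(auth_data) < 55:
        raise ValueError("authData too short")
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(rp_id_hash, expected_hash):
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:
        raise ValueError("user presence (UP) flag not set")
    if not flags & 0x40:
        raise ValueError("attested credential data (AT) flag not set")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential id")

    if fmt != "none":
        raise NotImplementedError("other attestation formats not shown")
    if att_stmt:
        raise ValueError("attStmt must be empty for fmt 'none'")
    # With fmt "none" there is no attestation signature, so nothing
    # cryptographically binds authData to the clientDataJSON hash here.
    return {"credential_id": cred_id,
            "cose_key": auth_data[55 + cred_len:],  # assumes no extensions
            "attestation_signed": False}
```
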