- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Sun, 17 Sep 2023 02:41:30 +0000
- To: public-webauthn@w3.org
Preventing extensions from intercepting WebAuthn calls is not going to win points from people like 1Password and Dashlane who have to use that method on desktops. If the attacker controls the user agent completely there are lots of ways to get a valid challenge from a RP. I have grease monkey scripts that do that for debugging. Stoping Trojans from performing WebAuthn on the users computer without being detected is where resources should be applied. We have known this for a long time and make slow progress as it is hard and platforms don't see it being exploited in practice. I have often heard the argument that once you have malware with that level of access on a users computer all guarantees around authentication security are gone anyway. -- GitHub Notification of comment by ve7jtb Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1722374230 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Sunday, 17 September 2023 02:41:32 UTC