- From: Eric Stern via GitHub <sysbot+gh@w3.org>
- Date: Tue, 01 Oct 2024 23:04:41 +0000
- To: public-webauthn@w3.org
Gotcha, thanks for all of the clarification! Under the context of "be aware this is a non-malicious scenario where it can occur, but probably still let it fail" this seems like a fine addition.

I do fear that if an RP attempts to permit such requests to go through anyway, a meddling party (though not necessarily one that could MITM things - once that's in play, basically all bets are off) might be able to create some sort of side-channel attack if the RP tries to detect and allow this. E.g. a bad actor on the same network could cause enough traffic to get request C1 to hang, then attempt some sort of replay attack.

To be clear, this fear is entirely based on a gut reaction, not any sort of actual cryptographic assessment. If challenges have a proper timeout, it seems entirely infeasible that the bad actor could do anything in the necessary time window (without nation-state resources, at least).

--
GitHub Notification of comment by Firehed
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2172#issuecomment-2387234005 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 1 October 2024 23:04:42 UTC