On Mon, Nov 23, 2015 at 8:01 PM, Anders Rundgren < anders.rundgren.net@gmail.com> wrote: > Like shown in the upper part of this one-page document > http://webpki.org/papers/permissions.pdf > which I published after the workshop which I also attended. > Yes, this is a very good depiction of the sorts of user interfaces that people have tried to add in order to expose these tokens to browsers. These sorts of interfaces are extremely confusing and do not provide enough context or make things clear enough for users to make meaningful security decisions. Without solving the same-origin problem they immediately opt users into many decisions they are not prepared to make, and also expose users to a whole class of cross-origin attacks which are not possible with systems based on origin-bound certificates/credentials. The modern solutions to this sort of problem are built on the same-origin policy as a first principle, and thereby mitigate the majority of cross-origin attacks by design. See: http://www.browserauth.net/ http://www.browserauth.net/origin-bound-certificates http://www.browserauth.net/channel-bound-cookies U2F was designed this way and would work very well with the system described above. -- Tony Arcieri
Received on Tuesday, 24 November 2015 04:14:09 UTC