by cjwhite, 3104 days ago
It also seems that would help with not giving out passwords to spoofing sites.
StavrosK, 3104 days ago
The spoofing site could just pretend your U2F was valid and get your password, although it couldn't really do anything with it anyway.
u801e, 3104 days ago
The spoofing site wouldn't/shouldn't be able to pass the browser validation of the TLS server side certificate.
StavrosK, 3104 days ago
Why not? How hard is it to get a cert for a domain that looks like paypal-businesscenter.com?
cjwhite, 3103 days ago
Moreover, the browser could remember the expected shared secret based on the RSA exchange between it and the server.