Hacker News
StavrosK
3108 days ago
The spoofing site could just pretend your U2F was valid and get your password, although it couldn't really do anything with it anyway.
1 comment
u801e
3107 days ago
The spoofing site wouldn't/shouldn't be able to pass the browser validation of the TLS server side certificate.
StavrosK
3107 days ago
Why not? How hard is it to get a cert for a domain that looks like paypal-businesscenter.com?
cjwhite
3107 days ago
Moreover, the browser could remember the expected shared secret based on its and the server's RSA exchange.