by exabrial 3037 days ago
I wish channel-bound tokens were mandatory in the U2F spec, or a browser key was part of the auth request to the token, for exactly this reason. U2F is "optionally" unphishable.
2 comments

FIDO discussed this on their site. It's optional so corporate firewalls that perform MITM can continue to work with U2F.
... sigh.
I mean, if you want a standard for everyone, it's hard to ignore where most people work.
How would that help? Couldn't the WebUSB simply lie to the U2F device about what the channel is?
Go take a look at token bound channels. It sure could but it'd be completely useless to do so.
I know a bit about token-bound channels. But the U2F device only talks to Chrome via USB. So anything that the legitimate Chrome could say to the U2F device (negotiating tokens, channels, etc.) can now be done by the attacker via WebUSB. So I would think the attacker can get the U2F device's signature on the attacker's channel.

It should be just as if you unplugged your U2F device from your machine and plugged it into the attacker's machine.