by ars_technician
4572 days ago
How? A phishing site can relay any of this information by acting as a client to the real site while prompting the end user for the requested credentials. The only way FIDO could prevent this would be to make the credentials dependent on the URL in the browser, but I don't see where it does this.

MITM is still possible, but there are other ways to combat that, such as TLS Channel IDs [1] or Bearer Tokens [2].
[1] http://www.google.com/intl/en/chrome/browser/privacy/whitepa...
[2] http://www.browserauth.net/