
No one has mentioned the coolest feature of U2F/Fido auth: TLS Channel IDs.

Via an internal Chrome extension ("cryptotoken"), authentication state & the handshake can be bound to a specific TLS session -- preventing cookie theft. Incredibly cool: http://www.browserauth.net/channel-bound-cookies
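The binding the comment describes, as an added sketch that is not code from the original thread or from Chrome: the server MACs the session identifier together with the Channel ID public key it observed on the TLS connection, so a cookie lifted from that connection fails verification when replayed over a different channel. Python's ssl module does not expose Channel ID, so the channel keys and the server key below are constructed byte strings standing in for the real TLS extension value.

```python
import hashlib
import hmac

# Constructed server-side MAC key (stands in for a real, rotated secret).
SERVER_KEY = b"constructed-example-server-mac-key"

# Constructed stand-ins for the Channel ID public keys the TLS layer would
# report for two different client connections (the real value is an EC key).
BROWSER_CHANNEL_ID = hashlib.sha256(b"legitimate browser channel key").digest()
OTHER_CHANNEL_ID = hashlib.sha256(b"some other TLS channel key").digest()


def _bind(session_id: bytes, channel_id: bytes) -> bytes:
    # MAC over session id and channel id; the separator keeps the two
    # fields from being shifted into one another.
    return hmac.new(SERVER_KEY, session_id + b"|" + channel_id, hashlib.sha256).digest()


def issue_cookie(session_id: bytes, channel_id: bytes) -> bytes:
    """Set at login: the cookie carries the session id plus a tag that
    is only valid on the TLS channel the login happened over."""
    return session_id + b"." + _bind(session_id, channel_id).hex().encode()


def verify_cookie(cookie: bytes, channel_id: bytes) -> bool:
    """Run on every request with the Channel ID of the *current* connection.
    Returns False for a malformed cookie or one bound to another channel."""
    try:
        session_id, tag_hex = cookie.rsplit(b".", 1)
        tag = bytes.fromhex(tag_hex.decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(tag, _bind(session_id, channel_id))


def demo() -> tuple:
    """Legitimate reuse succeeds; the same cookie value presented over a
    different channel (the cookie-theft case) is rejected."""
    cookie = issue_cookie(b"sess-42", BROWSER_CHANNEL_ID)
    same_channel_ok = verify_cookie(cookie, BROWSER_CHANNEL_ID)
    replayed_elsewhere_ok = verify_cookie(cookie, OTHER_CHANNEL_ID)
    return same_channel_ok, replayed_elsewhere_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```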



This is indeed a cool feature. I hadn't been aware of it until now. I see that Dirk Balfanz from Google published an IETF draft a couple years ago.

I need to digest the security implications, but it seems like a nice mitigation to session theft.


until tls session resumption gets more common and someone comes up with a "tls session resumption is not in fact secure" :(

there were some talks in 2013 about this in various sec conferences



