[messaging] abusing u2f

elijah elijah at riseup.net
Fri Mar 25 11:07:06 PDT 2016

On 03/25/2016 05:33 AM, Tom Ritter wrote:

> In the web browser context, I'm pretty sure you don't control the app
> id - it's determined from the origin in the web browser and passed to
> the dongle.  If you could control it, it would be trivial to do
> cooperative cross-origin tracking.

I think that is correct, although I am puzzled why the javascript API
lets you specify the app id.

Regardless, I mostly have in mind non-browser applications (Soledad is
currently written in Python).

To the question of why not just use random seed stored on a thumb drive?
In summary:

* with u2f, you get access to a wide variety of devices. although these
are not available yet, there will probably be bracelets, rings, watches,
etc that communicate via NFC.

* if u2f takes off, many users are likely to have a u2f device already,
so it would be nice to take advantage of that.

* for browser based apps, it is a smoother and more secure user
experience to use u2f than to require that they load a file from a usb

* for non-browser apps, you could possibly create hard-to-guess app ids
in order to make password attempts very expensive.


More information about the Messaging mailing list