[messaging] abusing u2f
elijah
elijah at riseup.net
Fri Mar 25 11:07:06 PDT 2016
On 03/25/2016 05:33 AM, Tom Ritter wrote:
> In the web browser context, I'm pretty sure you don't control the app
> id - it's determined from the origin in the web browser and passed to
> the dongle. If you could control it, it would be trivial to do
> cooperative cross-origin tracking.
I think that is correct, although I am puzzled why the javascript API
lets you specify the app id.
Regardless, I mostly have in mind non-browser applications (Soledad is
currently written in Python).
To the question of why not just use random seed stored on a thumb drive?
In summary:
* with u2f, you get access to a wide variety of devices. although these
are not available yet, there will probably be bracelets, rings, watches,
etc that communicate via NFC.
* if u2f takes off, many users are likely to have a u2f device already,
so it would be nice to take advantage of that.
* for browser based apps, it is a smoother and more secure user
experience to use u2f than to require that they load a file from a usb
volume.
* for non-browser apps, you could possibly create hard-to-guess app ids
in order to make password attempts very expensive.
-elijah
More information about the Messaging
mailing list