[messaging] abusing u2f

Joseph Birr-Pixton jpixton at gmail.com
Fri Mar 25 13:23:30 PDT 2016

On 25 March 2016 at 18:07, elijah <elijah at riseup.net> wrote:
> On 03/25/2016 05:33 AM, Tom Ritter wrote:
>> In the web browser context, I'm pretty sure you don't control the app
>> id - it's determined from the origin in the web browser and passed to
>> the dongle.  If you could control it, it would be trivial to do
>> cooperative cross-origin tracking.
> I think that is correct, although I am puzzled why the javascript API
> lets you specify the app id.

You can either specify your origin (this is checked by the
extension/browser, I assume!), or alternatively a URI that can be HTTP
GET'd to yield a list of equivalent origins and identities of native
apps that are allowed to claim the same appId.

> Regardless, I mostly have in mind non-browser applications (Soledad is
> currently written in Python).
> To the question of why not just use random seed stored on a thumb drive?
> In summary:

Some more things in this vein:

* U2F devices are typically harder to duplicate. This isn't a
fundamental part of U2F, but the devices I've seen so far are either
just USB-connected smartcards (Plug-Up) or have smartcard-class
microcontrollers inside (Yubico).

* Plugging a USB stick into a modern computer will transfer
unpredictable amounts of the USB drive's contents. Like in the page
cache, search indices, backup systems, etc.
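
The appId check described in the reply above, sketched for a non-browser client as an added example (not part of the original message, and not code from any U2F library). It assumes the `trustedFacets` JSON layout of the FIDO AppID and Facet specification; the function names and sample hosts are hypothetical, the HTTPS fetch of the list is left to the caller, and the specification's further restrictions on which origins a list may name are not implemented.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the document an appId URL might serve (placeholder values).
SAMPLE_FACETS = json.dumps({"trustedFacets": [{
    "version": {"major": 1, "minor": 0},
    "ids": ["https://login.example.com",
            "https://www.example.com:8443",
            "http://insecure.example.com",          # not https: never matches
            "android:apk-key-hash:PLACEHOLDER_HASH"],
}]})

def web_origin(url):
    """Return the normalized https origin of url, or None if it has none."""
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:
        return None
    if p.scheme != "https" or not p.hostname:
        return None
    host = p.hostname.lower()
    return f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"

def normalize_facet(facet):
    """Native-app facets compare as exact strings, web facets by origin."""
    if facet.startswith(("android:", "ios:")):
        return facet
    return web_origin(facet)

def caller_may_claim(app_id, caller_facet, facets_json=None):
    """True if caller_facet may use app_id, given the fetched facet list body."""
    caller = normalize_facet(caller_facet)
    app_origin = web_origin(app_id)
    if caller is None or app_origin is None:
        return False
    if app_origin == caller:          # appId is on the caller's own origin
        return True
    if facets_json is None:           # different origin and no list: refuse
        return False
    try:
        allowed = {normalize_facet(i)
                   for entry in json.loads(facets_json)["trustedFacets"]
                   if entry.get("version", {}).get("major") == 1
                   for i in entry["ids"]}
    except (ValueError, KeyError, TypeError, AttributeError):
        return False                  # malformed list: fail closed
    return caller in allowed
```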

