[messaging] abusing u2f
Tom Ritter
tom at ritter.vg
Fri Mar 25 13:31:06 PDT 2016
On 25 March 2016 at 15:23, Joseph Birr-Pixton <jpixton at gmail.com> wrote:
> On 25 March 2016 at 18:07, elijah <elijah at riseup.net> wrote:
>> On 03/25/2016 05:33 AM, Tom Ritter wrote:
>>
>>> In the web browser context, I'm pretty sure you don't control the app
>>> id - it's determined from the origin in the web browser and passed to
>>> the dongle. If you could control it, it would be trivial to do
>>> cooperative cross-origin tracking.
>>
>> I think that is correct, although I am puzzled why the javascript API
>> lets you specify the app id.
>
> You can either specify your origin (this is checked by the
> extension/browser, I assume!), or alternatively a URI that can be HTTP
> GET'd to yield a list of equivalent origins and identities of native
> apps that are allowed to claim the same appId.
The "list of equivalent origins" when I read the spec did _not_ allow
other web origins. This was a hard "No". It only worked with mobile
apps. Has this been relaxed? If so, it's a major privacy problem.
-tom
More information about the Messaging
mailing list