[messaging] abusing u2f

Tom Ritter tom at ritter.vg
Fri Mar 25 13:31:06 PDT 2016

On 25 March 2016 at 15:23, Joseph Birr-Pixton <jpixton at gmail.com> wrote:
> On 25 March 2016 at 18:07, elijah <elijah at riseup.net> wrote:
>> On 03/25/2016 05:33 AM, Tom Ritter wrote:
>>> In the web browser context, I'm pretty sure you don't control the app
>>> id - it's determined from the origin in the web browser and passed to
>>> the dongle.  If you could control it, it would be trivial to do
>>> cooperative cross-origin tracking.
>> I think that is correct, although I am puzzled why the javascript API
>> lets you specify the app id.
> You can either specify your origin (this is checked by the
> extension/browser, I assume!), or alternatively a URI that can be HTTP
> GET'd to yield a list of equivalent origins and identities of native
> apps that are allowed to claim the same appId.

The "list of equivalent origins" when I read the spec did _not_ allow
other web origins. This was a hard "No". It only worked with mobile
apps.  Has this been relaxed?  If so, it's a major privacy problem.


More information about the Messaging mailing list