[messaging] abusing u2f

Joseph Birr-Pixton jpixton at gmail.com
Fri Mar 25 13:52:59 PDT 2016


On 25 March 2016 at 20:31, Tom Ritter <tom at ritter.vg> wrote:
> The "list of equivalent origins" when I read the spec did _not_ allow
> other web origins. This was a hard "No". It only worked with mobile
> apps.  Has this been relaxed?  If so, it's a major privacy problem.

I don't think it has been relaxed. The other web origins are required
to share the same 'public parts' (like .com) plus at least one
'private part' (like example), such that www.example.com and
accounts.example.com can share, but not baddie.example2.com.

Cheers,
Joe


More information about the Messaging mailing list