On Mon, Feb 8, 2016 at 1:13 PM, Frederic Martin wrote:
>
> 1) From a security architect perspective. This is an official recommendation 
> that makes sense to prevent MITM attacks. FIDO U2F was created to 
> minimize/eliminate that kind of risk.

U2F itself addresses phishing. Token Binding (attempts) to address
MITM, but it's worth noting that they are separate problems with
separate solutions. U2F / FIDO are still able to handily address the
former problem, without requiring treatment of the latter - it merely
establishes how they can be used cooperatively, but that's not
intrinsically necessary, nor necessarily wise.

> 2) Firefox users could be discriminated out of servers implementing this 
> protection.

Hopefully, you can likely recognize why this represents a very
troubling problem of Token Binding - it enables service providers
greater control to discriminate against users, reducing user freedom
and the role of the browser as the user's agent.

While I think there's no disagreement that 'hostile' MITM is bad,
there are plenty of cases where users intentionally and actively MITM
themselves, for purposes that range from 'clearly legitimate' to
'questionable, but it's the user's call'. In the case of 'clearly
legitimate', consider the work of security researchers and developers
who wish to MITM themselves or their applications, in order to
determine what data is leaking out. Any solution that actively
prohibits this can end up undermining users' security.

If you think this is academic, consider that many service providers
consider it a form of DRM to employ - that is, preventing MITM - and
as such, it represents a loss of user privilege. What if your favourite
sites all required you to do this, or other forms of protection (such
as hardware-attested token binding keys that reveal unique
identifiers)? While the idea is that token binding keys can be
rotated, we've certainly seen sites, particularly video providers, use
every available fingerprinting mechanism they can in order to restrict
how and on which devices a user accesses a given service - I doubt we
would want to see or encourage more of that.

I think it's important to consider the harmful effects that Token
Binding will have, and not just the positive. And that's why it's
worthwhile to keep it under consideration, rather than commit. It is
truly unfortunate that Chrome decided to launch this feature, without
public discussion or review, and without concern for the implications
for the ecosystem such as the one you raise - providers like Google
using it to block out other browsers.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
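The distinction drawn in the reply above (U2F binds an assertion to the origin the browser sees, so it defeats phishing; Token Binding binds it to the TLS connection, so it also rejects a user's own intercepting proxy) can be made concrete with a small model. This is an added example, not code from the post or from any U2F or Token Binding implementation: the device's ECDSA key pair is replaced by a shared HMAC key, the per-connection Exported Keying Material (EKM) is derived from a constructed connection id, and the origins, challenges and connection names are all made up for illustration.

```python
"""Toy model of U2F origin binding versus Token Binding connection binding.

Added example (not from the mailing-list post). Assumptions:
  - DEVICE_KEY is an HMAC key standing in for the U2F device key pair
    (the RP holds the verifying half; here both sides share one key).
  - tls_ekm() fabricates a per-connection EKM value from a constructed id.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

DEVICE_KEY = hashlib.sha256(b"constructed-u2f-device-key").digest()  # constructed
RP_ORIGIN = "https://bank.example"                                   # constructed


def tls_ekm(connection_id: bytes) -> bytes:
    """EKM is unique per TLS connection; each hop of a MITM has its own."""
    return hashlib.sha256(b"ekm|" + connection_id).digest()


@dataclass
class Assertion:
    origin: str            # origin the browser believes it is talking to
    challenge: bytes
    ekm: Optional[bytes]   # Token Binding: EKM of the browser's own TLS connection
    sig: bytes


def _msg(origin: str, challenge: bytes, ekm: Optional[bytes]) -> bytes:
    return origin.encode() + b"|" + challenge + b"|" + (ekm or b"")


def client_sign(origin: str, challenge: bytes, ekm: Optional[bytes]) -> Assertion:
    """U2F signs over the observed origin and the challenge; with Token Binding
    the client additionally signs the EKM of the connection it is using."""
    sig = hmac.new(DEVICE_KEY, _msg(origin, challenge, ekm), hashlib.sha256).digest()
    return Assertion(origin, challenge, ekm, sig)


def rp_verify(a: Assertion, challenge: bytes, rp_ekm: Optional[bytes]) -> dict:
    """RP checks signature, challenge and origin (U2F), then that the EKM the
    client signed equals the EKM of the connection the RP itself sees."""
    expected = hmac.new(DEVICE_KEY, _msg(a.origin, a.challenge, a.ekm), hashlib.sha256).digest()
    sig_ok = hmac.compare_digest(expected, a.sig)
    u2f_ok = sig_ok and a.challenge == challenge and a.origin == RP_ORIGIN
    tb_ok = u2f_ok and rp_ekm is not None and a.ekm == rp_ekm
    return {"u2f": u2f_ok, "token_binding": tb_ok}


def scenario_direct() -> dict:
    # Browser talks straight to the bank: one TLS connection, one EKM.
    challenge = b"challenge-1"
    conn = tls_ekm(b"browser<->bank")
    return rp_verify(client_sign(RP_ORIGIN, challenge, conn), challenge, conn)


def scenario_phishing() -> dict:
    # A look-alike origin relays the bank's challenge. The browser signs the
    # origin it actually sees, so the RP's origin check fails (U2F's case).
    challenge = b"challenge-2"
    a = client_sign("https://bank-login.example", challenge, tls_ekm(b"browser<->phisher"))
    return rp_verify(a, challenge, tls_ekm(b"phisher<->bank"))


def scenario_user_proxy() -> dict:
    # Debugging proxy with a user-installed root: it presents a cert for
    # bank.example, so the browser sees the real origin and U2F passes. The
    # browser<->proxy and proxy<->bank connections have different EKM, so
    # Token Binding rejects the user's own, intentional interception.
    challenge = b"challenge-3"
    a = client_sign(RP_ORIGIN, challenge, tls_ekm(b"browser<->proxy"))
    return rp_verify(a, challenge, tls_ekm(b"proxy<->bank"))


if __name__ == "__main__":
    for name, fn in [("direct", scenario_direct), ("phishing", scenario_phishing),
                     ("user proxy", scenario_user_proxy)]:
        print(f"{name:11s} {fn()}")
```

The third scenario is the point of the post: the origin check is satisfied because the proxy's certificate is trusted by the user's own root store, so U2F alone leaves self-inspection possible, while the EKM comparison fails as soon as TLS is terminated anywhere between browser and server, legitimate or not.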
