Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WebAuthn and phishing #10

Open
cyberphone opened this issue Jan 28, 2020 · 2 comments
Open

WebAuthn and phishing #10

cyberphone opened this issue Jan 28, 2020 · 2 comments

Comments

@cyberphone
Copy link

WebAuthn deals with phishing by using domain-constrained tokens. With modal-window the domain-constraint is effectively disabled. If you would like to use a direct mode (similar to client-side TLS certificate) for payments or authentication the design could benefit from also supplying the certificate path of the calling domain. As an example, this is a part of Google's PaymentRequest for Android. Certificate data would then typically be hashed into signed assertions.

BTW, it is not clear to me how WebAuthn can be used from a modal-window since WebAuthn is activated from the Window object, unless the Window object (or a new property) as well as associated code is meant to security-wise belong to the Service Worker domain. I guess this is already the case?

Anyway, the utility of modal-window IMO stands or falls with the integration of WebAuthn.
@rsolomakhin
Copy link
Collaborator

WebAuthn deals with phishing by using domain-constrained tokens. With modal-window the domain-constraint is effectively disabled.

Could you elaborate on this more, please? If there's some reading material on this topic that you could provide, that would be appreciated.

... unless the Window object (or a new property) as well as associated code is meant to security-wise belong to the Service Worker domain.

Typically the web security boundary is the origin. If a Window and a Service Worker are from the same origin, then they should be able to share data, such as through the messaging interface.

Anyway, the utility of modal-window IMO stands or falls with the integration of WebAuthn.

I agree that WebAuthn should work correctly with a modal-window.

@cyberphone
Copy link
Author

I'm no expert on WebAuthn but the idea was (for privacy reasons), to have one (or more) keys for each domain. That is, WebAuthn keys are protected from being shared among domains.

Usually a window object has the origin of the invoked web server. In this case it would rather inherit the origin of the service worker. Maybe that's entirely obvious. Anyway, this means that WebAuthn keys indeed can be shared which would be great for emulating X.509 authentication. Another possibility for key sharing is the scheme used by the Open Banking Wallet: https://www.youtube.com/watch?v=OWn8sg7Oy3I&t=295

Yes, the modal-window could be a very powerful addition to the Web! It must obviously be handled with care 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rsolomakhin @cyberphone