Tor & WebAuthn

[mahnunchik]

I've just leave it here.

Multiple expected origins allows to use .onion domain in additional to standard one. But WebAuthn feature is disabled in most popular Tor browser:

• https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40223
• https://gitlab.torproject.org/legacy/trac/-/issues/26614

I don't know how to move this feature forward, but it would be awesome to have SimpleWebAuthn working in tor.

[akanass]

If feature is disabled in the browser, this library won't do miracle, it just allows to communicate with the standard API of the browser so if this API does not exist then nothing can be done.

[mahnunchik]

Yep, I understand it. But maybe somebody know how to force Tor team to enable that security important feature.

[akanass]

Tor browsers are primarily used for the dark web, not standard browsing. If the creators of the WebAuthn standard did not want to integrate it into this type of browser, it is because there is a reason behind it since they are not intended for the general public and do not have the necessary layers to communicate with this kind of API.

I think the request is not obvious and does not have too much use for this library.

We will let @MasterKale judge for himself

[MasterKale]

At first blush WebAuthn and Tor might actually compliment each other. WebAuthn as an API is a little finicky to work with because of its privacy considerations - if implemented correctly I don't see why .onion sites couldn't benefit from its security.

There's really nothing to be done here, though. I appreciate you linking to their discussion on enabling it, I'll follow along at least and maybe if they enable it in a future release I can test compatibility with SimpleWebAuthn 🤔