WebAuthn and phishing - Githubissues

adrianhopebailie / modal-window

A proposed Web API to invoke a modal window dialogue

Other

8 stars 6 forks source link

WebAuthn and phishing #10

Open cyberphone opened 4 years ago

cyberphone commented 4 years ago

WebAuthn deals with phishing by using domain-constrained tokens. With modal-window the domain-constraint is effectively disabled. If you would like to use a direct mode (similar to client-side TLS certificate) for payments or authentication the design could benefit from also supplying the certificate path of the calling domain. As an example, this is a part of Google's PaymentRequest for Android. Certificate data would then typically be hashed into signed assertions.

BTW, it is not clear to me how WebAuthn can be used from a modal-window since WebAuthn is activated from the Window object, unless the Window object (or a new property) as well as associated code is meant to security-wise belong to the Service Worker domain. I guess this is already the case?

Anyway, the utility of modal-window IMO stands or falls with the integration of WebAuthn.

rsolomakhin commented 4 years ago

WebAuthn deals with phishing by using domain-constrained tokens. With modal-window the domain-constraint is effectively disabled.

Could you elaborate on this more, please? If there's some reading material on this topic that you could provide, that would be appreciated.

... unless the Window object (or a new property) as well as associated code is meant to security-wise belong to the Service Worker domain.

Typically the web security boundary is the origin. If a Window and a Service Worker are from the same origin, then they should be able to share data, such as through the messaging interface.

Anyway, the utility of modal-window IMO stands or falls with the integration of WebAuthn.

I agree that WebAuthn should work correctly with a modal-window.

cyberphone commented 4 years ago

I'm no expert on WebAuthn but the idea was (for privacy reasons), to have one (or more) keys for each domain. That is, WebAuthn keys are protected from being shared among domains.

Usually a window object has the origin of the invoked web server. In this case it would rather inherit the origin of the service worker. Maybe that's entirely obvious. Anyway, this means that WebAuthn keys indeed can be shared which would be great for emulating X.509 authentication. Another possibility for key sharing is the scheme used by the Open Banking Wallet: https://www.youtube.com/watch?v=OWn8sg7Oy3I&t=295

Yes, the modal-window could be a very powerful addition to the Web! It must obviously be handled with care 🙂