mozilla / standards-positions

https://mozilla.github.io/standards-positions/
Mozilla Public License 2.0

Device Bound Session Credentials #912

Open MrBrain295 opened 11 months ago

MrBrain295 commented 11 months ago

Request for Mozilla Position on an Emerging Web Specification

Other information

In their words "Device Bound Session Credentials (DBSC) aims to reduce account hijacking caused by cookie theft. It does so by introducing a protocol and browser infrastructure to maintain and prove possession of a cryptographic key. The main challenge with cookies as an authentication mechanism is that they only lend themselves to bearer-token schemes. On desktop operating systems, application isolation is lacking and local malware can generally access anything that the browser itself can, and the browser must be able to access cookies. On the other hand, authentication with a private key allows for the use of system-level protection against key exfiltration."

simon-friedberger commented 8 months ago

The proposal seems sound but it's not clear that it is a good investment of engineering time. I've added some comments here: https://github.com/WICG/dbsc/issues/13

simon-friedberger commented 8 months ago

This should also be aligned with Microsoft trying to do something similar in https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/BindingContext/explainer.md

april commented 3 months ago

I am only a former Mozillian, so please take my requests with the proper weighting, but I would love to see Mozilla support DBSC (or the related Microsoft standard).

Over here at Dropbox we have been seeing an increasing prevalence of malware that steals cookie sessions from cookie stores, and a technology such as DBSC would go a long way towards mitigating the impact this has on our users.

Thanks, and hope y'all are well. :)