undefined | Better HN

0 pointsexabrial8y ago0 comments

Go take a look at token bound channels. It sure could but it'd be completely useless to do so.

0 comments

Buge8y ago

I know a bit about token bound channels. But the u2f device only talks to Chrome via usb. So anything that the legitimate chrome could say to the u2f device (negotiating tokens, channels, etc) can now be done by the attacker via webusb. So I would think the attacker can get the u2f device's signature on the attacker's channel.

It should be just as if you unplugged your u2f device from your machine and plugged it into the attacker's machine.

j / k navigate · click thread line to collapse

0 comments

Buge8y ago

It should be just as if you unplugged your u2f device from your machine and plugged it into the attacker's machine.

j / k navigate · click thread line to collapse