Contact emails
nha...@chromium.org, awha...@chromium.org, van...@chromium.org
Specs
http://datatracker.ietf.org/doc/draft-ietf-tokbind-protocol/
Summary
Token Binding allows a site to cryptographically bind bearer tokens (such as cookies) to the TLS layer, so that if a cookie is stolen, it can't be replayed by an attacker unless the attacker also has possession of the user's Token Binding private key for that site. The browser proves possession on each request by signing the connection's TLS exported keying material with that key and sending the result in the Sec-Token-Binding request header, so a header captured on one connection does not verify on another. This continues the work of the already-launched Channel ID feature in Chrome. Token Binding has been behind a flag since M50, was the subject of a Finch experiment on Canary and Dev in M51, and is planned to be on by default in M52.
Link to "Intent to Implement" blink-dev discussion
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/jTwWj2Y_IPM/7tOHWa34C6EJ
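The binding described in the summary above, as an added example that is not part of this intent, of the draft, or of Chromium's implementation: a minimal Go model of a Token Binding client and server. It assumes the draft's ecdsap256 key parameters with raw x||y public keys and r||s signatures over (type || key_parameters || EKM); the per-connection EKM, which a real server takes from the TLS exporter (RFC 5705), and the cookie values are random bytes constructed for the example, and the server's session store is a plain map. It plays out the three cases the summary implies: the legitimate user on a new connection, an attacker replaying the stolen cookie together with the captured header, and an attacker presenting the stolen cookie with its own key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// TokenBindingMessage is one TokenBinding from the Sec-Token-Binding header: the
// client's P-256 public key as x||y and an ECDSA signature as r||s.
type TokenBindingMessage struct{ PubKey, Signature []byte }

// signedDigest hashes (type || key_parameters || EKM) with 0 = provided_token_binding
// and 2 = ecdsap256 from draft-ietf-tokbind-protocol; EKM is the TLS exporter output
// of the connection, which is what ties the signature to that connection.
func signedDigest(ekm []byte) []byte {
	d := sha256.Sum256(append([]byte{0, 2}, ekm...))
	return d[:]
}

// randBytes is a constructed stand-in for cookie values and for the per-connection EKM.
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error as of Go 1.24
	return b
}

// newKey generates the browser's per-site Token Binding key pair.
func newKey() *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Sign builds the TokenBinding the client sends on a connection whose EKM is ekm.
func Sign(priv *ecdsa.PrivateKey, ekm []byte) *TokenBindingMessage {
	r, s, err := ecdsa.Sign(rand.Reader, priv, signedDigest(ekm))
	if err != nil {
		panic(err)
	}
	pub, sig := make([]byte, 64), make([]byte, 64)
	priv.X.FillBytes(pub[:32])
	priv.Y.FillBytes(pub[32:])
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return &TokenBindingMessage{pub, sig}
}

// Verify checks msg against the EKM of the connection it actually arrived on, so a
// header captured on another connection fails (ecdsa.Verify rejects off-curve points).
func Verify(msg *TokenBindingMessage, ekm []byte) bool {
	if len(msg.PubKey) != 64 || len(msg.Signature) != 64 {
		return false
	}
	x, y := new(big.Int).SetBytes(msg.PubKey[:32]), new(big.Int).SetBytes(msg.PubKey[32:])
	r, s := new(big.Int).SetBytes(msg.Signature[:32]), new(big.Int).SetBytes(msg.Signature[32:])
	return ecdsa.Verify(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, signedDigest(ekm), r, s)
}

// Server maps each issued cookie to sha256 of the TokenBindingID it is bound to.
type Server map[string][32]byte

// Login verifies the binding on this connection and issues a cookie bound to msg.PubKey.
func (s Server) Login(msg *TokenBindingMessage, ekm []byte) (cookie string, ok bool) {
	if !Verify(msg, ekm) {
		return "", false
	}
	cookie = fmt.Sprintf("%x", randBytes(16))
	s[cookie] = sha256.Sum256(msg.PubKey)
	return cookie, true
}

// Authenticate accepts the cookie only with a binding that verifies for this
// connection and comes from the key the cookie was issued to.
func (s Server) Authenticate(cookie string, msg *TokenBindingMessage, ekm []byte) bool {
	bound, ok := s[cookie]
	return ok && Verify(msg, ekm) && bound == sha256.Sum256(msg.PubKey)
}

// Scenario issues a cookie on connection A, then reports whether the server accepts:
// the same user on connection B; the stolen cookie with A's captured header on the
// attacker's connection C; the stolen cookie with the attacker's own key on C.
func Scenario() (loginOK, sameUser, stolenHeader, attackerKey bool) {
	srv, victim, attacker := Server{}, newKey(), newKey()
	ekmA, ekmB, ekmC := randBytes(32), randBytes(32), randBytes(32)
	msgA := Sign(victim, ekmA)
	cookie, loginOK := srv.Login(msgA, ekmA)
	sameUser = srv.Authenticate(cookie, Sign(victim, ekmB), ekmB)
	stolenHeader = srv.Authenticate(cookie, msgA, ekmC)
	attackerKey = srv.Authenticate(cookie, Sign(attacker, ekmC), ekmC)
	return
}

func main() {
	fmt.Println(Scenario()) // true true false false
}
```

The two rejections fail for different reasons: the replayed header carries a signature over connection A's EKM, so Verify fails on connection C even though the key is the victim's; the attacker's freshly signed header verifies, but the cookie is bound to a different TokenBindingID. A real server must do both checks, and must take the EKM from its own TLS stack rather than from anything the client sends.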
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Debuggability
Token Binding includes an HTTP request header, which can be viewed in the Network tab of DevTools. Nothing else is provided for developers to debug Token Binding.
Interoperability and Compatibility Risk
Low risk. Token Binding is nearing Working Group Last Call in the IETF: editorial changes are still being made, but the technical details have settled down. If the spec changes in future, its built-in version negotiation accommodates that.
OWP launch tracking bug
Feature bug: crbug.com/467312
Launch bug: crbug.com/596699
Entry on the feature dashboard
https://www.chromestatus.com/feature/5097603234529280
- Because of this desire, the security properties of Token Binding have been cryptographically weakened in order to accommodate hardware binding on older devices. In particular, the WG has decided to permit the use of RSA-2048 PKCS#1 v1.5, which arguably should not be used in new standards (as compared with RSA-PSS or ECDSA).
--
https://annevankesteren.nl/