Contact emails
nha...@chromium.org, awha...@chromium.org, van...@chromium.org
Spec
http://datatracker.ietf.org/doc/draft-ietf-tokbind-protocol/
http://datatracker.ietf.org/doc/draft-popov-tokbind-negotiation/
http://datatracker.ietf.org/doc/draft-ietf-tokbind-https/
Summary
Token Binding allows a site to cryptographically bind bearer tokens (such as Cookies) to the TLS layer, so that if a cookie is stolen, it can't be replayed by an attacker unless the attacker also has possession of the user's Token Binding private key for that site. A more detailed threat model for Token Binding is described at https://docs.google.com/document/d/1ywYxiFT2A-BaTi6z45nqY9F4Ot5bk1_n-IACW1yK2g8. This is continuing work of the already-launched Channel ID feature in Chrome. Token Binding has been behind a flag since M50, the subject of a Finch experiment for Canary and Dev since M51, and is planned to be on by default in M58.
Link to “Intent to Implement” blink-dev discussion
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/jTwWj2Y_IPM/7tOHWa34C6EJ
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Debuggability
Token Binding includes an HTTP request header, which can be viewed in the Network tab of DevTools. Nothing else is provided for developers to debug Token Binding. Some concerns have been raised about Token Binding; https://docs.google.com/document/d/11lZGt584NbaJKGPVg080UjHv0DzanlyKgfsRp933AwA describes some of those concerns and comments on them.
Interoperability and Compatibility Risk
If support for Token Binding is removed from Chrome, then users who have tokens that were bound to a Token Binding key may need to obtain new bearer tokens (generally this will look like needing to reauthenticate to that site). I am assuming that sites will always have support for connections that do not support Token Binding, either for older browsers that lack Token Binding support, or for users who are behind a MitM, such as those using antivirus software or at an enterprise.
It is possible that some servers may choose to require Token Binding (and provide no access to protected resources without a valid Sec-Token-Binding header). Doing so would be hostile to users using browsers that don’t support Token Binding, or users who are behind a MitM (antivirus or enterprise). An operator of such a server might relax this hostility slightly by checking the User-Agent string in the request and only requiring Token Binding if the UA supports Token Binding (note that this is insecure because the UA string could be changed by a MitM). In this case, removing support from Chrome for Token Binding could break the expectations of site operators who don’t update the list of UAs that support Token Binding.
It is possible that most of the uses of Token Binding will be for enterprises. If adoption of Token Binding is mostly in enterprises, we will have very little insight into its use from client-side logging when making a decision to deprecate and remove it.
OWP launch tracking bug
Feature bug: crbug.com/467312
Launch bug: crbug.com/596699
Entry on the feature dashboard
https://www.chromestatus.com/feature/5097603234529280
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+unsubscribe@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACdeXiKbBGhNHtHRSWj5TSX1FpksEy8dXHgvM-6Q8J9ftvpo8g%40mail.gmail.com.
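As an added illustration (not part of the intent-to-ship message, the replies, or Chrome's code) of the binding check the summary describes: the server side of a site that binds its session cookie to the Token Binding ID when one is presented and otherwise falls back to an unbound cookie, as the compatibility section assumes sites will do for older browsers and MitM'd connections. The cookie layout and the HMAC construction are this example's own assumptions; the Sec-Token-Binding proof-of-possession signature over the TLS exported keying material is assumed to have been verified by the HTTP front end, which passes only the provided Token Binding ID (the client's public key bytes) or None to this code.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-process cookie-signing key; a deployment would load it from its
# key store. The cookie layout below is this example's own, not any server's.
SERVER_KEY = secrets.token_bytes(32)
UNBOUND = b"\x00" * 32  # binding value for cookies minted without Token Binding


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(session_id: str, tb_id: Optional[bytes]) -> str:
    """Mint a session cookie. When the request carried a verified Sec-Token-Binding
    header, tb_id is the provided Token Binding ID and the cookie is bound to
    SHA-256(tb_id); otherwise (older browser, antivirus or enterprise MitM) an
    unbound cookie is minted so the site keeps working without Token Binding."""
    binding = hashlib.sha256(tb_id).digest() if tb_id else UNBOUND
    body = session_id.encode() + b"|" + binding
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body + tag)


def validate_cookie(cookie: str, tb_id: Optional[bytes]) -> Optional[str]:
    """Return the session id if the cookie is authentic and, when bound, arrived
    over a connection that proved possession of the same Token Binding key;
    return None for a forged, tampered or replayed cookie."""
    try:
        raw = _unb64(cookie)
    except (ValueError, binascii.Error):
        return None
    if len(raw) < 1 + 1 + 32 + 32:  # session id, separator, binding, HMAC tag
        return None
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # not minted by us, or tampered with
    session_id, binding = body[:-33], body[-32:]
    if binding == UNBOUND:
        return session_id.decode()  # unbound cookie: no key requirement
    if tb_id is None or not hmac.compare_digest(binding, hashlib.sha256(tb_id).digest()):
        return None  # stolen bound cookie replayed without the matching key
    return session_id.decode()
```

A cookie bound to one Token Binding ID is rejected when replayed over a connection that presents a different ID or none at all, while an unbound cookie is accepted either way.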
One thing that I noticed was that it doesn't look like the Fetch spec has been updated - https://github.com/whatwg/fetch/issues/30 is still open and it looks like a ton of feedback remains unaddressed in https://github.com/whatwg/fetch/pull/325. Basically, a part of the spec is missing. I'm not sure how to evaluate what Chrome implemented against that, or how we might expect others to implement. Do you know if this is being addressed?
The portions of Token Binding that are currently implemented don't work with 0-RTT, but there is a plan to make Token Binding work with 0-RTT. Everything but the JS API in the Fetch PR is implemented (I think): Token Binding is not used when in privacy mode, which should match the language in the Fetch PR to not do Token Binding when credentials=false.
--
https://annevankesteren.nl/