Primary eng (and PM) emails
Links to other Intents threads
Intent to Implement: https://groups.google.com/a/chromium.org/d/topic/blink-dev/jTwWj2Y_IPM/discussion
Intent to Ship (take 1): https://groups.google.com/a/chromium.org/d/topic/blink-dev/r4zE8RKB6l4/discussion
Intent to Ship (take 2): https://groups.google.com/a/chromium.org/d/topic/blink-dev/C-iuVJeDGkk/discussion
Summary
Token Binding is a feature that has been behind a flag for over two years and has never shipped. (No Intent to Ship for Token Binding ever got approved.) I plan to remove all code related to this unused feature.
Motivation
After weighing the security benefit of Token Binding against the engineering costs, maintenance costs, web compatibility risk, and adoption, it does not make sense to ship this feature.
Interoperability and Compatibility Risk
There is little risk to removing this feature. It has never been on by default, and there has been little industry adoption. Edge is the only other browser that supports Token Binding; Chrome will behave as any other browser that does not support Token Binding.
Edge: Supported, negative to removal
Firefox: not supported
Safari: not supported
Alternative implementation suggestion for web developers
Depending on the use case that a site operator had for Token Binding, there are other technologies that can be used. For protecting cookies against XSS, the HttpOnly flag can be used. For providing a cryptographic assertion that both peers are on the same connections, TLS client certificates can be used. Some use cases might be able to use WebCrypto.
Usage information from UseCounter
No information from UseCounter. Based on the Net.TokenBinding.Support UMA histogram, less than 00.01% of HTTPS requests on Stable had Token Binding attempted. This indicates that very few people flipped the flag in about:flags for Token Binding.
Entry on the feature dashboard
https://www.chromestatus.com/feature/5097603234529280
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACdeXiLPsBgXXwjAenkFEGPLwWxeGbEC6tfA8JFkFpvoD0qmJg%40mail.gmail.com.
Quoting bcampbell via blink-dev <blin...@chromium.org>:
>
> I would like to respectfully ask (or maybe beg) that removal be
> reconsidered.
I agree with Brian (bcampbell) and request that token binding support
not be removed, per Brian's rationale below.
Also, W3C WebAuthn has a dependency on token binding (TB)
<https://www.w3.org/TR/webauthn/#dom-collectedclientdata-tokenbinding>.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+unsubscribe@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACvaWvYPJuxpUumqp7OHxyeTiCATUsn6g202Mnu1rXNK0BuQuQ%40mail.gmail.com.
Evaluating Token Binding's security benefits involved considering how tokens might get stolen (since it's stated goal is to prevent token theft). Client malware seems to be the most-often cited example in Token Binding discussions, yet this is outside the scope of Chrome's threat model. The most likely relevant scenarios for token theft within Chrome's threat model are XSS and rogue extensions. For XSS, we have other better tools than Token Binding. Rogue extensions is an interesting issue that gets into broader interactions between Token Binding and the web platform.
For providing a cryptographic assertion that both peers are on the same connections, TLS client certificates can be used. Some use cases might be able to use WebCrypto.
Users of the web platform (for better or worse) expect cookies (and other credentials) to be bearer tokens. This is reflected in Apps and Extensions APIs that expose cookies and OAuth tokens, as well as in developer tools. A successful launch of Token Binding would need to address how Apps and Extensions would be able to use bound tokens to avoid breaking existing legitimate use cases.
This requires extensive work both to the Extensions platform and for the Extension authors. A rogue extension would also be able to make use of the modified APIs to continue to exercise the tokens it would have stolen, meaning that in all likelihood the problem of token theft via rogue extensions isn't best solved by Token Binding, but by some other change to the extension ecosystem.
Developer tools also break with Token Binding, for example "Copy as cURL" and intercepting proxies (e.g. Fiddler, Charles Proxy).
A valuable purpose of token binding is that it provides proof of possession of cookies and (perhaps more importantly) access tokens. A cookie is typically considered homogenous state (which may represent authentication and access) for a domain, but tokens are often used in a more heterogenous manner. It is incredibly useful to have a way to know that an API request came from the client, and not from some other (possibly compromised) API endpoint that accepts the same token.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACvaWvYPJuxpUumqp7OHxyeTiCATUsn6g202Mnu1rXNK0BuQuQ%40mail.gmail.com.
Token Binding is primarily a standardised version of Chrome's Channel ID feature.Channel ID has not been behind a flag.Looking at my "all cookies and site data" shows dozens and dozens of sites (many related to Google) are using Channel ID.Is Channel ID also going to be switched off?If Google's multi-year multi-site experience with Channel ID hadn't shown any security benefit then removing Token Binding would be understandable, but I haven't seen anyone state that.--James Manger
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+unsubscribe@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/aae298e0-29ff-42c5-980e-7d0ef97ebc51%40chromium.org.
Channel ID is indeed being removed:
Cheers,Ryan
On Thu, Aug 30, 2018 at 11:53 PM, <c79...@gmail.com> wrote:
Token Binding is primarily a standardised version of Chrome's Channel ID feature.Channel ID has not been behind a flag.Looking at my "all cookies and site data" shows dozens and dozens of sites (many related to Google) are using Channel ID.Is Channel ID also going to be switched off?If Google's multi-year multi-site experience with Channel ID hadn't shown any security benefit then removing Token Binding would be understandable, but I haven't seen anyone state that.--James Manger
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/aae298e0-29ff-42c5-980e-7d0ef97ebc51%40chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJ_4DfREGvbmFHSe%3D9tEC_jgkob6zTyhfK76PYCKJF78nCYgYA%40mail.gmail.com.