
Channel-Bound Cookies #68

Open
dentarg opened this issue Nov 28, 2017 · 0 comments

Comments

@dentarg
Member

dentarg commented Nov 28, 2017

http://www.browserauth.net/channel-bound-cookies

We call an HTTP connection over TLS an HTTPS channel. When such an HTTPS channel uses Token Binding, the server can bind its cookies to the HTTPS channel by associating them with the client's public Token Binding key, and ensuring that the cookies are only ever used over HTTPS channels authenticated with that public (client) key.

This means that if such a channel-bound cookie is ever stolen off a client's machine, that cookie won't be able to authenticate an HTTP session to the server from other machines. This includes man-in-the-middle attackers that inject themselves into the connection between client and server, perhaps by tricking users into clicking through certificate-mismatch warnings: such a man-in-the-middle will have to generate its own HTTPS channel with the server, which won't match the channel that the cookie is bound to.

See also https://www.google.com/chrome/browser/privacy/whitepaper.html#tls
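As an added illustration of the binding described in the quoted text (example code, not from browserauth.net or this project): a minimal server-side scheme that MACs the session id together with a Token Binding ID, here simplified to the SHA-256 of the client's Token Binding public key, so that a cookie replayed over a channel authenticated with a different key is rejected. It assumes the TLS layer has already verified the client's proof of possession for that key; the key bytes, session ids and server secret are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed server-side secret for the example; a real deployment keeps this in config or a KMS.
SERVER_KEY = b"constructed-server-secret-for-example"


def token_binding_id(client_public_key: bytes) -> bytes:
    """Derive a fixed-size identifier for the client's Token Binding key.

    Simplification of the spec's TokenBindingID: we hash the raw public key bytes.
    The TLS layer is assumed to have already checked that the client proved
    possession of this key on the current HTTPS channel."""
    return hashlib.sha256(client_public_key).digest()


def issue_cookie(session_id: str, client_public_key: bytes) -> str:
    """Bind a session cookie to the channel's Token Binding key.

    The MAC covers both the session id and the binding id, so the cookie only
    verifies when presented over a channel authenticated with the same key."""
    tb_id = token_binding_id(client_public_key)
    tag = hmac.new(SERVER_KEY, session_id.encode() + tb_id, hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_cookie(cookie: str, channel_public_key: bytes) -> Optional[str]:
    """Return the session id if the cookie is valid for the key authenticated on
    this channel; return None for a malformed, tampered or replayed cookie."""
    try:
        session_id, tag = cookie.split(".", 1)
    except ValueError:
        return None
    msg = session_id.encode() + token_binding_id(channel_public_key)
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(tag, expected) else None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Issue a cookie on the legitimate client's channel, then present it both
    there and over a channel with a different (attacker-controlled) key."""
    client_key = b"constructed-client-token-binding-public-key"
    other_key = b"constructed-key-on-a-different-channel"
    cookie = issue_cookie("sess-1234", client_key)
    return verify_cookie(cookie, client_key), verify_cookie(cookie, other_key)
```

The second value returned by `demo()` is `None`: the stolen cookie carries a valid MAC, but the MAC was computed over a binding id that the attacker's channel cannot reproduce.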
