
Essentially it borrows the protections from TLS. Here's a link to the relevant part of the spec: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fid...

(Sorry if this comes across as RTFM, but I figured the source is better than my attempt at explaining)



Not at all, the specification is indeed very clear. Thanks for the link!


Channel ID has been deprecated and replaced by Token Binding, but I'm sure U2F sites don't use either. The real protection is quite simple: incorporating the origin (domain name) in the protocol. So phishers would get a bad response from the token.
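
The origin binding described in the comment above, as an added Python sketch that is not part of the thread or the spec. Assumptions: the AppID equals the origin, the origins and challenge strings are constructed, and HMAC-SHA256 stands in for the token's ECDSA P-256 signature so it runs on the standard library (a real relying party holds only the public key).

```python
import hashlib, hmac, json, os, struct

def sha256(b):
    return hashlib.sha256(b).digest()

class Token:
    """Toy U2F token; HMAC-SHA256 is a stand-in for the ECDSA signature."""
    def __init__(self):
        self.keys = {}      # key handle -> (application parameter, key)
        self.counter = 0

    def register(self, app_param):
        handle, key = os.urandom(16), os.urandom(32)
        self.keys[handle] = (app_param, key)
        return handle, key  # a real token returns a public key instead

    def sign(self, app_param, challenge_param, handle):
        bound_app, key = self.keys[handle]
        if not hmac.compare_digest(bound_app, app_param):
            raise PermissionError("key handle was not issued for this application")
        self.counter += 1
        body = b"\x01" + struct.pack(">I", self.counter)  # user presence, counter
        # Signed bytes: app parameter || presence || counter || challenge parameter
        sig = hmac.new(key, app_param + body + challenge_param, hashlib.sha256).digest()
        return body + sig

def browser_sign(token, origin, challenge, handle):
    """The browser, not the page, writes the origin it is actually on."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin}).encode()
    resp = token.sign(sha256(origin.encode()), sha256(client_data), handle)
    return client_data, resp

def rp_verify(app_id, challenge, key, client_data, resp):
    """Relying party: check origin and challenge, then the signature."""
    cd = json.loads(client_data)
    if cd["origin"] != app_id or cd["challenge"] != challenge:
        return False
    body, sig = resp[:5], resp[5:]
    expected = hmac.new(key, sha256(app_id.encode()) + body + sha256(client_data),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def demo():
    site, phish = "https://example.com", "https://examp1e.test"  # constructed
    token = Token()
    handle, key = token.register(sha256(site.encode()))
    ok = rp_verify(site, "c1", key, *browser_sign(token, site, "c1", handle))
    try:
        browser_sign(token, phish, "c2", handle)  # same key handle, wrong origin
        refused = False
    except PermissionError:
        refused = True
    return ok, refused  # (True, True): real site verifies, phishing origin is refused
```
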



