Feature request: Token Binding Protocol #2083
+1
Sjord added a commit to Sjord/caniuse that referenced this issue May 11, 2017
Token binding is a feature to assign a unique ID to a TLS connection. Using a public-private keypair the client proves that only he is the owner of that unique ID. By binding cookies to this unique ID, session hijacking becomes impossible. Currently only Chrome supports this behind a flag, as far as I know. This can be tested using the URL https://unbearable-bc.ping-eng.com:3000/open/headers. If that shows the Sec-Token-Binding header, the feature is supported. Fixes Fyrd#2083
Merged
+1
Token binding specs are now proposed standard RFCs 8471, 8472, and 8473: http://self-issued.info/?p=1924
Token Binding Protocol is a new authentication mechanism, currently a draft and implemented in Chrome and Windows 10 (I think this means Edge, but I'm not sure).
Resources:
[1] Slides with quick explanation: https://www.ietf.org/proceedings/91/slides/slides-91-uta-2.pdf
[2] Article with more details, it also mentions it's implemented in Chrome and Windows 10: http://security-architect.com/token-bindings-to-gear-up-authentication-assurance/
[3] Repository with the draft specs: https://github.com/TokenBinding/Internet-Drafts
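The commit message above treats the presence of the Sec-Token-Binding header as the support signal. As an added example (not part of this issue or of the caniuse project), a server can go one step further and check that the header carries a well-formed TokenBindingMessage as laid out in RFC 8471 and RFC 8473; the function names and the sample bytes are constructed for illustration.

```javascript
// Added example. Field layout per RFC 8471 (TokenBindingMessage); header encoding per RFC 8473.
const TYPES = { 0: 'provided_token_binding', 1: 'referred_token_binding' };
const KEY_PARAMS = { 0: 'rsa2048_pkcs1.5', 1: 'rsa2048_pss', 2: 'ecdsap256' };

function parseSecTokenBinding(headerValue) {
  // The header value is unpadded base64url; reject anything else before decoding.
  if (!/^[A-Za-z0-9_-]+$/.test(headerValue)) throw new Error('not unpadded base64url');
  const buf = Buffer.from(headerValue.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  let pos = 0;
  const take = (n) => {
    if (pos + n > buf.length) throw new Error('truncated message');
    const b = buf.subarray(pos, pos + n);
    pos += n;
    return b;
  };
  const u8 = () => take(1)[0];
  const u16 = () => take(2).readUInt16BE(0);
  const total = u16(); // TokenBinding tokenbindings<132..2^16-1>
  if (total < 132 || total !== buf.length - 2) throw new Error('bad outer length');
  const bindings = [];
  while (pos < buf.length) {
    const type = TYPES[u8()];
    const keyParameters = KEY_PARAMS[u8()];
    if (!type || !keyParameters) throw new Error('unknown type or key parameters');
    const key = take(u16());        // TokenBindingID: key_length, then the public key
    const signature = take(u16());  // opaque signature<64..2^16-1>
    if (signature.length < 64) throw new Error('signature shorter than 64 bytes');
    const extensions = take(u16()); // extensions<0..2^16-1>
    bindings.push({ type, keyParameters, keyLength: key.length,
      signatureLength: signature.length, extensionsLength: extensions.length });
  }
  // Not verified here: the signature covers the TLS exported keying material,
  // so only the endpoint that terminated the TLS connection can check it.
  return bindings;
}

// Constructed sample: one provided ecdsap256 binding with filler key and signature bytes.
function constructedSampleHeader() {
  const point = Buffer.concat([Buffer.from([64]), Buffer.alloc(64, 0x11)]); // length byte + X||Y
  const body = Buffer.concat([
    Buffer.from([0, 2, 0, point.length]), point, // type, key_parameters, key_length, key
    Buffer.from([0, 64]), Buffer.alloc(64, 0x22), // signature length, signature
    Buffer.from([0, 0]),                          // empty extensions
  ]);
  const msg = Buffer.concat([Buffer.from([body.length >> 8, body.length & 0xff]), body]);
  return msg.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

console.log(parseSecTokenBinding(constructedSampleHeader()));
```

A header that parses cleanly only shows that the client speaks the protocol; binding a cookie to the key still depends on the TLS terminator verifying the signature.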