Collaborate Disseminate
I’m not entirely convinced of the importance of verifying the authenticator attestation, and I’ve asked a question about it, I’m open to it, and if you want, you can post an answer at that question, but this one is specifically about "… Continue reading How does it "allow a malicious website to obtain valid credentials." – WebAuthn
Previously some good fellow explained the importance of verifying the public key created and offered by authenticators.
As before, given the complexity of a FULL implementation of RP operation, I believe it’s possible that some aspect may … Continue reading Suggestions for implementing a simplified subset of WebAuthn Relaying Party Operation
Through reading the WebAuthn spec and related MDN docs, I understand that unlike "certificate signing requests", FIDO/Passkey can have various different attestation formats and verification methods/algorithms during public-key cr… Continue reading Will sky fall if I don’t verify `AuthenticatorAttestationResponse`?
The FIPS draft for Dilithium signature scheme (official name ML-DSA) had just been released not long ago. In the specification for skDecode (which is the subroutine that loads the private signing key) mentions that this procedure must be p… Continue reading Security implication of loading untrusted private keys
I’ve been reading about WebAuthn and try to write some code to exercise.
One thing I noticed is that the spec doesn’t seem to provide any way to verify the correctness of the public-key being create()’d other than through attestation. And … Continue reading WebAuthn does not guarantee public-key integrity other than trough attestation?
CVE-2023-24055 is a known vulnerability that enables an attacker to recover plaintext user credentials from the KeePass application.
However, due to the original KeePass being Windows-specific, I’ve been using a compatible "KeePass XC… Continue reading Is CVE-2023-24055 applicable to other password managers using the same format as the original KeePass?
I remember seeing comments saying that the financial industry wants to retain TLS 1.2, or some of its features – most notably the ability for a middlebox in a trusted setting to record the communication, if I recall correctly.
IETF had a d… Continue reading Has financial industry’s concerns with regard to TLS 1.3 been addressed? [closed]
As we know, NIST PQC project is at its 3rd round, with draft standard expected to arrive in the next (few) year(s).
An unfortunate fact is that, we’re not seeing many signature schemes general-purpose enough (in the sense that, the size of… Continue reading SSL/TLS Forward secrecy with 2 KEM public keys
Suppose there is a file hosting server, and most filenames are strings with mostly CJK characters. Transmitting those characters in HTTP GET requests requires encoding them using UTF-8 (x3 overhead) then URL-encode escaping (another x3 ove… Continue reading Additional verification, sanitization for CJK paths in URLs
In a CSRF defense based on checking forbidden headers, should I check Origin/Referer header against the ServerName configuration directive, or is it sufficient to simply check against the HTTP Host header? What are the characteristics of t… Continue reading Should I check Host header or ServerName for CSRF defense?