> > There are probably other questions Mozilla Core Team should ask
> > themselves:
> >
> > - Having a greater/larger HID Support, outside the FIDO U2F scope?
> > (This allows web services to communicate with HID devices - i.e.
> > that's how some cryptocurrency hardware wallets are using the HID
> > Chrome interface)
> >
>
> Are you thinking of something like WebUSB
> (https://reillyeon.github.io/webusb/)? This is something we've looked at
> a bit but we're still trying to wrap our heads around the security
> implications.
No. I am thinking about something like: https://developer.chrome.com/apps/hid
but that's outside the pure FIDO U2F scope: it is a reminder that Chrome already allows web pages/JS to communicate with non-U2F HID devices, and that Mozilla will have to choose on their side whether the HID API will be restricted to U2F usage or not.

> > - Have TLS Channel ID Binding support. (Oh, this is really important)
> > When you check the FIDO U2F specifications, you'll see that TLS Channel
> > ID Binding is an important part of the security against attacks like
> > SSL Proxy and similar MITM attacks. This part is not mandatory. But
> > Google servers are using this and Chrome supports it. So... please
> > REALLY consider implementing it: it will bring higher security and
> > probably will give a chance too in the future to be accepted as a
> > supported browser on Google servers (I am not from Google so I can't
> > speak on their behalf but this should be a rational requirement there).
> > This is the only way to provide a full anti-phishing solution.
> >
>
> My understanding is that Channel ID is being superseded by token binding
> (https://datatracker.ietf.org/wg/tokbind/charter/), so if we do
> something in this area, it's more likely we would do token binding
> than channel ID, I expect.

Hi,

I don't think this is exactly something that you can freely choose... As you read the FIDO U2F specifications, you'll see that the added security is provided by TLS channel binding. Search "Channel Binding" inside
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-glossary.html
and again here
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-security-ref.html

That's a great -nearly perfect- existing solution, and IMHO Firefox should probably implement this feature for better security and for better compatibility with servers that are implementing the server side (like Google servers).
http://tools.ietf.org/html/draft-balfanz-tls-channelid-01
http://www.ietf.org/rfc/rfc5056.txt
http://www.ietf.org/rfc/rfc5929.txt

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
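The "SSL proxy" case the thread discusses, as an added illustration that is not code from the thread or from the FIDO specs: a relying party compares the `cid_pubkey` carried inside the signed U2F ClientData with the Channel ID its own TLS stack observed on the connection, so a TLS-terminating proxy that relays the assertion is caught even though the origin and challenge check out. The ClientData field names (`typ`, `challenge`, `origin`, `cid_pubkey`) follow the U2F JavaScript API; the key values, origin and challenge are constructed placeholders.

```python
import json
from typing import Optional

# Constructed placeholder Channel ID public keys. In real deployments each is the
# EC P-256 JWK of the key that side proved possession of during the TLS handshake.
BROWSER_CID = {"kty": "EC", "crv": "P-256", "x": "browser-x", "y": "browser-y"}
PROXY_CID = {"kty": "EC", "crv": "P-256", "x": "proxy-x", "y": "proxy-y"}

def build_client_data(challenge: str, origin: str, cid_pubkey: Optional[dict]) -> bytes:
    """Browser side. ClientData is hashed into the data the token signs, so the
    cid_pubkey it carries cannot be rewritten by anything sitting in the path."""
    data = {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin,
            "cid_pubkey": cid_pubkey if cid_pubkey is not None else "unavailable"}
    return json.dumps(data, separators=(",", ":")).encode()

def verify_client_data(client_data: bytes, challenge: str, origin: str,
                       observed_cid: Optional[dict], require_binding: bool) -> str:
    """Relying-party side. observed_cid is the Channel ID the server's TLS stack
    saw on the connection that delivered the assertion. Returns "ok" or the
    rejection reason; these checks run before the token signature is verified."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "malformed"
    if cd.get("typ") != "navigator.id.getAssertion":
        return "bad typ"
    if cd.get("challenge") != challenge:
        return "bad challenge"
    if cd.get("origin") != origin:        # stops classic phishing from another origin
        return "bad origin"
    cid = cd.get("cid_pubkey")
    if cid in (None, "unavailable"):      # browser negotiated no Channel ID
        return "channel id missing" if require_binding else "ok"
    if cid != observed_cid:               # signed key != key seen on this TLS session
        return "channel id mismatch"
    return "ok"

def scenarios() -> dict:
    """Direct connection versus a TLS-terminating proxy. The proxy relays the signed
    ClientData unchanged, but the server's TLS layer sees the proxy's Channel ID,
    not the browser's key that the token signed over."""
    chal, origin = "nonce-from-server", "https://login.example.test"
    signed = build_client_data(chal, origin, BROWSER_CID)
    unbound = build_client_data(chal, origin, None)
    return {
        "direct": verify_client_data(signed, chal, origin, BROWSER_CID, True),
        "via_proxy": verify_client_data(signed, chal, origin, PROXY_CID, True),
        "no_binding_optional": verify_client_data(unbound, chal, origin, None, False),
        "no_binding_required": verify_client_data(unbound, chal, origin, None, True),
    }
```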