Greetings! In thinking about the attacks prompting for credentials to access SSO credentials in browsers, I am wondering if the fix is in the interface to each type of storage container for credentials, e.g. OASIS PKCS#11, W3C WebAuthn, and maybe OAuth if that has been hit as well by these attacks, called "Browser in the Browser". https://www.techrepublic.com/article/browser-in-the-browser-attacks-arise/
Is there a way in the browser for an organization to configure (or can there be in those interfaces) the only permitted addresses to prompt and allow access to the interface, so not just the password is needed? It seems like the best place to fix it even though each organization would have to enter an allow list. The alternative would be deny lists of all the malicious sites performing this activity and that won't catch everything. Is this being discussed already somewhere? Hopefully. Perhaps there are other ideas? Thank you.

--
Best regards,
Kathleen
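For one of the interfaces named in the question, the per-origin check already exists on the relying-party side: a WebAuthn server verifies the browser-supplied `origin` and the RP ID hash on every assertion, which a login window drawn inside a phishing page cannot forge. The following Python is an added illustration of those relying-party checks, not code from the post or from any IETF or W3C document; the allow list, RP ID and sample blobs are constructed, and the signature-verification step of the real procedure is left out.

```python
import base64
import hashlib
import json

# Constructed sample policy (not from the original post): the origins an RP
# accepts for its login ceremony and the RP ID its credentials are scoped to.
ALLOWED_ORIGINS = {"https://login.example.com"}
EXPECTED_RP_ID = "example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build clientDataJSON the way a browser does for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) + flags (UP|UV) + counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + counter.to_bytes(4, "big")


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks a spoofed in-page login window cannot pass: the
    browser (not the page) writes 'origin', and the authenticator hashes the
    RP ID the browser handed it, so a phishing origin yields wrong values."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not on the RP allow list"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    return True, "ok"
```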
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls