This has to be dealt with at the container interface for non-browser
interfaces too, right?

If there are OASIS and W3C WebAuthn active participants, it would be
helpful to figure out the best place to deal with this issue.

Thank you and sorry for a second message.

Best regards,
Kathleen

On Mon, Apr 11, 2022 at 3:35 PM Kathleen Moriarty <
kathleen.moriarty.i...@gmail.com> wrote:

> Greetings!
>
> In thinking about the attacks prompting for credentials to access SSO
> credentials in browsers, I am wondering if the fix is in the interface to
> each type of storage container for credentials, e.g. OASIS PKCS#11, W3C
> WebAuthn, and maybe OAuth if that has been hit as well by these attacks,
> called "Browser in the Browser".
> https://www.techrepublic.com/article/browser-in-the-browser-attacks-arise/
>
>
> Is there a way in the browser for an organization to configure (or can
> there be in those interfaces) the only permitted addresses to prompt and
> allow access to the interface, so not just the password is needed? It
> seems like the best place to fix it even though each organization would
> have to enter an allow list. The alternative would be deny lists of all the
> malicious sites performing this activity and that won't catch everything.
>
> Is this being discussed already somewhere? Hopefully. Perhaps there are
> other ideas?
>
> Thank you.
> --
>
> Best regards,
> Kathleen
>


-- 

Best regards,
Kathleen
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls