Feature request: Token Binding Protocol #2083

Open
imgx64 opened this issue Nov 12, 2015 · 3 comments

@imgx64 imgx64 commented Nov 12, 2015

Token Binding Protocol is a new authentication mechanism, currently a draft and implemented in Chrome and Windows 10 (I think this means Edge, but I'm not sure).

Resources:
[1] Slides with quick explanation: https://www.ietf.org/proceedings/91/slides/slides-91-uta-2.pdf
[2] Article with more details, it also mentions it's implemented in Chrome and Windows 10: http://security-architect.com/token-bindings-to-gear-up-authentication-assurance/
[3] Repository with the draft specs: https://github.com/TokenBinding/Internet-Drafts

@equalsJeffH equalsJeffH commented Jan 29, 2016

+1

Sjord added a commit to Sjord/caniuse that referenced this issue May 11, 2017
Token binding is a feature to assign a unique ID to a TLS connection. Using a public-private keypair the client proves that only he is the owner of that unique ID. By binding cookies to this unique ID, session hijacking becomes impossible.

Currently only Chrome supports this behind a flag, as far as I know.

This can be tested using the URL https://unbearable-bc.ping-eng.com:3000/open/headers. If that shows the Sec-Token-Binding header, the feature is supported.

Fixes Fyrd#2083
@Fyrd Fyrd reopened this Jan 30, 2018

@jethrogb jethrogb commented Mar 1, 2018

+1

@equalsJeffH equalsJeffH commented Oct 10, 2018

Token binding specs are now proposed standard RFCs 8471, 8472, and 8473: http://self-issued.info/?p=1924
