Yeah, that meddling Balfanz just HAD to get in there and mess everything up. Without him, we could have called this the PoNy Protocol...
Google and Microsoft boffins playing nicely together to stop replay attacks in their tracks
Google and Microsoft engineers have pooled their efforts to propose a protection against what are known as "replay attacks". These occur when an attacker steals something like a victim's OAuth token and uses it to impersonate them to access otherwise secured resources. The Token Binding Protocol is the next instalment in the …
Wednesday 10th October 2018 13:39 GMT Anonymous Coward
Friday 12th October 2018 21:24 GMT Michael Wojcik
Re: Why it looks to me like..
Why are you storing certificates in an HSM?
Keys you store in an HSM. Certificates are supposed to be public. That's the whole point of certificates.
And the proposal suggests using keys stored in an HSM. They're not reinventing that wheel; they're suggesting you use it.
Wednesday 10th October 2018 15:45 GMT Anonymous Coward
I think the even bigger problem is.....
users' access tokens being handed out to world+dog by the likes of Facebook.
You can even find the APIs for grabbing users' access tokens inside repackaged apps on third-party app stores that are known for delivering malware/adware.
(Remember the Cambridge Survey?)
Thursday 11th October 2018 13:31 GMT Tree
Never pay on a computer
The real problem is online payments. Never sign into your bank's website. Do not even get a password for it. Too many risks. You can do telephone banking more securely. On the other hand, it is best to enter the branch. Cash is king--not Google or Microsoft. I don't trust them with my wallet.