item 30444660

bqe | 4 years ago

Why this is interesting: a major defense against mass account takeovers (ATOs) at large-scale companies has been fingerprinting browsers. You as a normal user see this most when you use something like reCaptcha, but it's actually happening on nearly every login flow for major websites. By blocking automation like evilginx, you stop a lot of phishing and credential stuffing attacks against your users.

Using VNC here is super clever. This means that the "automation" part of the phishing attack is actually a browser just like the user is using, so you can't fingerprint it. In fact, the victim is really typing in their password into a real Google login page, but the attacker is logging everything through VNC. It's going to be very hard for Google (or anyone else) to detect this.

The solution to this (like all phishing attacks) is still WebAuthn. However, many of us in security were hoping we could get by with bandaids like fingerprinting until WebAuthn was more widespread.


Spivak | 4 years ago

I really don't get the hype about WebAuthn. Its only real protection against phishing is that credentials are associated with a particular domain, which has been a feature of every password manager, including the OS/browser built-in ones, since forever. The thing requesting the password (i.e. the browser) is still ultimately the source of trust. The threat model these things protect against is so narrow, and now narrower since phones have built-in secure storage, that it can't be worth the effort compared to a marketing push for people to use Bitwarden, Lastpass, 1Password, KeypassX, Browsers, or iCloud password saving. And if you really care about accidental logging of plaintext passwords, PAKE already has your back.

If we have the political capital to somehow get everyone on board with changing their flow, I really don't see why it should be WebAuthn. It's ultimately just a key stored somewhere controlled by the client presenting it, but with more red tape, pseudo-DRM, and e-waste.

^ If you're in a high-security setting then go for it, but for the masses nah.