One of the biggest holes on the Internet has just been plugged

Thank Microsoft and Google for working together on this

We increasingly live in a digital world where we identify ourselves once and then receive an authorization token. That token can then be passed to trusted services without the user having to be re-authenticated.

It is an open secret that OAuth and other token-based systems have a massive problem: an authentication token can be stolen and then used in a replay attack.

The replay of security tokens is a well-known problem, and so Microsoft and Google have collaborated on RFC 8471 (The Token Binding Protocol Version 1.0).

Overall, it aims to remove token replay.

At the core of the change is that the token is created with details of the device, or of the device’s configuration, integrated into it. This makes it difficult to recreate the device conditions needed to use the token. RFC 8471 defines the creation of a public and private key pair, which could possibly be linked to a TPM (Trusted Platform Module) and thus to a private key built into the hardware. The private key is used to sign elements of the negotiation steps.

The RFC defines how HTTPS security cookies and OAuth tokens are bound to the TLS layer, which makes the tokens difficult to reuse in replay attacks. On the TLS connection to a server, the client generates a key pair for each server it connects to.
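A trimmed model of that binding step, added here as an example and not taken from the post or from the RFC authors: the client keeps a P-256 key per server and signs the connection's exported keying material to prove it holds the key, while the server ties each token it issues to that key and rejects the token on any connection where the same key is not proven again. Assumptions of mine, not the page's: the EKM is a constructed byte string standing in for what TLS would export, the Token Binding ID is simplified to a SHA-256 of the key, and ASN.1 signatures replace the RFC's raw encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Proof is a trimmed TokenBinding message: client public key (DER) plus an ECDSA signature over the EKM.
type Proof struct{ PubDER, Sig []byte }

// NewClientKey makes the P-256 key pair a client keeps for one server origin.
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Prove signs this connection's EKM; with real TLS, ekm comes from tls.ConnectionState.ExportKeyingMaterial.
func Prove(k *ecdsa.PrivateKey, ekm []byte) (Proof, error) {
	der, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	if err != nil { return Proof{}, err }
	h := sha256.Sum256(ekm)
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	return Proof{PubDER: der, Sig: sig}, err
}

// verifyProof accepts p only if its key signed THIS connection's ekm (a captured proof fails on any other
// connection) and returns the binding ID: SHA-256 of the key, a stand-in for RFC 8471's Token Binding ID.
func verifyProof(p Proof, ekm []byte) ([]byte, error) {
	pub, err := x509.ParsePKIXPublicKey(p.PubDER)
	ec, ok := pub.(*ecdsa.PublicKey)
	h := sha256.Sum256(ekm)
	if err != nil || !ok || !ecdsa.VerifyASN1(ec, h[:], p.Sig) {
		return nil, errors.New("token binding proof does not match this connection")
	}
	id := sha256.Sum256(p.PubDER)
	return id[:], nil
}

// Server maps each issued token to the binding ID proven when that token was minted.
type Server map[string][]byte

// Issue mints an opaque random token bound to the client key proven on this connection.
func (s Server) Issue(p Proof, ekm []byte) (string, error) {
	id, err := verifyProof(p, ekm)
	if err != nil { return "", err }
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil { return "", err }
	s[string(raw)] = id
	return string(raw), nil
}

// Accept is where a stolen token fails: it must be known AND bound to the key proven on this connection.
func (s Server) Accept(tok string, p Proof, ekm []byte) error {
	id, err := verifyProof(p, ekm)
	if err != nil { return err }
	if want, ok := s[tok]; !ok || string(want) != string(id) {
		return errors.New("token is not bound to the key presented on this connection")
	}
	return nil
}
```

The same key on a fresh connection (new EKM, new proof) is accepted, whereas a copied proof, a token presented under a different key, or an unknown token is refused.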

There are two other related RFCs:

  • RFC 8472: the TLS extension for negotiating the Token Binding Protocol.
  • RFC 8473: the application of the protocol to HTTP.

The updates, it is hoped, will not affect existing implementations.