Open Bug 1363987 Opened 5 years ago Updated 4 years ago

Token binding support

Categories

(Core :: Networking: HTTP, enhancement, P5)

53 Branch
enhancement

Tracking

()

UNCONFIRMED

People

(Reporter: sjoerd-mozilla, Unassigned)

Details

(Whiteboard: [necko-would-take])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170504105526

Steps to reproduce:

Token binding <https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/> provides an identifier that is unique to the client. This identifier is bound to a public-private keypair, where the client proves ownership of the private key by signing a value during the TLS handshake. This makes it harder for attackers to steal this identifier and impersonate users, compared to cookies or JavaScript values.

This issue is meant to track the status of this feature in Firefox.
J.C. Jones commented on Firefox' position on token binding in <https://github.com/whatwg/fetch/pull/325>:

> As of now [27 Jun 2016], we'd happily review patches to implement it, but it's not on the implementation priorities list for the next few months.
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Severity: normal → enhancement
Whiteboard: [necko-would-take]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.