Closed
Bug 1494738
Opened 7 years ago
Closed 2 years ago
Web Authentication - Mandate minimum Challenge state space / length
Categories
(Core :: DOM: Web Authentication, enhancement, P2)
Tracking
RESOLVED
WONTFIX
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | affected |
People
(Reporter: jcj, Unassigned)
References
Details
(Whiteboard: [webauthn][webauthn-interop])
The WebAuthn spec uses loose language to demand that challenges used in WebAuthn be random to protect from replay attacks [0]. Right now Firefox relies on the server to provide good randomness, but we should do some basic checks (e.g., that it's not empty or really small). There's a SHOULD sentence suggesting 16 bytes, and I think we could just check that we have at least 8 bytes and bail if not.
[0] https://w3c.github.io/webauthn/#cryptographic-challenges
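The check proposed above, sketched as a page-side guard. This is an added example, not Firefox code and not part of the original report. The names `classifyChallenge` and `guardedGet` are hypothetical, and the choice of `TypeError` is an assumption.

```javascript
// Added example, not Firefox code. Thresholds come from the bug text:
// an 8-byte floor to reject, and the spec's SHOULD of 16 bytes.
const MIN_CHALLENGE_BYTES = 8;
const RECOMMENDED_CHALLENGE_BYTES = 16;

// Byte length of a WebAuthn BufferSource, or -1 if it is not one.
// For a view, byteLength is the view's window, not the backing buffer,
// so a 4-byte slice of a 32-byte buffer counts as 4.
function challengeByteLength(challenge) {
  if (challenge instanceof ArrayBuffer || ArrayBuffer.isView(challenge)) {
    return challenge.byteLength;
  }
  return -1;
}

// Hypothetical helper: classify publicKey.challenge as reject / warn / ok.
function classifyChallenge(publicKey) {
  const length = challengeByteLength(publicKey ? publicKey.challenge : undefined);
  if (length < 0) {
    return { verdict: 'reject', length, reason: 'challenge is not a BufferSource' };
  }
  if (length < MIN_CHALLENGE_BYTES) {
    return { verdict: 'reject', length,
             reason: `challenge is ${length} bytes, minimum is ${MIN_CHALLENGE_BYTES}` };
  }
  if (length < RECOMMENDED_CHALLENGE_BYTES) {
    return { verdict: 'warn', length,
             reason: `challenge is ${length} bytes, below the suggested ${RECOMMENDED_CHALLENGE_BYTES}` };
  }
  return { verdict: 'ok', length, reason: '' };
}

// Hypothetical wrapper: bail before the authenticator is ever contacted.
// `credentials` is the CredentialsContainer (navigator.credentials in a page).
// TypeError is an assumption; the bug does not say which error to raise.
function guardedGet(publicKey, credentials) {
  const result = classifyChallenge(publicKey);
  if (result.verdict === 'reject') throw new TypeError(result.reason);
  if (result.verdict === 'warn') console.warn(result.reason);
  return credentials.get({ publicKey });
}
```

A length check only catches empty or very small challenges; it cannot tell whether the bytes are random, which remains the server's responsibility.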
Updated 7 years ago
Component: DOM: Device Interfaces → DOM: Web Authentication
Updated 3 years ago
Severity: normal → S3
Updated 2 years ago
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX