>>>>> "Josh" == Josh Howlett <[log in to unmask]> writes:
>>
>> An attacker can MITM the non-tls site and capture the
>> authentication, replaying it to gain access to the TLS site as
>> the authenticated user.
Josh> Why don't the GSS EAP channel bindings prevent that attack?
I don't think we get enough information to do real channel bindings from
the browser.
We could at least have an "https: yes or no" channel-binding (CB) flag.
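A toy model of the relay attack in the quoted text and of the "https: yes or no" flag as a minimal channel binding. This is an added example, not code from the thread, GSS-EAP or any project; it assumes a single shared key in place of the EAP-derived key, a challenge/HMAC response in place of the real GSS-EAP token format, and server/client names (`ToyServer`, `client_response`, `mitm_relay`) that are hypothetical. The attacker on the plaintext site forwards the TLS site's challenge to the victim and relays the answer back; without binding the TLS site accepts it, with the flag bound into the response the victim's "https=no" no longer matches the TLS site's "https=yes".

```python
import hmac
import hashlib
import secrets

# Constructed shared secret standing in for the key the client and server
# would derive from the EAP exchange; an assumption of this toy model,
# not GSS-EAP's real key schedule.
SHARED_KEY = b"constructed-shared-secret"


def client_response(key: bytes, challenge: bytes, channel_binding: bytes) -> bytes:
    """Client proves possession of the key over the server's challenge.

    channel_binding is the client's own view of the channel it is using:
    b"" when no channel binding is in use, otherwise a flag such as
    b"https=yes" or b"https=no" (the "https yes or no" flag from the thread).
    """
    return hmac.new(key, challenge + b"|" + channel_binding, hashlib.sha256).digest()


class ToyServer:
    """A site that issues a challenge and checks the client's response (hypothetical)."""

    def __init__(self, key: bytes, https: bool, use_channel_binding: bool):
        self.key = key
        self.https = https
        self.use_channel_binding = use_channel_binding
        self.challenge = b""

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def expected_channel_binding(self) -> bytes:
        # The server's view of its own channel, bound into the expected response.
        if not self.use_channel_binding:
            return b""
        return b"https=yes" if self.https else b"https=no"

    def verify(self, response: bytes) -> bool:
        expected = client_response(self.key, self.challenge, self.expected_channel_binding())
        return hmac.compare_digest(response, expected)


def honest_login(use_channel_binding: bool) -> bool:
    """Client talks directly to the TLS site; its view of the channel matches the server's."""
    tls_site = ToyServer(SHARED_KEY, https=True, use_channel_binding=use_channel_binding)
    challenge = tls_site.new_challenge()
    client_cb = b"https=yes" if use_channel_binding else b""
    return tls_site.verify(client_response(SHARED_KEY, challenge, client_cb))


def mitm_relay(use_channel_binding: bool) -> bool:
    """Attacker on the plaintext site relays the TLS site's challenge to the
    victim and forwards the victim's answer back. Returns True if the TLS
    site accepts the relayed response as the victim."""
    tls_site = ToyServer(SHARED_KEY, https=True, use_channel_binding=use_channel_binding)
    # 1. Attacker opens a session with the TLS site and obtains its challenge.
    challenge = tls_site.new_challenge()
    # 2. Attacker presents that challenge to the victim over the non-TLS site.
    #    The victim honestly records that it is authenticating over plain http.
    victim_cb = b"https=no" if use_channel_binding else b""
    captured = client_response(SHARED_KEY, challenge, victim_cb)
    # 3. Attacker forwards the captured response to the TLS site.
    return tls_site.verify(captured)


if __name__ == "__main__":
    print("honest login, no CB:  ", honest_login(False))
    print("honest login, with CB:", honest_login(True))
    print("MITM relay, no CB:    ", mitm_relay(False))  # attacker is accepted
    print("MITM relay, with CB:  ", mitm_relay(True))   # binding mismatch, rejected
```

The one-bit flag only distinguishes "over TLS" from "not over TLS"; it does not tie the authentication to a particular TLS endpoint the way full channel bindings (for example, a hash of the server's certificate) would, which is the limitation the message itself points at.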