Channel-Bound Cookies Implementation in nginx

[aleroot@…]

Hi,
I've just had a look at this post about a Chrome security vulnerability that allows to steal cookies, and since a possible mitigation to this technique of stealing cookies would be having TLS Channel-Bound Cookies (​http://www.browserauth.net/channel-bound-cookies), I was wondering if there is any plan to implement this feature into nginx.

It would be particularly useful in a reverse-proxy configuration, so that nginx could validate the cookie before sending to the backed app.

[Maxim Dounin]

It doesn't look like something nginx should / can do automatically, especially given

Unlike traditional TLS client authentication, Token Binding with channel-bound cookies keeps the TLS terminators in a datacenter out of the trusted computing base. The TLS terminator simply sends information about the client's public Token Binding key and the cookie downstream, where the application logic makes sure that those two match. Just like in traditional cookie-based systems, the TLS terminator can't mint valid cookies, and hence can't impersonate users at will.

in the linked document. Though support to pass Token Binding key to the application might make sense, once it is supported by OpenSSL and browsers. It doesn't seem to be widely supported though, and an experimental implementation was recently removed from Chrome, see ​https://crbug.com/467312 and ​https://crbug.com/875046.