
Re: The TLS hammer and resource integrity

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 28 Mar 2012 13:04:31 +0200
To: Henry Story <henry.story@bblfish.net>
Cc: "Adrien W. de Croy" <adrien@qbik.com>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20120328110431.GA29257@1wt.eu>
On Wed, Mar 28, 2012 at 12:15:31PM +0200, Henry Story wrote:
> > From: "Henry Story" <henry.story@bblfish.net>
> >> 
> >> So your argument is stronger, since you argue that a lot of computers are malware
> >> infested. Of course there the thing to do is for banks to add other methods of
> >> verification or notification,
> >> 
> > you're right on this count.  One of my banks used to rely just on
> > SSL/TLS.
> > 
> > Now I have to carry a watch-word around... in fact 3 of them for my 3
> > banks.
> 
> They could also just use systems such as those they use for credit cards: to
> look at usage patterns. Sending an SMS is also a good method, using a different
> system.

Believe me, this has already been done. It looks like you have no idea
what the malware market is right now. Did you hear about Zitmo, for
instance? In short, malware on the mobile is already able to catch
your SMS and to correlate them with your PC session. Malware in the
browser is already able to record your soft cards after a few uses,
or to take snapshots of the areas you click on the screen and decode
virtual keyboards.

It's not science fiction, it's for real. Right now it's not a big issue
only because banks resolve the issue pretty much in favor of the user.
For how long will this last? I have no idea.

Sure we must secure the lower layer, but this has already been done
everywhere the bad is done.

Willy
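The thread mentions banks "looking at usage patterns" the way card issuers do, as one layer that does not depend on the user's PC or phone being clean. The block below is an added illustration of that idea, written for this archive page; it is not code from either correspondent or from any bank. The transfer records, weights and threshold are constructed assumptions, and the `device_id` field stands in for whatever session or device fingerprint a real system would keep. It scores a candidate transfer against the account's own history (new payee, amount outlier, odd hour, unknown device, burst of transfers) and decides whether to let it through or demand out-of-band verification:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Weights and threshold are illustrative assumptions, not values from the
# thread or from any real bank's risk engine.
W_NEW_PAYEE = 2
W_AMOUNT_OUTLIER = 3
W_ODD_HOUR = 1
W_NEW_DEVICE = 2
W_VELOCITY = 2
STEP_UP_THRESHOLD = 4            # at or above: require out-of-band verification
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_COUNT = 3               # this many transfers inside the window is a burst


@dataclass(frozen=True)
class Transfer:
    account: str
    payee: str
    amount: float
    when: datetime
    device_id: str               # hypothetical device/session fingerprint id


# Constructed history for one account: monthly rent plus small grocery
# payments, always from the same device during daytime hours.
HISTORY = [
    Transfer("acct-1", "rent-landlord", 900.0, datetime(2012, 1, 2, 9, 0), "laptop-1"),
    Transfer("acct-1", "grocery", 75.0, datetime(2012, 1, 14, 18, 30), "laptop-1"),
    Transfer("acct-1", "rent-landlord", 900.0, datetime(2012, 2, 1, 9, 5), "laptop-1"),
    Transfer("acct-1", "grocery", 60.0, datetime(2012, 2, 11, 19, 10), "laptop-1"),
    Transfer("acct-1", "rent-landlord", 900.0, datetime(2012, 3, 1, 9, 2), "laptop-1"),
    Transfer("acct-1", "grocery", 80.0, datetime(2012, 3, 10, 17, 45), "laptop-1"),
]


def score_transfer(history, tx):
    """Compare tx with the same account's past transfers; return (score, reasons)."""
    past = [h for h in history if h.account == tx.account]
    score, reasons = 0, []

    if tx.payee not in {h.payee for h in past}:
        score += W_NEW_PAYEE
        reasons.append("new payee")

    # Amount far outside the account's usual distribution (needs a few samples).
    amounts = [h.amount for h in past]
    if len(amounts) >= 3 and tx.amount > mean(amounts) + 3 * pstdev(amounts):
        score += W_AMOUNT_OUTLIER
        reasons.append("amount outlier")

    if not 7 <= tx.when.hour < 22:
        score += W_ODD_HOUR
        reasons.append("odd hour")

    if tx.device_id not in {h.device_id for h in past}:
        score += W_NEW_DEVICE
        reasons.append("new device")

    # Velocity: count earlier transfers that fall inside the window before tx.
    recent = [h for h in past if timedelta(0) <= tx.when - h.when <= VELOCITY_WINDOW]
    if len(recent) + 1 >= VELOCITY_COUNT:
        score += W_VELOCITY
        reasons.append("burst of transfers")

    return score, reasons


def decide(history, tx):
    """Return (action, score, reasons); action is 'allow' or 'step_up'."""
    score, reasons = score_transfer(history, tx)
    action = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, reasons


def demo():
    """Run the scorer over three constructed candidate transfers."""
    normal = Transfer("acct-1", "rent-landlord", 900.0, datetime(2012, 4, 2, 9, 1), "laptop-1")
    suspicious = Transfer("acct-1", "mule-x", 5000.0, datetime(2012, 3, 28, 3, 12), "phone-unknown")
    burst_history = HISTORY + [
        Transfer("acct-1", "grocery", 70.0, datetime(2012, 3, 28, 12, 0), "laptop-1"),
        Transfer("acct-1", "grocery", 65.0, datetime(2012, 3, 28, 12, 4), "laptop-1"),
    ]
    burst = Transfer("acct-1", "grocery", 70.0, datetime(2012, 3, 28, 12, 8), "laptop-1")
    return {
        "normal": decide(HISTORY, normal),
        "suspicious": decide(HISTORY, suspicious),
        "burst": decide(burst_history, burst),
    }


if __name__ == "__main__":
    for name, (action, score, reasons) in demo().items():
        print(f"{name}: {action} (score {score}) {reasons}")
```

The scoring runs entirely on the bank's side, so malware on the customer's PC or phone cannot see or tamper with it; what it can do, as the message above describes for Zitmo, is intercept the out-of-band step-up the score triggers. Pattern analysis therefore limits how much an attacker can move before being challenged, but it is one layer on top of transport security and second-factor checks, not a replacement for either.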
Received on Wednesday, 28 March 2012 11:05:09 GMT