
Re: The TLS hammer and resource integrity

From: Roberto Peon <grmocg@gmail.com>
Date: Wed, 28 Mar 2012 13:43:04 +0200
Message-ID: <CAP+FsNfVneiMx0Qo8PAGogLDczOqnpdwMpXjgL=a9fcCZxVADA@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: Henry Story <henry.story@bblfish.net>, "Adrien W. de Croy" <adrien@qbik.com>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

Ensuring security of the endpoints is probably outside the purview of the
WG, however interesting it is.

That being said, we should probably assume that the hosts aren't
compromised because otherwise it really doesn't matter what we do.

Our task is thus to somehow secure the communications channel. If you make
SSL implementation optional on the server side, you suffer from a downgrade
attack whereby an intermediary (potentially malicious) denies you all
security on the communications channel.
If this decision is made, it must be made by the client for the
client<->intermediary connection.

-=R

On Wed, Mar 28, 2012 at 1:04 PM, Willy Tarreau <w@1wt.eu> wrote:

> On Wed, Mar 28, 2012 at 12:15:31PM +0200, Henry Story wrote:
> > > From: "Henry Story" <henry.story@bblfish.net>
> > >>
> > >> So your argument is stronger, since you argue that a lot of computers
> > >> are malware infested. Of course there the thing to do is for banks to
> > >> add other methods of verification or notification,
> > >>
> > > you're right on this count.  One of my banks used to rely just on
> > > SSL/TLS.
> > >
> > > Now I have to carry a watch-word around... in fact 3 of them for my 3
> > > banks.
> >
> > They could also just use systems such as those they use for credit
> > cards: to look at usage patterns. Sending an SMS is also a good method,
> > using a different system.
>
> Believe me, this has already been done. It looks like you have no idea
> what the malware market is right now. Did you hear about Zitmo, for
> instance? In short, malware in the mobile is already able to catch
> your SMS and to correlate them with your PC session. Malware in the
> browser is already able to record your soft cards after a few uses,
> or to take snapshots of the areas you click on the screen and decode
> virtual keyboards.
>
> It's not science-fiction, it's for real. Right now it's not a big issue
> only because banks resolve the issue pretty much in favor of the user.
> For how long will this last? I have no idea.
>
> Sure we must secure the lower layer, but this has already been done
> everywhere the bad is done.
>
> Willy
>
>
>
Received on Wednesday, 28 March 2012 11:43:37 GMT
