- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Fri, 29 Nov 2013 11:38:04 +0000
- To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- CC: Yoav Nir <synp71@live.com>, HTTP Group <ietf-http-wg@w3.org>
On 11/29/2013 09:45 AM, Nicolas Mailhot wrote: > > Le Jeu 28 novembre 2013 10:37, Stephen Farrell a écrit : > > Hi Stephen, > >> Let me ask one of the possibly many hard questions: say I'm a bank, >> wouldn't the result of your proposal be that I'd not be able to >> turn on HTTP/2.0 because e.g. one of my regulators somewhere would >> forbid me agreeing to exposing my customer's credentials to one >> or more such proxies? > > In theory you would be right in practical terms banks care about money and > it's quite clear they've accepted imperfect systems for a long time as > long as the costs of cleaning up after incidents are lower than fixing > technical or organisational problems (see all the not-quite-secured > webshops or credit card systems on the market; the banks love that revenue > and don't look too hard on security). Credit card transaction processing is quite different from Internet banking in terms of risk IMO. But even for credit card transactions, I would think that the PCI-DSS standard might have to change to cater for the kinds of proxying being discussed here. v3 of that from this month says that cardholder data must be encrypted when sent over "open, public networks" so that'd be badly impacted by proxies that were not authenticated by the payment processor as being within an enterprise, and how could that kind of authentication happen? (I've no idea.) From a quick read of PCI-DSSv3 I would guess that they do assume TLS as being e2e as well, but that its possible that they might consider an enterprise proxy as ok. But again, cardholder data is less sensitive than credentials for Internet banking. > Besides, all they have to do is to send one-time authorization codes via > other channels for any operation they perceive dangerous. That's what my > bank and Visa do today for example and that was loads easier for them than > to try drilling password discipline in all their customers (and let's be > honest: TLS is useless without a good password) So your answer is that that bank has to fairly radically change their login system due to the existence of such a proxy? I'd not include that amongst the set of credible answers;-) > So unless a bank representative states the contrary, all my technical > experience screams its a non-problem. Mine disagrees. I don't think denying the real requirements for e2e confidentiality that some sites have for some data is at all credible. S. > > Regards, >
Received on Friday, 29 November 2013 11:38:35 UTC