
Re: Yet another trusted proxy suggestion

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Fri, 29 Nov 2013 11:38:04 +0000
Message-ID: <52987C9C.6070309@cs.tcd.ie>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
CC: Yoav Nir <synp71@live.com>, HTTP Group <ietf-http-wg@w3.org>


On 11/29/2013 09:45 AM, Nicolas Mailhot wrote:
> 
> Le Jeu 28 novembre 2013 10:37, Stephen Farrell a écrit :
> 
> Hi Stephen,
> 
>> Let me ask one of the possibly many hard questions: say I'm a bank,
>> wouldn't the result of your proposal be that I'd not be able to
>> turn on HTTP/2.0 because e.g. one of my regulators somewhere would
>> forbid me agreeing to exposing my customer's credentials to one
>> or more such proxies?
> 
> In theory you would be right; in practical terms banks care about money and
> it's quite clear they've accepted imperfect systems for a long time as
> long as the costs of cleaning up after incidents are lower than fixing
> technical or organisational problems (see all the not-quite-secured
> webshops or credit card systems on the market; the banks love that revenue
> and don't look too hard on security).

Credit card transaction processing is quite different
from Internet banking in terms of risk IMO.

But even for credit card transactions, I would think
that the PCI-DSS standard might have to change to
cater for the kinds of proxying being discussed here.
v3 of that from this month says that cardholder data
must be encrypted when sent over "open, public networks"
so that'd be badly impacted by proxies that were not
authenticated by the payment processor as being within
an enterprise, and how could that kind of authentication
happen? (I've no idea.) From a quick read of PCI-DSS v3
I would guess that they do assume TLS as being e2e as
well, but that it's possible that they might consider
an enterprise proxy as ok.

But again, cardholder data is less sensitive than
credentials for Internet banking.

> Besides, all they have to do is to send one-time authorization codes via
> other channels for any operation they perceive dangerous. That's what my
> bank and Visa do today for example and that was loads easier for them than
> to try drilling password discipline in all their customers (and let's be
> honest: TLS is useless without a good password)

So your answer is that that bank has to fairly radically
change their login system due to the existence of such a
proxy? I'd not include that amongst the set of credible
answers;-)

> So unless a bank representative states the contrary, all my technical
> experience screams it's a non-problem.

Mine disagrees. I don't think denying the real requirements
for e2e confidentiality that some sites have for some data
is at all credible.

S.

> 
> Regards,
> 
Received on Friday, 29 November 2013 11:38:35 UTC