W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Yet another trusted proxy suggestion

From: Yoav Nir <synp71@live.com>
Date: Sun, 1 Dec 2013 11:22:22 +0200
Message-ID: <BLU0-SMTP376147C8340E6CC707169FFB1EB0@phx.gbl>
To: Paul Hoffman <paul.hoffman@gmail.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, HTTP Group <ietf-http-wg@w3.org>
On 30/11/13 5:54 PM, Paul Hoffman wrote:
>
>
> +1. Stephen's response (that a bank can't currently know if there is a 
> TLS proxy in HTTP/1.1) ignores what Yoav said, which is that such a 
> bank could detect that by forcing client auth. Of course they won't do 
> that, but they of course also won't have to because then they would be 
> forced to not have internet banking.
Banks weight costs. They compare the cost of fraud through proxies 
against the cost of not having Internet banking against the cost of 
getting all users of Internet banking to use (bank-issued?) 
certificates. In most of the world, banks have chosen to live with the 
fraud.

If this proposal were to adopted and implemented in browsers and 
proxies, we would be giving banks a fourth choice: Allow Internet 
banking only in the absence of a proxy. Mostly today this means forcing 
people to do their Internet banking at home, or using a phone with a 
cellular internet connection. This adds some inconvenience for the user, 
because they have to either wait until they're home, or force the phone 
to use the cellular connection by disabling wifi. The question is if 
giving them this choice is a good thing or not.




Received on Sunday, 1 December 2013 09:22:44 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC