- From: Willy Tarreau <w@1wt.eu>
- Date: Mon, 2 Dec 2013 08:02:39 +0100
- To: Yoav Nir <synp71@live.com>
- Cc: Paul Hoffman <paul.hoffman@gmail.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, HTTP Group <ietf-http-wg@w3.org>
On Sun, Dec 01, 2013 at 11:22:22AM +0200, Yoav Nir wrote:
> On 30/11/13 5:54 PM, Paul Hoffman wrote:
> >
> > +1. Stephen's response (that a bank can't currently know if there is a
> > TLS proxy in HTTP/1.1) ignores what Yoav said, which is that such a
> > bank could detect that by forcing client auth. Of course they won't do
> > that, but they of course also won't have to because then they would be
> > forced to not have internet banking.
>
> Banks weigh costs. They compare the cost of fraud through proxies
> against the cost of not having Internet banking against the cost of
> getting all users of Internet banking to use (bank-issued?)
> certificates. In most of the world, banks have chosen to live with the
> fraud.

You're almost correct, Yoav. Banks don't care about proxies since it's not where the fraud happens. The fraud happens exclusively in the browser since there are millions of compromised browsers for just maybe one or two compromised proxies. And indeed it's just a matter of balancing costs: cost of accepting fraud vs cost of blocking it vs cost of closing access.

> If this proposal were to be adopted and implemented in browsers and
> proxies, we would be giving banks a fourth choice: Allow Internet
> banking only in the absence of a proxy. Mostly today this means forcing
> people to do their Internet banking at home, or using a phone with a
> cellular internet connection. This adds some inconvenience for the user,
> because they have to either wait until they're home, or force the phone
> to use the cellular connection by disabling wifi. The question is if
> giving them this choice is a good thing or not.

It's their problem. I know at least one bank who will not use this because offering secure access to their users wherever they are is more important than anything else. The less internet access they have, the more people go to street agencies, meaning they have to pay people for staying open at extra hours.

In parallel, whatever a compromised proxy could do, a malware already does in the browser, so by protecting against malware, banks already protect against compromised proxies. So better accept everyone and try to offer them some protection than blocking them for no benefit. At least I'm sure that's how it will be received.

Willy
Received on Monday, 2 December 2013 07:03:10 UTC