W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Yet another trusted proxy suggestion

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 2 Dec 2013 08:02:39 +0100
To: Yoav Nir <synp71@live.com>
Cc: Paul Hoffman <paul.hoffman@gmail.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, HTTP Group <ietf-http-wg@w3.org>
Message-ID: <20131202070239.GN31597@1wt.eu>
On Sun, Dec 01, 2013 at 11:22:22AM +0200, Yoav Nir wrote:
> On 30/11/13 5:54 PM, Paul Hoffman wrote:
> >
> >
> >+1. Stephen's response (that a bank can't currently know if there is a 
> >TLS proxy in HTTP/1.1) ignores what Yoav said, which is that such a 
> >bank could detect that by forcing client auth. Of course they won't do 
> >that, but they of course also won't have to because then they would be 
> >forced to not have internet banking.
> Banks weight costs. They compare the cost of fraud through proxies 
> against the cost of not having Internet banking against the cost of 
> getting all users of Internet banking to use (bank-issued?) 
> certificates. In most of the world, banks have chosen to live with the 
> fraud.

You're almost correct, Yoav. Banks don't care about proxies since it's
not where the fraud happens. The fraud happens exclusively in the browser
since there are millions of compromised browsers for just maybe one or
two compromised proxies. And indeed it's just a matter of balancing costs :

  cost of accepting fraud vs cost of blocking it vs cost of closing access.

> If this proposal were to adopted and implemented in browsers and 
> proxies, we would be giving banks a fourth choice: Allow Internet 
> banking only in the absence of a proxy. Mostly today this means forcing 
> people to do their Internet banking at home, or using a phone with a 
> cellular internet connection. This adds some inconvenience for the user, 
> because they have to either wait until they're home, or force the phone 
> to use the cellular connection by disabling wifi. The question is if 
> giving them this choice is a good thing or not.

It's their problem. I know at least one bank who will not use this because
offering secure access to their users wherever they are is more important
than anything else. The less internet access they have, the more people go
to street agencies, meaning they have to pay people for staying open at
extra hours. In parallel, whatever a compromised proxy could do, a malware
already does in the browser, so by protecting against malware, banks
already protect against compromised proxies. So better accept everyone and
try to offer them some protection than blocking them for no benefit. At
least I'm sure that's how it will be received.

Willy
Received on Monday, 2 December 2013 07:03:10 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC