[web-bluetooth] Feature Request: Enhance Security by Sending Domain as Meta-data (#435)

mduffy215 has just created a new issue for https://github.com/WebBluetoothCG/web-bluetooth:

== Feature Request: Enhance Security by Sending Domain as Meta-data ==
I have a suggestion that would greatly enhance Web Bluetooth security.

A key use case for Web Bluetooth is to create a communication channel between a web application and a mobile application. By passing the domain from the web application as meta-data (preferably in an unhackable way), the mobile application will be able to provide programmatic confirmation that the user is on the right website ("www.chase.com" not "www.chaze.com"). The capability to securely send the domain would help a great deal in preventing phishing scams. **This added security will be well worth the effort, and the effort should be fairly simple (the domain is already passed to the pairing screen).**

This would need to be some sort of meta-data process call; simply calling a JavaScript method from the web page to sendDomain("Domain Name") would of course not be secure.

The first stated goal of the Web Bluetooth Community Group Charter is, "Allow websites to communicate with devices in a secure and privacy-preserving way." Sending the domain from the web application to the mobile application would enhance both security and privacy.




Please view or discuss this issue at https://github.com/WebBluetoothCG/web-bluetooth/issues/435 using your GitHub account

Received on Thursday, 18 April 2019 14:14:55 UTC