Re: Use Case 3.1 and Identifying a Server?

On 2013-03-11 13:09, Jeffrey Walton wrote:
> Hi All,
> 
> I was looking at use cases [0] and the past thread "Exposing TLS &
> Certificate Information in Javascript" [1]. I have a couple questions
> about use case '3.1. Banking Transactions':
> 
>> Park Jae-sang opens up a bank account with Gangnam Bank,
>> and wishes to log-in and engage in online transactions, including
>> account balance checking, online payments (with some automated
>> scheduled payments), and account transfers between domestic
>> and investment accounts.
> (1) how did Park Jae-sang acquire the banking application?

By surfing to the GB on-line bank, Park gets the banking application
directly in his/her browser without any installation process.


>> The first time Park logs in to the Gangnam Bank website
>> (Gangnam Bank's website from now on will be abbreviated
>> "GB") with a temporary verification code sent to his cell phone, the
>> bank asks him to ascertain if the browser he is using is not at a
>> kiosk; moreover, he is asked if it is a web browser and machine
>> configuration he will use often.... He confirms that it is.
> (2) how did Park Jae-sang verify the identity of GB?

If GB is phished all bets are off unless the user pays attention
to URLs and certificate warnings.  However, I would rather consider
the _succeeding_ logins and here client-side PKI does wonders because
it cannot be phished.  Well, you can of course be fooled to login to
a fake GB but the fake GB won't be able to reuse that login at the real
GB which makes this attack pretty useless.

That the fake GB still can acquire credit-card numbers is IMO not a TLS problem:
http://lists.w3.org/Archives/Public/public-webcrypto-comments/2013Mar/0010.html

> 
> Jeff
> 

Anders
> [0] https://dvcs.w3.org/hg/webcrypto-usecases/raw-file/tip/Overview.html
> [1] http://lists.w3.org/Archives/Public/public-webcrypto-comments/2013Feb/0000.html
> 
> 

Received on Monday, 11 March 2013 13:05:05 UTC
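The property Anders relies on above (a login captured by a fake GB cannot be reused at the real GB) comes from the client's certificate-based signature covering the handshake transcript, which includes the server's own certificate and nonce. The following toy model, added here as an illustration and not part of the thread or of any W3C deliverable, shows that binding with a textbook RSA key built from two fixed small primes; the bank names, nonces and certificate strings are constructed. It models only the transcript binding: in real TLS the transcript also covers the key exchange, which a relay that forwards the real bank's certificate cannot complete without the real bank's private key.

```python
"""Toy model of why a client-certificate login captured by a phishing site
cannot be replayed at the real site: the client signs the handshake
transcript, and that transcript names the server the client was actually
talking to.

Constructed example: textbook RSA with tiny fixed primes and no padding,
for illustration only. A real client uses TLS and a properly generated key.
"""
import hashlib
import os

# Toy RSA key for Park's browser: the Mersenne primes 2^31-1 and 2^61-1.
# gcd(65537, (P-1)(Q-1)) == 1, so the private exponent exists.
P, Q = 2147483647, 2305843009213693951
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
CLIENT_PUBLIC_KEY = (N, E)

# Constructed identities for the real bank and the phishing site.
REAL_GB_CERT = b"CN=gangnambank.example (constructed)"
FAKE_GB_CERT = b"CN=gangnam-bank-login.example (constructed)"


def transcript_hash(server_cert: bytes, server_nonce: bytes, client_nonce: bytes) -> int:
    """Hash of the handshake transcript, truncated to 64 bits so it is < N."""
    digest = hashlib.sha256(server_cert + server_nonce + client_nonce).digest()
    return int.from_bytes(digest[:8], "big")


def client_sign(server_cert: bytes, server_nonce: bytes, client_nonce: bytes) -> int:
    """CertificateVerify analogue: the browser signs the transcript it saw."""
    return pow(transcript_hash(server_cert, server_nonce, client_nonce), D, N)


def server_verify(server_cert: bytes, server_nonce: bytes, client_nonce: bytes,
                  signature: int, client_public_key=CLIENT_PUBLIC_KEY) -> bool:
    """The bank recomputes the transcript of the session *it* took part in."""
    n, e = client_public_key
    return pow(signature, e, n) == transcript_hash(server_cert, server_nonce, client_nonce)


def honest_login() -> bool:
    """Park logs in directly at the real GB: the signature verifies."""
    server_nonce, client_nonce = os.urandom(16), os.urandom(16)
    sig = client_sign(REAL_GB_CERT, server_nonce, client_nonce)
    return server_verify(REAL_GB_CERT, server_nonce, client_nonce, sig)


def phished_login() -> bool:
    """Park is fooled into logging in at the fake GB, which then tries to
    reuse that login at the real GB. Returns whether the real GB accepts it."""
    # Session 1: the fake GB handshakes with Park's browser under its own
    # certificate and nonce and collects Park's signature.
    fake_nonce, client_nonce = os.urandom(16), os.urandom(16)
    stolen_sig = client_sign(FAKE_GB_CERT, fake_nonce, client_nonce)
    # Session 2: the fake GB opens its own session with the real GB, which
    # presents its own certificate and a fresh nonce. Forwarding Park's nonce
    # and the stolen signature does not make the transcripts match.
    real_nonce = os.urandom(16)
    return server_verify(REAL_GB_CERT, real_nonce, client_nonce, stolen_sig)


if __name__ == "__main__":
    print("direct login accepted by real GB:", honest_login())
    print("login replayed by fake GB accepted by real GB:", phished_login())
```

The second function is the "pretty useless" attack from the message: the fake GB ends up holding a signature over a transcript that names the fake GB, and the real GB only ever checks signatures over transcripts that name itself.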