
Re: Web Keys and HTTP Signatures

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 19 Apr 2013 14:34:51 -0400
Message-ID: <51718E4B.1050902@digitalbazaar.com>
To: Norbert Bollow <nb@bollow.ch>
CC: Web Payments CG <public-webpayments@w3.org>

On 04/18/2013 12:31 PM, Norbert Bollow wrote:
> Manu Sporny <msporny@digitalbazaar.com> wrote:
>> The attack is only possible if a message is passed over a
>> non-secure channel, right? That is, the spec is clear about passing
>> all messages over HTTPS. Granted, that's not an excuse for the
>> approach taken and it should be fixed, but the attack is only
>> possible if messages are sent over an insecure channel, correct?
> 
> Saying "use HTTPS!" does not assure having a channel that is secure
> in every respect. Trustworthy security requires careful arguments
> based on specific security properties.

Agreed. I don't think anyone was making this statement, though. :)

Passing the information over HTTPS while not implementing the fix would
open a sender up to an attacker that is the server. That is, you could
send the signed request over HTTPS, but then the server could re-write
your request and forward it on to some other server. This would be very
bad from a Web Payments perspective.

So, the answer is, the vulnerability would result in a real-world
problem over HTTPS as well.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Friday, 19 April 2013 18:35:14 UTC
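
An added illustration of the point in the message above (not code from the message or from the Web Keys / HTTP Signatures drafts): a signature that does not cover the destination still verifies when the same request arrives at a different host, while one that covers the request target and Host header does not. Assumptions: the message does not spell out the fix, so covering `(request-target)` and `host` is assumed here; HMAC with a constructed key stands in for the sender's Web Key signature; the request, hosts and helper names are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for the sender's signing key
REQUIRED = ("(request-target)", "host")  # assumed receiver policy


def signing_string(req, covered):
    """Build the byte string that is signed from the covered fields, in order."""
    lines = []
    for name in covered:
        if name == "(request-target)":
            value = f"{req['method'].lower()} {req['path']}"
        else:
            value = req["headers"][name]
        lines.append(f"{name}: {value}")
    return "\n".join(lines).encode()


def sign(req, covered):
    mac = hmac.new(KEY, signing_string(req, covered), hashlib.sha256).hexdigest()
    return {"covered": list(covered), "mac": mac}


def verify(req, sig, required=()):
    """Check the signature against the request as this server received it."""
    if not set(required) <= set(sig["covered"]):
        return False  # signature does not bind the request to its destination
    expected = hmac.new(KEY, signing_string(req, sig["covered"]), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), sig["mac"])


def seen_at(req, host):
    """The same request as a server on a different host would receive it."""
    return dict(req, headers=dict(req["headers"], host=host))


def demo():
    req = {"method": "POST", "path": "/transactions",
           "headers": {"host": "payee.example", "date": "Fri, 19 Apr 2013 18:00:00 GMT"}}
    weak = sign(req, ["date"])
    bound = sign(req, ["(request-target)", "host", "date"])
    relayed = seen_at(req, "other.example")
    return {
        "weak_accepted_elsewhere": verify(relayed, weak),
        "bound_accepted_elsewhere": verify(relayed, bound),
        "bound_accepted_at_intended": verify(req, bound),
        "weak_rejected_by_policy": not verify(req, weak, REQUIRED),
    }
```

The `required` check is the receiver-side half of the mitigation: a verifier that accepts whatever field list the signature declares cannot tell a destination-bound signature from an unbound one.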
