- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Fri, 29 Nov 2013 10:45:43 +0100
- To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
- Cc: "Yoav Nir" <synp71@live.com>, "HTTP Group" <ietf-http-wg@w3.org>
On Thu, 28 November 2013 10:37, Stephen Farrell wrote:

Hi Stephen,

> Let me ask one of the possibly many hard questions: say I'm a bank,
> wouldn't the result of your proposal be that I'd not be able to
> turn on HTTP/2.0 because e.g. one of my regulators somewhere would
> forbid me agreeing to exposing my customer's credentials to one
> or more such proxies?

In theory you would be right. In practical terms, banks care about money, and it's quite clear they've accepted imperfect systems for a long time, as long as the costs of cleaning up after incidents are lower than fixing technical or organisational problems (see all the not-quite-secured webshops or credit card systems on the market; the banks love that revenue and don't look too hard at security).

Besides, all they have to do is send one-time authorization codes via other channels for any operation they perceive as dangerous. That's what my bank and Visa do today, for example, and that was loads easier for them than trying to drill password discipline into all their customers (and let's be honest: TLS is useless without a good password).

So unless a bank representative states the contrary, all my technical experience screams it's a non-problem.

Regards,

-- 
Nicolas Mailhot
Received on Friday, 29 November 2013 09:46:19 UTC