W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Yet another trusted proxy suggestion

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Fri, 29 Nov 2013 10:45:43 +0100
Message-ID: <db00ec257fc5f414a8ca316da908d0c3.squirrel@arekh.dyndns.org>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
Cc: "Yoav Nir" <synp71@live.com>, "HTTP Group" <ietf-http-wg@w3.org>

Le Jeu 28 novembre 2013 10:37, Stephen Farrell a écrit :

Hi Stephen,

> Let me ask one of the possibly many hard questions: say I'm a bank,
> wouldn't the result of your proposal be that I'd not be able to
> turn on HTTP/2.0 because e.g. one of my regulators somewhere would
> forbid me agreeing to exposing my customer's credentials to one
> or more such proxies?

In theory you would be right in practical terms banks care about money and
it's quite clear they've accepted imperfect systems for a long time as
long as the costs of cleaning up after incidents are lower than fixing
technical or organisational problems (see all the not-quite-secured
webshops or credit card systems on the market; the banks love that revenue
and don't look too hard on security).

Besides, all they have to do is to send one-time authorization codes via
other channels for any operation they perceive dangerous. That's what my
bank and Visa do today for example and that was loads easier for them than
to try drilling password discipline in all their customers (and let's be
honest: TLS is useless without a good password)

So unless a bank representative states the contrary, all my technical
experience screams its a non-problem.


Nicolas Mailhot
Received on Friday, 29 November 2013 09:46:19 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:20 UTC