On 30/11/13 5:54 PM, Paul Hoffman wrote:
>
>
> +1. Stephen's response (that a bank can't currently know if there is a
> TLS proxy in HTTP/1.1) ignores what Yoav said, which is that such a
> bank could detect that by forcing client auth. Of course they won't do
> that, but they of course also won't have to because then they would be
> forced to not have internet banking.

Banks weigh costs. They compare the cost of fraud through proxies
against the cost of not having Internet banking against the cost of
getting all users of Internet banking to use (bank-issued?)
certificates. In most of the world, banks have chosen to live with the
fraud.

If this proposal were to be adopted and implemented in browsers and
proxies, we would be giving banks a fourth choice: Allow Internet
banking only in the absence of a proxy. Mostly today this means forcing
people to do their Internet banking at home, or using a phone with a
cellular internet connection. This adds some inconvenience for the user,
because they have to either wait until they're home, or force the phone
to use the cellular connection by disabling wifi. The question is if
giving them this choice is a good thing or not.