Re: Encrypting basic card data

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Mon, 11 Jul 2016 17:04:45 +0100
Message-ID: <CA+eFz_L1oYkCS5_NWcQfMUByXuOpyqZ=Fbf5td8CKC73t_EKWw@mail.gmail.com>
To: Adrian Bateman <adrianba@microsoft.com>
Cc: Payments WG <public-payments-wg@w3.org>
Agreed, this has started here and I'd encourage anyone with input to add it
to this page:
https://github.com/w3c/webpayments/wiki/Security-and-Privacy-Considerations

On 11 July 2016 at 16:40, Adrian Bateman <adrianba@microsoft.com> wrote:

> > On Mon, Jul 11, 2016 at 10:43:17, Adrian Hope-Bailie wrote:
> > I'm hearing:
> >
> > Let's not do this in v1, it may imply more security than is actually
> > being provided and we haven't actually identified the threat properly to
> > evaluate its value.
> >
> > Rather, let's work out a comprehensive solution for v2 that fully
> > mitigates a MiM threat
>
> I don't see a rush to do more in v1 unless we discover something that
> makes implementations more vulnerable than current sites. I think the
> encryption can be used for a functional scenario but I'm worried about
> saying it increases security without saying against what threat.
>
> More broadly, though, I've heard several people mention MITM attacks but I
> haven't yet understood who is the attacker and what are they attacking. It
> seems like some people are trying to mitigate against users changing the
> payment request. Others against malicious client side code. Others against
> network listeners. We need to enumerate the threats, understand the
> vulnerabilities, and address them with appropriate mitigations.
>
> Today, I believe we have equivalent security to typical online checkout
> forms but if someone has a scenario that shows that isn't true then we
> need to review it.
>
> Ade.
>
Received on Monday, 11 July 2016 16:05:57 UTC