Re: Payment App spec implementations

On 03/10/2017 03:55 AM, Michiel de Jong wrote:
> But I cannot think of a way to make it secure enough to use it in 
> production: If a legitimate payment app can include a script that 
> allows it to register itself, then a malicious website can also 
> install itself as a payment app, without the user's consent.

Unless the polyfill site has been compromised, I don't see how this
could happen. We're diving into the weeds, but we've done this sort of
polyfill before for the Verifiable Claims work and are fairly certain
that we can deal with this particular security concern.

There are other more pressing security concerns, but ones that we feel
are manageable given Mozilla's deployment experience with Persona and
our deployment experience with the Verifiable Claims polyfill.

I'm not asserting that we will definitely want to make this a
production-capable polyfill... just that we think that it's possible and
would like to try (since it's going to be helpful for Payment App
developers to have it).

> Also, if a legitimate webshop can include the polyfill script to 
> launch the 'choose payment method' dialog and redirect the user to 
> their preferred payment app, then a malicious website can also 
> redirect the user to the user's installed payment app and request 
> payment without getting the user's consent first.

I think you may be assuming that there is no polyfill site in the
middle, and in that case, you are right, which is why you'd have to have
a polyfill site in the middle and ensure that polyfill site isn't
compromised (as is the case with many other services on the web... think
Gmail, Facebook, Twitter, Paypal, etc.).

> What if instead of a polyfill, we were to create a browser plugin?

We explored that approach, and while it would be easier to make secure,
it is not a universal solution. The person that is browsing will have to
install a plugin and the numbers of plugin installations have always
been pretty dismal for anyone that isn't Adobe.

Perhaps the Chairs could put aside some time to talk about a polyfill
for Payment Apps at the WPWG face-to-face, and if that doesn't happen,
those of us that need this to work to make progress w/ Payment Apps can
do so during hallway discussion.

--  manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Rebalancing How the Web is Built
http://manu.sporny.org/2016/rebalancing/

Received on Monday, 20 March 2017 18:10:14 UTC