- From: Michael Duffy <mduffy215@gmail.com>
- Date: Thu, 18 Apr 2019 09:54:19 -0500
- To: public-web-bluetooth@w3.org
- Message-ID: <CAFTyS6Nrrb0aZiQS5eoq1uX4d5psw+cN_pRQiwc5-hp_nuoVJw@mail.gmail.com>
I have a suggestion that would greatly enhance Web Bluetooth security. A key use case for Web Bluetooth is to create a communication channel between a web application and a mobile application. By passing the domain from the web application as meta-data (preferably in an unhackable way) the mobile application will be able to provide programmatic confirmation that the user is on the right website ("www.chase.com" not "www.chaze.com"). The capability to securely send the domain would help a great deal in preventing phishing scams.

*This added security will be well worth the effort; and the effort should be fairly simple (the domain is already passed to the pairing screen).*

This would need to be some sort of meta-data process call; simply calling a JavaScript method from the web page to sendDomain("Domain Name") would of course not be secure.

The first stated goal of the Web Bluetooth Community Group Charter is, "Allow websites to communicate with devices in a secure and privacy-preserving way." Sending the domain from the web application to the mobile application would enhance both security and privacy.
Received on Friday, 19 April 2019 13:48:54 UTC