
Re: Feature Request: Enhance Security by Sending Domain as Meta-data

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 19 Apr 2019 17:09:24 +0200
To: Michael Duffy <mduffy215@gmail.com>, public-web-bluetooth@w3.org
Message-ID: <dfbd9a34-64e8-1dab-ce1d-3fd74f7259b7@gmail.com>
Hi Michael,

I'm not a W3C member but I'm subscribed to this list so I take the liberty to respond as well :-)
This is rather close to what I have suggested for Web NFC; that is, creating a secure(r) connection between a mobile "App" and a Web page:

According to the Web NFC folks this kind of application is not interesting.

Other people claim that FIDO2/WebAuth already addresses this issue.  This is actually correct:
The only snag is that it presumes that the whole market converts to FIDO.

I have proposed something similar to your proposal but limited to payments:

IMO the FIDO way of doing this is the optimal solution since it also "wakes up" the proper application.


On 2019-04-18 16:54, Michael Duffy wrote:
> I have a suggestion that would greatly enhance Web Bluetooth security.
> A key use case for Web Bluetooth is to create a communication channel between a web application and a mobile application. By passing the domain from the web application as meta-data (preferably in an unhackable way) the mobile application will be able to provide programmatic confirmation that the user is on the right website ("www.chase.com" not "www.chaze.com"). The capability to securely send the domain would help a great deal in preventing phishing scams. *This added security will be well worth the effort; and the effort should be fairly simple (the domain is already passed to the pairing screen).*
> This would need to be some sort of meta-data process call; simply calling a JavaScript method from the web page to sendDomain("Domain Name") would of course not be secure.
> The first stated goal of the Web Bluetooth Community Group Charter is, "Allow websites to communicate with devices in a secure and privacy-preserving way." Sending the domain from the web application to the mobile application would enhance both security and privacy.
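The point both messages circle around (a page-supplied `sendDomain("Domain Name")` proves nothing, whereas a FIDO2/WebAuthn-style assertion binds the real origin into signed data) can be shown with a small model. The code below is an added illustration written for this archive page, not code from the thread, from Web Bluetooth or from any FIDO2 library. It mimics the shape of WebAuthn (browser-built clientDataJSON with the origin, authenticator data carrying rpIdHash, a signature over both) but uses an HMAC with a constructed key in place of a real credential key pair, and every function name, the "www.chase.com" / "www.chaze.com" values and the challenge bytes are hypothetical.

```python
import hashlib
import hmac
import json

# Domain the mobile app / device is provisioned to trust (constructed example value).
EXPECTED_RP_ID = "www.chase.com"

# Key registered with the device at enrolment (constructed; a real FIDO2
# credential is an asymmetric key pair, HMAC keeps this standard-library only).
CREDENTIAL_KEY = b"constructed-demo-key-not-a-real-credential"


def naive_check(claimed_domain: str) -> bool:
    """Model of sendDomain("Domain Name"): the page chooses the string, so
    nothing ties it to where the page was actually loaded from."""
    return claimed_domain == EXPECTED_RP_ID


def browser_select_rp_id(origin_host: str, requested_rp_id: str) -> str:
    """Browser-side rule modelled on WebAuthn: the page may request an RP ID,
    but only one equal to, or a parent domain of, the real origin host."""
    if origin_host == requested_rp_id or origin_host.endswith("." + requested_rp_id):
        return requested_rp_id
    raise ValueError(f"{requested_rp_id!r} is not a valid RP ID for origin {origin_host!r}")


def browser_client_data(origin_host: str, challenge: bytes) -> bytes:
    """The browser, not page script, serialises the origin it loaded the page
    from (the role of clientDataJSON)."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": "https://" + origin_host},
        sort_keys=True,
    ).encode()


def authenticator_sign(rp_id: str, client_data: bytes) -> tuple[bytes, bytes]:
    """Authenticator model: authenticatorData carries rpIdHash, and the
    signature covers authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(CREDENTIAL_KEY, signed_bytes, hashlib.sha256).digest()


def device_verify(auth_data: bytes, client_data: bytes, signature: bytes, challenge: bytes) -> bool:
    """Mobile app / device side: signature valid, challenge matches, and both
    the RP ID hash and the origin equal the domain this device was enrolled for."""
    expected_sig = hmac.new(
        CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False
    if not hmac.compare_digest(auth_data, hashlib.sha256(EXPECTED_RP_ID.encode()).digest()):
        return False
    cd = json.loads(client_data)
    return cd.get("challenge") == challenge.hex() and cd.get("origin") == "https://" + EXPECTED_RP_ID


def run_from_origin(real_origin_host: str, requested_rp_id: str, challenge: bytes = b"\x01" * 16) -> bool:
    """Simulate a page really loaded from real_origin_host that asks for
    requested_rp_id. What the page asks for only matters where the browser allows it."""
    try:
        rp_id = browser_select_rp_id(real_origin_host, requested_rp_id)
    except ValueError:
        return False
    client_data = browser_client_data(real_origin_host, challenge)
    auth_data, sig = authenticator_sign(rp_id, client_data)
    return device_verify(auth_data, client_data, sig, challenge)


def forged_client_data_rejected(challenge: bytes = b"\x02" * 16) -> bool:
    """A lookalike site holding a genuine signature for its own origin cannot
    swap in clientDataJSON that names the real domain: the signature covers
    SHA-256(clientDataJSON), so device_verify returns False."""
    honest_cd = browser_client_data("www.chaze.com", challenge)
    auth_data, sig = authenticator_sign("www.chaze.com", honest_cd)
    forged_cd = browser_client_data(EXPECTED_RP_ID, challenge)
    return device_verify(auth_data, forged_cd, sig, challenge) is False


if __name__ == "__main__":
    print("naive sendDomain accepted from anywhere:", naive_check("www.chase.com"))
    print("real site, bound origin:", run_from_origin("www.chase.com", "www.chase.com"))
    print("lookalike site, bound origin:", run_from_origin("www.chaze.com", "www.chaze.com"))
    print("lookalike requesting real RP ID:", run_from_origin("www.chaze.com", "www.chase.com"))
    print("forged clientData rejected:", forged_client_data_rejected())
```

The design point is where each field is filled in: `naive_check` accepts whatever string the page hands over, while in the bound flow the origin comes from the browser, the RP ID is checked by the browser against that origin, and the authenticator's signature covers both, so the device only needs to compare against the single domain it was enrolled for. This is also why the thread notes the approach presumes FIDO-style enrolment on the device side.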
Received on Friday, 19 April 2019 15:11:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:57:55 UTC