Re: Feature Request: Enhance Security by Sending Domain as Meta-data

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 19 Apr 2019 17:09:24 +0200
To: Michael Duffy <mduffy215@gmail.com>, public-web-bluetooth@w3.org
Message-ID: <dfbd9a34-64e8-1dab-ce1d-3fd74f7259b7@gmail.com>

Hi Michael,

I'm not a W3C member but I'm subscribed to this list so I take the liberty to respond as well :-)
This is rather close to what I have suggested for Web NFC; that is, creating a secure(r) connection between a mobile "App" and a Web page:
https://github.com/cyberphone/qr-replacement#a-better-qr

According to the Web NFC folks this kind of application is not interesting.

Other people claim that FIDO2/WebAuth already addresses this issue. This is actually correct:
https://www.blog.google/technology/safety-security/your-android-phone-is-a-security-key/
The only snag is that it presumes that the whole market converts to FIDO.

I have proposed something similar to your proposal but limited to payments:
https://github.com/w3c/payment-request/issues/865

IMO the FIDO way of doing this is the optimal solution since it also "wakes up" the proper application.

Cheers,
Anders

On 2019-04-18 16:54, Michael Duffy wrote:
> I have a suggestion that would greatly enhance Web Bluetooth security.
> 
> A key use case for Web Bluetooth is to create a communication channel between a web application and a mobile application. By passing the domain from the web application as meta-data (preferably in an unhackable way) the mobile application will be able to provide programmatic confirmation that the user is on the right website ("www.chase.com" not "www.chaze.com"). The capability to securely send the domain would help a great deal in preventing phishing scams. *This added security will be well worth the effort; and the effort should be fairly simple (the domain is already passed to the pairing screen).*
> 
> This would need to be some sort of meta-data process call; simply calling a JavaScript method from the web page to sendDomain("Domain Name") would of course not be secure.
> 
> The first stated goal of the Web Bluetooth Community Group Charter is, "Allow websites to communicate with devices in a secure and privacy-preserving way." Sending the domain from the web application to the mobile application would enhance both security and privacy.
> 
Received on Friday, 19 April 2019 15:11:40 UTC
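
Added example, not part of either message or of any project named in the thread: a sketch of the origin checks a FIDO2/WebAuthn verifier performs, showing why an origin written by the browser gives the property requested above while a value sent by page script does not. The field names (`type`, `challenge`, `origin`, the leading 32-byte rpIdHash) follow the WebAuthn specification; the relying-party ID `chase.com`, the challenge value and the helper names are assumptions, and the inputs are constructed samples.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://www.chase.com"  # domain from the thread's example
RP_ID = "chase.com"                        # assumed relying-party ID for that site


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_origin_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Return "ok" or the reason the response is rejected.

    A real verifier must also check the authenticator's signature over
    auth_data || SHA-256(client_data_json); that step is left out here,
    so this function alone does not authenticate anything.
    """
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return "clientDataJSON is not valid JSON"
    if not isinstance(client, dict):
        return "clientDataJSON is not a JSON object"
    if client.get("type") != "webauthn.get":
        return "unexpected type"
    if client.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if client.get("origin") != EXPECTED_ORIGIN:  # written by the browser, not by page script
        return "origin mismatch: " + repr(client.get("origin"))
    if len(auth_data) < 37:  # rpIdHash (32) + flags (1) + signCount (4)
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"


def constructed_response(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample: the two structures as produced for a page at `origin`."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return client.encode(), auth_data


if __name__ == "__main__":
    ch = b"constructed-challenge-0001"
    print(check_origin_binding(*constructed_response("https://www.chase.com", "chase.com", ch), ch))
    print(check_origin_binding(*constructed_response("https://www.chaze.com", "chaze.com", ch), ch))
```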
