[web-nfc] "A Better Q"

cyberphone has just created a new issue for https://github.com/w3c/web-nfc:

== "A Better Q" ==
![betterqr](https://cloud.githubusercontent.com/assets/8044211/26775188/06881c3a-49d4-11e7-99f8-9d6d00f4999d.png)

Using QR codes on the Web together with mobile phones acting as Identity Tokens or Wallets has been a huge success.

There is essentially only one snag; you need to start a specific QR- or QR-enabled application in order to use such a system.

However, if you scratch a bit under the surface of these systems you will find that they suffer from a fairly ugly security flaw: _There is no secure binding between the page showing the QR-code and the QR-code itself_. This fact has recently been successfully exploited by criminals who with simple phishing scams have lured people logging in to their bank for "Important Information" giving the phisher access to the account rather than the user. There is currently no publicly documented workaround for this vulnerability.

Note: even the most advanced systems out there using _Security Elements_ and _Asymmetric Key Cryptography_ exhibit this problem.

AFAICT, a _Dedicated_, _Write-only_ Web NFC variant could be a great replacement for inconvenient and security-broken QR schemes. I don't see that a strict enforcement of the Web Security Model would be necessary since the Web service doesn't get any information from the user (via NFC).

Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/128 using your GitHub account

Received on Monday, 5 June 2017 07:56:31 UTC