
Re: Iframes and credit card security

From: Craig Francis <craig@craigfrancis.co.uk>
Date: Tue, 16 Aug 2016 10:33:40 +0100
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-Id: <3C4D2225-3C35-4D5B-8923-B11DF16963CE@craigfrancis.co.uk>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Thanks for confirming, Anders.

I think Apple are in quite a unique position with their solution, as they aren't handling traditional credit card data - it's almost to the point where the attacker could see/alter the data going by, and it would be fairly useless to them.

So I think we agree that IFRAMEs cannot be fixed, and that any websites that do use an IFRAME will need to be treated with the same amount of scrutiny as any other website that handles credit card information (even if that's a basic check that they aren't doing anything stupid).

Craig

> On 16 Aug 2016, at 06:02, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> On 2016-08-16 01:11, Craig Francis wrote:
> 
>> Personally I think "assuming the correct iframe has been opened" is the problem,
>> and because most websites are doing things like running out-of-date versions of WordPress,
>> they need to have at least a basic check that things "seem to be ok".
> 
> Apple have addressed the client-side of payment-security both with respect to the merchant and the user in a pretty elegant way:
> https://developer.apple.com/videos/play/wwdc2016/703/
> 
> Other payment providers will not be able to provide such solutions in the foreseeable future.  Fixing IFRAMEs is unlikely to be the answer.
> 
> Anders
> 
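The "basic check that things seem to be ok" discussed above, as an added example that is not part of the thread and not code from either author: a merchant page validates the src of the payment iframe it is about to open (exact origin match over https, no credentials in the URL) and only acts on postMessage results whose origin and source window are the frame it created. The provider origin `https://pay.example`, the `payment-token` message shape and the function names are assumptions for illustration. As Craig notes, this does not fix IFRAMEs: a page already under an attacker's control (for example through an out-of-date CMS) can simply remove the check, so it catches misconfiguration and sloppy integration rather than a compromised parent.

```javascript
// Added example, not from the public-webappsec thread. The provider origin,
// the message shape and the sandbox choice below are assumptions.
const PAYMENT_ORIGIN = "https://pay.example"; // assumed hosted-field provider

// Validate the iframe src before it is inserted into the DOM.
function checkFrameSrc(src, allowedOrigin = PAYMENT_ORIGIN) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return { ok: false, reason: "unparseable src" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // Compare whole origins, never prefixes: "https://pay.example.attacker.net"
  // would pass a startsWith("https://pay.example") check.
  if (url.origin !== allowedOrigin) {
    return { ok: false, reason: "unexpected origin " + url.origin };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  return { ok: true, reason: "" };
}

// Validate a postMessage result from the payment frame. `frameWindow` is the
// contentWindow of the iframe this page created; `event` is a MessageEvent
// (or, in a test, a plain object carrying the same origin/source/data fields).
function acceptProviderMessage(event, frameWindow, allowedOrigin = PAYMENT_ORIGIN) {
  if (event.origin !== allowedOrigin) return null; // wrong sender origin
  if (event.source !== frameWindow) return null;   // right origin, wrong window
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== "payment-token" || typeof data.token !== "string") return null;
  // Only a bounded, opaque token should ever cross this boundary; the
  // merchant page has no business receiving anything else from the frame.
  if (!/^[A-Za-z0-9_-]{16,128}$/.test(data.token)) return null;
  return data.token;
}

// Page wiring. Guarded by typeof document so the validation functions above
// can also be exercised under Node without a DOM.
function mountPaymentFrame(src) {
  const verdict = checkFrameSrc(src);
  if (!verdict.ok) {
    throw new Error("refusing to load payment frame: " + verdict.reason);
  }
  if (typeof document === "undefined") return null;
  const frame = document.createElement("iframe");
  frame.src = src;
  // sandbox restricts what the framed provider page may do in this context;
  // it does nothing to protect the frame from a hostile parent page.
  frame.setAttribute("sandbox", "allow-scripts allow-forms allow-same-origin");
  document.body.appendChild(frame);
  window.addEventListener("message", (ev) => {
    const token = acceptProviderMessage(ev, frame.contentWindow);
    if (token) console.log("payment token received:", token);
  });
  return frame;
}
```

The two checks are deliberately separate: `checkFrameSrc` runs before any network request is made, and `acceptProviderMessage` runs on every message, because a page with several frames (ads, widgets, a second payment provider) will receive messages from origins other than the one it is waiting on.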
Received on Tuesday, 16 August 2016 09:34:10 UTC
