Re: Requirement for Payment Platforms - Trusted GUI from Goss, Brian C., M.D. on 2013-11-01 (public-webpayments@w3.org from November 2013)

From: Goss, Brian C., M.D. <Goss.Brian@mayo.edu>
Date: Fri, 1 Nov 2013 02:06:57 +0000
To: "David I. Lehn" <dil@lehn.org>
CC: Anders Rundgren <anders.rundgren.net@gmail.com>, Web Payments CG <public-webpayments@w3.org>
Message-ID: <D0CB0A0F-8104-4846-8CC6-535AA6A6485F@mayo.edu>

Can one ever really trust their own systems? In the post NSA revelation world, can we even trust our hardware?

> On Oct 31, 2013, at 8:33 PM, "David I. Lehn" <dil@lehn.org> wrote:
> 
> On Tue, Oct 22, 2013 at 8:08 AM, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
>> For payment operations you ought to have a trusted GUI.
>> It would be nice to get a list of possible options for achieving this.
> 
> The problem with most GUIs is that an attacker can emulate what the
> GUI looks like and intercept your secure data.  You could show secrets
> (pictures, etc, etc) that are only accessible via the trusted GUI.
> But then you have to make sure users understand how and why to set
> that up properly, and ensure that they are trained to notice if those
> secrets do not appear.  That seems like the hard part.
> 
> -dave
>

Attachments

application/pkcs7-signature attachment: smime.p7s

Received on Friday, 1 November 2013 02:07:21 UTC