Re: Requirement for Payment Platforms - Trusted GUI

On 2013-11-01 02:32, David I. Lehn wrote:
> On Tue, Oct 22, 2013 at 8:08 AM, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
>> For payment operations you ought to have a trusted GUI.
>> It would be nice to get a list of possible options for achieving this.
>>
> 
> The problem with most GUIs is that an attacker can emulate what the
> GUI looks like and intercept your secure data.  You could show secrets
> (pictures, etc, etc) that are only accessible via the trusted GUI.
> But then you have to make sure users understand how and why to set
> that up properly, and ensure that they are trained to notice if those
> secrets do not appear.  That seems like the hard part.

Exactly.  I would go further and claim that it is impossible.

If we stick to payments, there is actually a working method which
has already been established for years for some smart cards:

It builds on the idea that the important thing is inside of the card
that can only be activated through an authorization code coming from
a terminal that the _card_ trusts.  If a user accidentally inserts
his/her card in a "bad" terminal, the owner of the bad terminal may indeed
get the authorization code but won't be able to exploit this knowledge
except by stealing the card which is not an Internet-scale attack [*].

I have outlined such a scheme in a recently upgraded paper where the
payment terminal is an enhanced browser and the card [presumably] is
an embedded secure element:

http://webpki.org/papers/PKI/pki-webcrypto.pdf

The alternative seems to be installing trusted payment applications but I don't
think the payment industry generally trusts users (or browser vendors...) for
performing such decisions.  With the devised scheme they don't have to.  I also
do not believe that payment networks suddenly will "unite" on a single trusted
application.  Such decisions are left to the market (where it IMO belongs).

Anders

[*] for some security folks this limitation is unacceptable but they are IMO
   living in a theoretical world where you have personal PIN-pad readers

Related: http://xkcd.com/538

> 
> -dave
> 

Received on Friday, 1 November 2013 04:15:20 UTC