[clug] Internet banking and browser compatibility
Alex Satrapa
grail at goldweb.com.au
Sun Feb 15 23:35:35 GMT 2009
On 15/02/2009, at 16:09 , Francis Whittle wrote:

> No, no, my SOMB card doesn't have my date of birth on it.

Is your SOMB card in the same wallet as your driver's licence or PUB
card?

> Personally I don't see what's wrong with SSL. Just generate a unique
> certificate for every user of the online banking service, and "bam!
> security" (at least in comparison).

That's a great idea for people who only ever do their Internet banking
from one terminal. It's totally impractical for every other situation.
How do I use Internet banking from my office once I've got an SSL
certificate for my browser at home? How do I stop the person who just
broke into my house from clearing out my bank account before I get home?

Note that I wouldn't recommend using Internet banking from the office
in the first place since so many workplaces these days are installing
HTTPS proxies that do stupid stuff like generate certificates for the
sites that you're visiting on the fly, so your browser will happily
report that the hostname and certificate match. This renders using
your own laptop invalid, since it's the network that is maliciously
intercepting your communications.

RSA style authenticators still don't address the man-in-the-middle
issue of someone intercepting your request for a transfer of $1000
between your cheque account and home loan, and turning that into a
request for a transfer of $10000 from your cheque account to an
institution outside your bank...

So now I'm off to figure out how to save a certificate for a HTTPS
site so that my browser can check the certificate presented by the
site against the "known good" certificate, and refuse to connect if
the certificate changes.
Alex
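
The check described in the last paragraph of the message above, as an added example that is not part of the original post: save the SHA-256 fingerprint of a site's certificate on first contact, then refuse the connection if a later certificate differs, which is also what a proxy-generated certificate would trigger. The file name `pins.json` and all function names are assumptions made for this sketch.

```python
import hashlib, hmac, json, os, socket, ssl

class CertificateChanged(Exception):
    """Presented certificate does not match the saved known-good one."""

def fingerprint(der: bytes) -> str:
    # SHA-256 over the DER-encoded certificate, as hex
    return hashlib.sha256(der).hexdigest()

def load_pins(path):
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)

def check_pin(path, host, der):
    """Return 'saved' on first sight, 'match' if unchanged; raise if changed."""
    pins = load_pins(path)
    seen = fingerprint(der)
    known = pins.get(host)
    if known is None:
        pins[host] = seen  # trust on first use: only as good as the first network
        with open(path, "w") as f:
            json.dump(pins, f, indent=2)
        return "saved"
    if not hmac.compare_digest(known, seen):
        raise CertificateChanged(f"{host}: expected {known}, got {seen}")
    return "match"

def connect_pinned(host, port=443, path="pins.json"):
    """Open a TLS connection, refusing it if the certificate has changed."""
    ctx = ssl.create_default_context()  # usual CA and hostname checks still apply
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    try:
        check_pin(path, host, sock.getpeercert(binary_form=True))
    except Exception:
        sock.close()  # handshake is done, but no application data was sent
        raise
    return sock
```

A legitimate certificate renewal also changes the fingerprint, so a mismatch means "verify out of band and re-save the pin", not necessarily interception.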