[clug] Internet banking and browser compatibility

Alex Satrapa grail at goldweb.com.au
Sun Feb 15 23:35:35 GMT 2009


On 15/02/2009, at 16:09 , Francis Whittle wrote:

> No, no, my SOMB card doesn't have my date of birth on it.

Is your SOMB card in the same wallet as your driver's licence or PUB  
card?

> Personally I don't see what's wrong with SSL.  Just generate a unique
> certificate for every user of the online banking service, and "bam!
> security" (at least in comparison).

That's a great idea for people who only ever do their Internet banking  
from one terminal. It's totally impractical for every other situation.

How do I use Internet banking from my office once I've got an SSL  
certificate for my browser at home? How do I stop the person who just  
broke into my house from clearing out my bank account before I get home?

Note that I wouldn't recommend using Internet banking from the office  
in the first place since so many workplaces these days are installing  
HTTPS proxies that do stupid stuff like generate certificates for the  
sites that you're visiting on the fly, so your browser will happily  
report that the hostname and certificate match. This renders using  
your own laptop invalid, since it's the network that is maliciously  
intercepting your communications.

RSA-style authenticators still don't address the man-in-the-middle  
issue of someone intercepting your request for a transfer of $1000  
between your cheque account and home loan, and turning that into a  
request for a transfer of $10000 from your cheque account to an  
institution outside your bank...

So now I'm off to figure out how to save a certificate for a HTTPS  
site so that my browser can check the certificate presented by the  
site against the "known good" certificate, and refuse to connect if  
the certificate changes.

Alex
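
The check described in the last paragraph of the message above, as an added example that is not part of the original post: keep a SHA-256 fingerprint of the certificate a site presented on a trusted network, and refuse when a later connection presents a different one. The host name `bank.example`, the JSON pin file and the two byte strings standing in for DER certificates are assumptions made for this sketch.

```python
import hashlib, hmac, json, socket, ssl
from pathlib import Path

class PinMismatch(Exception):
    """The presented certificate differs from the saved known-good one."""

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def check_pin(host: str, der: bytes, store: dict) -> str:
    """Return "pinned" on first sight, "match" afterwards; raise on change."""
    seen = fingerprint(der)
    known = store.get(host)
    if known is None:
        store[host] = seen  # trust on first use: do this from a network you trust
        return "pinned"
    if not hmac.compare_digest(known, seen):
        raise PinMismatch(f"{host}: expected {known}, got {seen}")
    return "match"

def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate (DER) after the usual CA checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verify_host(host: str, pin_file: Path) -> str:
    """Live check: compare the site's current certificate with the saved pin."""
    store = json.loads(pin_file.read_text()) if pin_file.exists() else {}
    result = check_pin(host, fetch_leaf_der(host), store)  # raises before saving
    pin_file.write_text(json.dumps(store, indent=2))
    return result

# Constructed stand-ins for DER certificates (not real certificates).
HOME_CERT = b"constructed-cert-seen-at-home"
PROXY_CERT = b"constructed-cert-generated-on-the-fly"

def demo() -> list:
    store, out = {}, []
    out.append(check_pin("bank.example", HOME_CERT, store))  # first visit
    out.append(check_pin("bank.example", HOME_CERT, store))  # same certificate
    try:
        check_pin("bank.example", PROXY_CERT, store)         # certificate changed
    except PinMismatch:
        out.append("refused")
    return out

if __name__ == "__main__":
    print(demo())
```

A legitimate certificate renewal changes the fingerprint as well, so a mismatch means "verify out of band before re-pinning" rather than proof of interception.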


