On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:
> One member of this mailing list, in a private exchange, noted that
> he had asked his bank for their certificate's fingerprint. My
> response was that I was astonished he found someone who knew what
> he was talking about.
I spent quite some time and effort, on an early Internet Banking project some years ago, convincing a bank to publish the SSL fingerprint for the service via a number of out-of-band channels. I suggested they print the details somewhere on their advertising for the service (even amongst the rest of the inevitable small print), on the terms and conditions paperwork, perhaps on people's bank statements, add a menu item to the telephone voice-response system to read the fpr, etc., etc. There were also to be instructions and pointers to this amongst the 'security information' help docs.

There was some discussion about it all, especially around changing the printed material if certs were renewed/replaced, but they eventually went for a reference to the IVR key reading (which could be changed) from a number of the other places.

A couple of years later, I asked them to go through IVR logs and find out how many times the fingerprint had been read out: they figured, discounting internal test calls, perhaps just over a dozen since the project went live. We never expected it to be used much. Even so, if this helped those few people who wanted to check, I felt it was a worthwhile service.

-- Dan.
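As an added example, not code from Dan's post or from the bank's system: the client-side check that an out-of-band fingerprint publication of the kind described above is meant to support. It assumes SHA-256 fingerprints, accepts the forms a person would transcribe from print or from an IVR read-out (colons, spaces, either case, an `openssl`-style `Fingerprint=` prefix), and accepts more than one published value so that the renewal window the post mentions can be covered. `SAMPLE_DER` is a constructed byte string standing in for a DER-encoded certificate, and `fetch_server_fingerprint` is an assumed helper for reading a live server's leaf certificate; neither is from the original.

```python
"""Check a TLS server certificate against a fingerprint obtained out-of-band
(printed T&Cs, a bank statement, an IVR read-out).  Added example; not code
from the mailing-list post.  Assumes SHA-256 fingerprints."""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable

# Constructed stand-in for a DER-encoded certificate; NOT a real certificate.
# Only the bytes matter here: a fingerprint is simply a hash over the DER encoding.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes-for-demo"


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER certificate, lowercase, no separators."""
    return hashlib.sha256(der).hexdigest()


def normalize(fpr: str) -> str:
    """Reduce a human-transcribed fingerprint to bare lowercase hex.

    Accepts 'AB:CD:..', 'ab cd ..', 'abcd..', any case, stray whitespace,
    and a leading 'SHA256 Fingerprint=' as printed by openssl."""
    if "=" in fpr:
        fpr = fpr.rsplit("=", 1)[1]
    return "".join(ch for ch in fpr.lower() if ch in "0123456789abcdef")


def format_fingerprint(hexdigest: str) -> str:
    """Colon-separated uppercase pairs, the form usually printed or read out."""
    h = hexdigest.upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_matches(der: bytes, published: Iterable[str]) -> bool:
    """True if the certificate's fingerprint equals any published value.

    A collection is accepted because, around a renewal, both the outgoing
    and the incoming certificate may legitimately be in service; the
    published list is updated rather than the check being skipped."""
    actual = sha256_fingerprint(der)
    # compare_digest returns False (no exception) when lengths differ, so a
    # mistyped or truncated value simply fails to match.
    return any(hmac.compare_digest(actual, normalize(p)) for p in published)


def fetch_server_fingerprint(host: str, port: int = 443) -> str:
    """Assumed helper: connect with normal CA verification and return the
    leaf certificate's fingerprint in printed form.  The out-of-band
    comparison is an additional check on top of chain validation, not a
    replacement for it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return format_fingerprint(sha256_fingerprint(der))


if __name__ == "__main__":
    # Stand-in for the value read out over the IVR, derived from the constructed cert.
    read_out_over_phone = format_fingerprint(sha256_fingerprint(SAMPLE_DER))
    print("published :", read_out_over_phone)
    print("matches   :", fingerprint_matches(SAMPLE_DER, [read_out_over_phone]))
    print("mismatch  :", fingerprint_matches(SAMPLE_DER, ["00:11:22:33"]))
```

In practice the value passed to `fingerprint_matches` would be whatever the user transcribed from the statement or the IVR, and the DER bytes would come from `fetch_server_fingerprint`'s connection; the normalization step is what makes a read-out over the phone usable without the caller having to reproduce the exact printed punctuation.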