Anders,

On 1/1/2013 12:47, Anders Rundgren wrote:
Although the recent CA failures cast a shadow over the web, they have AFAIK not led to any major losses for anybody. The credit-card system OTOH is a major source of losses and hassles. IMO the only parties that can fix it are the browser vendors. In the EU and Asia hundreds of millions of EMV-cards are in circulation, but since there is no useful system on the Internet these cards are still equipped with mag-stripe and CCV "passwords" printed in clear on the back of the cards, which makes them subject to attacks in spite of the chip.

Are you sure that internet use is the only reason for the mag-stripe and CCV passwords being on the card?
Are 100% of the physical card readers EMV capable in EU and Asia?

It's not clear to me how any single browser vendor could design a solution for this, given the huge variety of browsing devices nowadays.
Even the hardware on those devices is quite different, let alone software.

Developing card readers that physically can connect to all those devices, as well as software stacks for each OS and browser, is going to be a very expensive task.

A much less expensive and simpler approach might be some kind of universal standalone device that provides power to the card, and allows doing some challenge/response type authentication with the card, resulting in a dynamic number that the user could enter into any SSL web form.

Julien

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
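
The challenge/response idea in the message above, sketched as an added example that is not part of the original thread. It assumes a per-card secret shared with the issuer and uses HMAC-SHA256 as a stand-in for whatever cryptogram a real card computes; `card_response`, `Issuer`, the 8-digit length and the counter window are all hypothetical.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # assumed length of the number the user types into the web form


def card_response(card_key: bytes, challenge: str, counter: int) -> str:
    """Code shown by the standalone reader after the card processes the challenge."""
    msg = challenge.encode() + counter.to_bytes(8, "big")
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation in the style of RFC 4226
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"


class Issuer:
    """Server side: issues challenges and checks the typed-in code."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.counter = 0      # highest card counter accepted so far
        self.pending = set()  # challenges issued and not yet answered

    def new_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: str, code: str, window: int = 3) -> bool:
        if challenge not in self.pending:
            return False                  # unknown or already used: replay
        self.pending.discard(challenge)   # one attempt per challenge
        # The card's counter may have advanced without the issuer seeing it
        # (codes generated but never submitted), so accept a small window.
        for ctr in range(self.counter + 1, self.counter + 1 + window):
            expected = card_response(self.card_key, challenge, ctr)
            if hmac.compare_digest(expected, code):
                self.counter = ctr        # older counters are never accepted again
                return True
        return False
```

Unlike the static number printed on the card, a code captured from one form submission is useless for a second one, because the challenge is single-use and the counter only moves forward.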
