[16901] in cryptography@c2.net mail archive
banks and ssl fingerprints
daemon@ATHENA.MIT.EDU (Daniel Carosone)
Wed Feb 16 08:09:58 2005
X-Original-To: cryptography@metzdowd.com
Date: Sun, 13 Feb 2005 16:09:02 +1100
From: Daniel Carosone <dan@geek.com.au>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: Amir Herzberg <herzbea@macs.biu.ac.il>,
Ian Grigg <iang@systemics.com>, cryptography@metzdowd.com
Mail-Followup-To: "Steven M. Bellovin" <smb@cs.columbia.edu>,
Amir Herzberg <herzbea@macs.biu.ac.il>,
Ian Grigg <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <20050210232446.C8FAA3C025A@berkshire.machshav.com>
On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:
> One member of this mailing list, in a private exchange, noted that
> he had asked his bank for their certificate's fingerprint. My
> response was that I was astonished he found someone who knew what
> he was talking about.
I spent quite some time and effort, on an early Internet Banking
project some years ago, convincing a bank to publish the SSL
fingerprint for the service via a number of out-of-band channels.
I suggested they print the details somewhere on their advertising for
the service (even amongst the rest of the inevitable small print), on
the terms and conditions paperwork, perhaps on people's bank
statements, add a menu item to the telephone voice-response system to
read the fpr, etc etc. There were also to be instructions and pointers
to this amongst the 'security information' help docs. There was some
discussion about it all, especially around changing the printed
material if certs were renewed/replaced, but they eventually went for
a reference to the IVR key reading (which could be changed) from a
number of the other places.
A couple of years later, I asked them to go through IVR logs and find
out how many times the fingerprint had been read out: they figured,
discounting internal test calls, perhaps just over a dozen since the
project went live.
We never expected it to be used much. Even so, if this helped those
few people who wanted to check, I felt it was a worthwhile service.
--
Dan.
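How a client-side check against such an out-of-band fingerprint can be done, as an added example that is not part of the original message and not the bank's own procedure; the DER bytes are a constructed placeholder, not a real certificate, and the hostname in the fetch helper is assumed.

```python
"""Verify a server certificate against a fingerprint obtained out of band
(read out by an IVR, printed on paperwork, etc.)."""
import hashlib
import hmac
import re
import socket
import ssl

# Constructed placeholder standing in for the DER-encoded certificate a
# client receives; a real one would come from fetch_server_der() below.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """An 'SSL fingerprint' is simply a hash of the DER-encoded certificate."""
    return hashlib.new(algo, der).hexdigest()


def normalise(readout: str) -> str:
    """Reduce a fingerprint as printed or read aloud ('AB:CD 12 ef ...') to bare
    lowercase hex, so spacing, colons and letter case do not cause false alarms."""
    return re.sub(r"[^0-9a-f]", "", readout.lower())


def matches_published(der: bytes, published: str) -> bool:
    """Compare the presented certificate with the published value.
    The digest length tells us which algorithm the publisher used.
    A mismatch means either the cert was renewed/replaced and the published
    value is stale, or the client is not talking to the genuine service."""
    digest = normalise(published)
    algo = {40: "sha1", 64: "sha256"}.get(len(digest))
    if algo is None:
        raise ValueError("published fingerprint is not a SHA-1 or SHA-256 hex digest")
    return hmac.compare_digest(fingerprint(der, algo), digest)


def fetch_server_der(host: str, port: int = 443) -> bytes:
    """Retrieve the certificate a live server actually presents (network access
    required; not exercised offline). Hostname is whatever the bank publishes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

Because the fingerprint changes whenever the certificate is renewed, whoever publishes it needs a channel that can be updated, which is why the message above settles on the IVR readout as the reference copy.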