Comments (8)
Should the Browser API be restricted to HTTPS-only environments?
Yes, we want the attack surface as small as we can make it while delivering on the important use cases. I can't think of an advantage that HTTP-only brings other than a potential reduction in cost for buying an HTTPS certificate (and hopefully that's going away soon w/ Let's Encrypt).
from webpayments.
I think consumers are becoming more aware of the little lock icon in the
location bar. They WANT things to be "secure", even as they don't really
know what that means. So yes, require HTTPS. Why not?
On Tue, Dec 1, 2015 at 10:39 PM, Manu Sporny [email protected]
wrote:
Should the Browser API be restricted to HTTPS-only environments?
Yes, we want the attack surface as small as we can make it while
delivering on the important use cases. I can't think of an advantage that
HTTP-only brings other than a potential reduction in cost for buying an
HTTPS certificate (and hopefully that's going away soon w/ Let's Encrypt).—
Reply to this email directly or view it on GitHub
#20 (comment).
Shane McCarron
[email protected]
from webpayments.
TAG recommends end-to-end encryption:
http://www.w3.org/2001/tag/doc/encryption-finding/
"This includes the use of TLS for transport encryption as well as applications that enable user-to-user encryption."
from webpayments.
as well as applications that enable user-to-user encryption.
I'm gonna nitpick on the TAG finding. While the abstract mentions user-to-user encryption, I don't really see it discussed in the body of the finding.
I think there are two types of encryption that we are talking about here:
- Connection encryption (such as TLS) that secures the communication channel.
- Message encryption that secures the messages in the event that the communication channel is compromised.
I'm a strong +1 for the first item because it's fairly automatic these days and Web developers using the Web Payments API won't be dramatically affected by it.
I'm a bit more concerned about the second item because if we start encrypting messages, that means Web developers may have to start encrypting and decrypting them (added complexity on most Web devs using the payments API). We do want to enable things like encrypted card tokens, etc., and we may want to enable parts of the messages to be encrypted in special cases, but I think we should stay far away from requiring all messages to be fully encrypted.
So +1 for enabling parts of Web Payments messages to be encrypted (like card tokens). -1 for requiring any top-level Web Payments messages to be encrypted (like payment responses).
from webpayments.
So +1 for enabling parts of Web Payments messages to be encrypted (like card tokens). -1 for requiring any top-level Web Payments messages to be encrypted (like payment responses).
Strong +1
Data in messages will be encrypted or signed as defined by the payment method.
The payments browser API should only be available in a secure context.
from webpayments.
I hear @adrianhopebailie (and perhaps others) saying "If it's meant to be encrypted, the Web app and
the Payment app will both do what's necessary."
This sounds about right if the Web app and the payment app are the endpoints, and they can
encrypt and decrypt the message data. The spec probably should say that the Web application and
the payment app SHOULD secure message data.
Aside: The flow diagrams could aid us in seeing whether there are steps in the transaction where the messages must be secured.
It also sounds like we would want to advise those who want to do encryption to at least consider using the W3C WebCrypto spec (as an informative reference):
http://www.w3.org/TR/WebCryptoAPI/
I do not have any sense yet that a stronger requirement to use WebCrypto for all encryption is appropriate.
from webpayments.
I think HTTPS should be default even considering Web Crypto API.
but allow switching to HTTP with user consent.
On Thu, Dec 10, 2015 at 2:58 AM, ianbjacobs [email protected]
wrote:
I hear @adrianhopebailie https://github.com/adrianhopebailie (and
perhaps others) saying "If it's meant to be encrypted, the Web app and
the Payment app will both do what's necessary."This sounds about right if the Web app and the payment app are the
endpoints, and they can
encrypt and decrypt the message data. The spec probably should say that
the Web application and
the payment app SHOULD secure message data.Aside: The flow diagrams could aid us in seeing whether there are steps in
the transaction where the messages must be secured.It also sounds like we would want to advise those who want to do
encryption to at least consider using the W3C WebCrypto spec (as an
informative reference):
http://www.w3.org/TR/WebCryptoAPI/I do not have any sense yet that a stronger requirement to use WebCrypto
for all encryption is appropriate.—
Reply to this email directly or view it on GitHub
#20 (comment).
Mountie Lee
PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : [email protected]
Twitter : mountielee
from webpayments.
Migrated to w3c/payment-request#22
from webpayments.
Related Issues (20)
- [Payment apps] How can we optimize user experience when there is only one match? HOT 1
- Pull filters out of payment method data HOT 2
- Overview document figure 5 HOT 13
- Propose a payment method specification that includes an example of field level security HOT 1
- propose to add encoding attribute to data set HOT 18
- European market - Security concerns HOT 10
- [Tokenized Card Payment] Replace usage of 'last4' with 'suffix' HOT 8
- [Tokenized Card Payment] TokenCardRequest should inherit from BasicCardRequest HOT 3
- 3D secure support HOT 4
- Sepamail WebIDL syntax and algorithms HOT 4
- Payment Method Manifest spec - should enable country specific app discovery HOT 9
- Fingerprint and version metadata (in Web App Manifest spec) HOT 36
- Should the WPWG develop a cryptocurrency payment method specification HOT 14
- Adopt a "test as you commit" policy HOT 10
- Just a question, curious HOT 1
- Visual Identity for Web Payments HOT 14
- Specify both pickup and delivery addresses in a single payment request HOT 2
- QR use cases HOT 5
- Proposal to restore charter text around UI being out of scope HOT 10
- Pagos alex
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webpayments.