banks and ssl fingerprints

Daniel Carosone dan at geek.com.au
Sun Feb 13 00:09:02 EST 2005


On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:
> One member of this mailing list, in a private exchange, noted that
> he had asked his bank for their certificate's fingerprint.  My
> response was that I was astonished he found someone who knew what
> he was talking about.

I spent quite some time and effort, on an early Internet Banking
project some years ago, convincing a bank to publish the SSL
fingerprint for the service via a number of out-of-band channels.

I suggested they print the details somewhere on their advertising for
the service (even amongst the rest of the inevitable small print), on
the terms and conditions paperwork, perhaps on people's bank
statements, add a menu item to the telephone voice-response system to
read the fpr, etc., etc. There were also to be instructions and pointers
to this amongst the 'security information' help docs.  There was some
discussion about it all, especially around changing the printed
material if certs were renewed/replaced, but they eventually went for
a reference to the IVR key reading (which could be changed) from a
number of the other places.

A couple of years later, I asked them to go through IVR logs and find
out how many times the fingerprint had been read out: they figured,
discounting internal test calls, perhaps just over a dozen since the
project went live.

We never expected it to be used much. Even so, if this helped those
few people who wanted to check, I felt it was a worthwhile service.

--
Dan.
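The client-side half of what Dan describes, as an added example that is not part of the original post or any bank's software: hash the certificate the server actually presented and compare it with the fingerprint a customer wrote down from the IVR, tolerating the formatting a spoken or printed value picks up and accepting the predecessor certificate during a renewal window. The DER bytes and published values are constructed, and the label-stripping pattern and the two accepted digest algorithms are my assumptions.

```python
import hashlib
import hmac
import re
import ssl

# SHA-1 was what banks printed in 2005; SHA-256 is what you would publish
# now. Accepting both keeps older printed material usable.
ALGORITHMS = ("sha256", "sha1")


def normalise(fpr):
    """Reduce a fingerprint as printed or read out over the phone (colons,
    spaces, mixed case, a leading 'SHA256 Fingerprint:' label) to bare
    lowercase hex, so formatting alone cannot cause a false mismatch."""
    fpr = re.sub(r"^\s*(sha-?256|sha-?1|md5)\s*(fingerprint)?\s*[:=]\s*",
                 "", fpr, flags=re.I)
    return re.sub(r"[^0-9a-f]", "", fpr.lower())


def fingerprint(der, algorithm="sha256"):
    """A certificate fingerprint is the hash of its DER encoding."""
    return hashlib.new(algorithm, der).hexdigest()


def pem_fingerprint(pem, algorithm="sha256"):
    """Same thing for a certificate saved in PEM form."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem), algorithm)


def check_against_published(der, published):
    """Compare the presented certificate with every fingerprint the bank
    has published out of band (the current certificate and, around a
    renewal, its predecessor). Returns "match", "mismatch", or "unusable"
    when no published value has the length of a supported digest."""
    usable = False
    for raw in published:
        want = normalise(raw)
        for alg in ALGORITHMS:
            if len(want) != hashlib.new(alg).digest_size * 2:
                continue
            usable = True
            if hmac.compare_digest(fingerprint(der, alg), want):
                return "match"
    return "mismatch" if usable else "unusable"


# Constructed stand-in for the DER a server presented; a real check hashes
# the exact bytes from the handshake (getpeercert(binary_form=True)).
PRESENTED_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def demo():
    """Constructed IVR values: the current cert's SHA-256 fingerprint as a
    customer would write it down, plus an old SHA-1 value still listed."""
    current = fingerprint(PRESENTED_DER)
    spoken = ":".join(current[i:i + 2].upper() for i in range(0, 64, 2))
    return check_against_published(
        PRESENTED_DER, ["SHA256 Fingerprint: " + spoken, "de ad be ef " * 5])
```

A "mismatch" on a live connection means either a renewal the bank has not yet published or an interposed certificate; the customer cannot tell which, which is exactly why the IVR reading had to stay current.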