馃懡 gnuserland

Ok this is just a pure curiosity...

But how much would be safe doing Online Banking on Gemini?

Just forget about authentication and let us pretend that we use a super protect method...

Thanks 馃榿

1 year ago 路 馃憤 krixano, bavarianbarbarian

Actions

馃憢 Join Station

10 Replies

馃懡 skoob

As I understand it, not only does TLS encrypt the response from the server to the client, but also the whole url sent from the client to the server. Only the domain name is exposed to dns to get an IP address, then the complete url is sent encrypted to the server. This means that user input given the Gemini way (in the url) is protected.

So yeah, it totally could be done. 路 1 year ago

馃懡 lykso

Heh, I just realized I've been fixated on authentication when you specifically said to forget about it. 馃槄

Yeah, TLS is TLS, and Gemini browsers are without a doubt simpler (and therefore easier to get right) than Web browsers. 路 1 year ago

馃懡 lykso

@stacksmith I know, 2FA via SMS is not especially secure and should be avoided in favor of TOTP or FIDO U2F if possible. Within the context of "(at least as) secure as the Web," though... yeah, most banks still offer this as an option, AFAICT it's still fairly common to use this despite the problems with it, and you could also do this with Gemini. 路 1 year ago

馃懡 lykso

@gnuserland Why would the bank provide the certificate? Just hook your Gemini browser into your Gnome keyring or whatever interface you prefer for interacting with kernel secrets so you can use the same mechanism you use to protect your other "at rest" secrets (e.g., email passwords) to protect your client certs as well. Then, if you want 2FA and/or server-side passwords on top (or even instead of) of client certs, do the 2FA/password prompt flow, issue some single-use or time-limited tokens, and require them when requesting authenticated URLs. (Ideally they'd be single-use, per link, and time-bound, IMO.) 路 1 year ago

馃懡 stacksmith

2FA using phones has led to disasters in the past. 路 1 year ago

馃懡 gnuserland

@lykso... 馃槀

Anyway I though you can have access with a certificate provided by your bank, than you have to put a password, when you hit enter you receive a text with a code, you put the code and you finally log in... :D 路 1 year ago

馃懡 lykso

I would personally love to do my banking over Gemini, if only to get away from all the horrific, browser-wrecking Javascript crap my bank foists on me. Would have been a lot easier/possible for me to automate certain workflows as well with a simplified interface like the one Gemini offers. 路 1 year ago

馃懡 lykso

No less safe than doing it over the web in most cases, I'd think (unless your bank offers FIDO 2FA; there's no reason Gemini clients couldn't support that, mind you, but none do presently). Perhaps safer due to the smaller client-side attack surface.

The only thing that gives me pause regarding certificate-based authentication is how client certificates are currently handled by most clients. Client certificates are generally stored unencrypted, which means that someone may steal your identity and access all your accounts just by copying this unencrypted file off your computer.

But you could still do password authentication plus 2FA via SMS or TOTP without special client code. 路 1 year ago

馃懡 gnuserland

@bavarianbarbarian 馃ぃ馃ぃ馃ぃ 路 1 year ago

馃懡 bavarianbarbarian

As a former paranoid Unix sysadmin I consider every IT stuff as unsecure, if you can avoid it, do it. I worked in nuclear powerplants, for major german ISPs, bleeding edge development and so on. Trust ia a weakness, anytime. 路 1 year ago