On Tue, May 02, 2006 at 12:25:06PM +0200, Christian Boltz wrote:
> Banks _should_ check the user agent string - I'd call it a security feature. However, there should be a "I know what I am doing" link.
No, this does not make sense at all. There are two things that are important when you want to do secure online transactions:

1. You want to prevent other people from listening to your communication. This is assured by using a strong cipher for the SSL connection. Although there _might_ be some relation between some browser versions and their capabilities to use certain types of ciphers, you should check for the actual cipher used and not whether the user is using a tool you _suspect_ to be able to do something.

2. You want to prevent the user from talking to a server other than the bank's server. Failing here is either a result of an uneducated end user (not checking the correctness of the URL, not checking the certificate, installing a Trojan horse by accident) or it is a broken implementation that falsely claims correctness of a certificate that is not. In the first case a check is completely useless. In the second case it is even harmful, because a user that talks to the original server might feel perfectly secure when he receives some warnings about security problems. He might think that he is perfectly secure when he does not get warned about security problems, but someone that makes you use a faked server will most likely never give you a security warning whatever you do.

Robert

-- 
Robert Schiele                  Tel.: +49-621-181-2214
Dipl.-Wirtsch.informatiker      mailto:rschiele@uni-mannheim.de

"Quidquid latine dictum sit, altum sonatur."
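As an added illustration of Robert's first point (not code from the thread): a small Go HTTPS server that decides from the cipher suite and protocol version the connection actually negotiated, which the client cannot misreport, rather than from the User-Agent header. The allow-list, the `cipherAcceptable`/`bankHandler` names and the `cert.pem`/`key.pem` files are this example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

// Allow-list chosen for this example (not from the mail): forward-secret
// AEAD suites for TLS 1.2; every TLS 1.3 suite is of that kind already.
var strongSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// cipherAcceptable judges a connection by what was actually negotiated
// (protocol version and cipher suite), which the client cannot misreport,
// instead of by the User-Agent header, which any client sets freely.
func cipherAcceptable(version, suite uint16) bool {
	if version >= tls.VersionTLS13 {
		return true
	}
	if version < tls.VersionTLS12 {
		return false // SSL 3 / TLS 1.0 / TLS 1.1 are refused outright
	}
	for _, s := range strongSuites {
		if s == suite {
			return true
		}
	}
	return false
}

// bankHandler refuses the page over a weak connection (r.TLS is nil on plain HTTP).
func bankHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || !cipherAcceptable(r.TLS.Version, r.TLS.CipherSuite) {
		http.Error(w, "connection not strong enough", http.StatusUpgradeRequired)
		return
	}
	w.Write([]byte("ok: " + tls.CipherSuiteName(r.TLS.CipherSuite) + "\n"))
}

func main() {
	// Same policy in the handshake, so weak suites are never negotiated at all.
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: strongSuites}
	srv := &http.Server{Addr: ":8443", Handler: http.HandlerFunc(bankHandler), TLSConfig: cfg}
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem")) // assumed cert/key files
}
```

With the handshake restricted in `tls.Config`, the handler check can only ever fail for non-TLS requests; it is kept so the policy is visible where the sensitive page is served.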