undefined | Better HN

0 pointsperihelions9mo ago0 comments

If the bank and the website collude, they can de-anonymize attestation requests by correlating their two views of the interaction—the timestamps and various device fingerprints. It's impossible to make strong security guarantees against this threat model—imperfect statistical ones, at best.

Your version makes this trivial, since per your other comment, you expect the bank to insist on seeing the same IP address as the website, as an anti-fraud measure. ("If your IP doesn't match what you had at the bank, the RP rejects you.")

0 comments

3 comments · 1 top-level

jwally9mo ago· 2 in thread

Salt and hash the IP or something so the RP can see the user's IP is the same as the bank's; but not necessarily _what_ the IP is...?

perihelionsOP9mo ago

You want the website to (1) look at a visitor's IP address, and (2) compare a cryptographic hash of that same IP address, to test for equality? Did you forget that (1) they have that IP address to begin with?

jwally9mo ago

Given the static nature of most residential IP addresses, what stops this from happening today?

If I subpoena facebook, google, chase, and pornhub - I can unmask who you are by correlating your IP and profile info. If I want higher certainty, I can further narrow down time windows.

j / k navigate · click thread line to collapse