[Advanced-java] Sensitive Data -> String getParameter(String) Alternative
Nikolaos Giannopoulos
nikolaos at solmar.ca
Mon May 5 16:08:30 2003
Carlo,
Excellent feedback - comments inline...
> -----Original Message-----
> From: advanced-java-bounces@lists.xcf.berkeley.edu
> [mailto:advanced-java-bounces@lists.xcf.berkeley.edu]On Behalf Of Carlo
>
>
> What we have had to do in the past is actually encrypt
> the sensitive data on the browser with an applet (in addition
> to HTTPS). Here is the process:
And although this is a more iron-clad solution - as it protects data
end-to-end - there are some issues for its general adoption IMO. I'll
re-use some comments from my reply to Martin's post (as they apply here for
somewhat similar reasons):
"...unless any solution can be easily integrated to a browser
HTML/CSS/JavaScript OR JSP mechanism it's just not going to help very much
i.e. a solution that offers "more" security at the cost of nobody using it
is more secure but with very little OR zero value."
"In the end, I totally welcome any solution that will make things more
secure as long as it doesn't create a greater hassle for the customer e.g.
Java applets and plug-ins are out for numerous reasons as history has
already shown i.e. Security considerations must always be balanced against
other considerations and unfortunately for e-commerce ease of use is a big
one to balance against."
> Many banks use this technique to protect user passwords/pins
> within their on-line banking applications.
Interesting. In Canada, I know of no bank that actually utilizes Java
applets to do this. Is this "use" for customers OR for bank employees? If
it's for employees I can understand and can envision it but if it's for
customers doing online banking I just don't see it happening.
Out of curiosity - which banks do you know of that employ this?
The way I see it Java applets have very limited use for Internet settings
(Intranet settings are another story) and can't fathom that a bank would
adopt such a strategy especially in light of Java applets' questionable
future in the "windoze" browser.
--Nikolaos