Why does every discussion of “how do you trust a website on first visit” get redirected to “here’s how to trust a website you’ve already visited?”
I understand it’s the larger security problem because there are far more return visits than first visits. But that doesn’t mean it is the only security problem online.
What is the web equivalent of walking into a store for the first time and feeling confident I won’t get assaulted or robbed?
Most of my banking I bootstrapped from a physical interaction. The one provider I haven't had any physical interaction with I validated on the Financial Services Register: https://www.fca.org.uk/firms/financial-services-register
And if someone's managed to break gov.uk then I've got bigger problems.
I'll note, though, that most of the time I'm going to be using a credit card and it'll be obvious fairly quickly if whatever goods or services I've ordered don't appear. It's only really if I'm making multi-year investments (or going completely off the correct payment rails) that it's catastrophic if I make a mistake. See also: https://bam.kalzumeus.com/archive/no-payments-are-final/
I worry a lot about making credit card transactions with websites I don't have stable credentials on, and always opt to pay via Amazon or (gak) PayPal if it's my first time buying somewhere, unless they're using Stripe.
Is there anything you check for to confirm that it is Stripe? I was deceived last week, paying for something via something that looked like an embedded Stripe payment form.
> Is there anything you check for to confirm that it is Stripe?
You check the domain name in the address bar.
Embedded forms aren't safe—one must assume that the surrounding page has access to anything entered into the form, so you're not just giving your CC data to Stripe, you're also giving it to whatever site embedded the form. If you don't trust the merchant with your credit card, the only safe system is the one where you're directed to a top-level page hosted by Stripe to enter the payment details.
I think the flows are different. If I want to open up an account at amalgamatedbank.com, I probably type it in or I come from Google. Unless something is super wrong with my machine and someone's built an incredibly convincing bank website that matches what I would expect, I'm probably fine.
Now think about coming back to that site after I've made an account. I may be coming from an email, a push notification, a text message, a targeted ad, etc. The risk is a lot higher because I'm not initiating the flow by using a trusted search engine or typing it myself.
Or like, to be more succinct, it's because MITM rarely happens and phishing happens constantly.
The point of the authentication systems I'm talking about, which address specifically the concern of the parent comment, is that financial transactions don't generally happen on first visits to websites, and "transactions" on your first visit to chase.com.phishing.xyz should be blocked by something like WebAuthn, not the EV policies of a TLS CA.
> financial transactions don't generally happen on first visits to websites
every time i switch computers, reinstall or whatever i get a new first visit. seems to me that first visits are more likely than just the first time when signing up for that account.
This is what tptacek is talking about. If you have an account with a website that you have already verified, it’s possible for the website to authenticate you in a way that can’t be fooled like a person can. Basically it’s like 2FA that only works on the original website. Of course not every site has deployed this yet. But the solution exists.
If you don’t log in, or don’t have an account, though, it obviously can’t help you.
here a usb key is given to me by the bank, so i only get one. and it requires some invasive proprietary driver to use too.
if i lose it then i am stuck until i can go to the bank to get a new one
“Financial transactions don't generally happen on first visits to websites” is just a description of how things are today, it doesn’t help us think about how things could be or could have been.
Any purchase is a financial transaction; not sure why you zeroed in on banking. Those happen during first visits offline all the time.
I'm responding to the specific concern raised on the thread, not presenting my unified theory of authentication. WebAuthn is a better solution to "authenticating connections to services we have long-term relationships with, regardless of our relationships to particular websites" than anything in the TLS protocol could be.