PSM/Chinese Banking: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
 
(7 intermediate revisions by 2 users not shown)
Line 11: Line 11:
== Description of Mozilla China's CCB solution ==
== Description of Mozilla China's CCB solution ==


* Several plugins are used:
* Multiple plugins are installed:
** From Li: "They use a separate ActiveX control for any operation that they think should be protected – login, inputing a $$ amount for transaction, etc. So they would use a good number of these controls in a typical online banking session."
** One or more are used to communicate with the smart card.
* An extension specific to ccb.com.cn is used to improve the PSM client certificate selection UI, to show more information about each certificate (e.g. validity period) in the list, and to expand the identity token's list of certificates in the tree.  
* An extension specific to ccb.com.cn is used to improve the PSM client certificate selection UI, to show more information about each certificate (e.g. validity period) in the list, and to expand the identity token's list of certificates in the tree.  
* CCB's helper package installs a CCB-bank-specific root certificate; the exact technical reason for this isn't clear yet. This has possible negative security implications for non-CCB websites.
* CCB's helper package installs a CCB-bank-specific root certificate; the exact technical reason for this isn't clear yet. This has possible negative security implications for non-CCB websites.
Line 21: Line 23:


* Stop installing the CCB-bank-specific root and disable it on users' computers.
* Stop installing the CCB-bank-specific root and disable it on users' computers.
  There are two kinds of server certificates, one's CA is VeriSign,the other's CA
  is CCB. You can get it by visiting the two links below:
  https://ibsbjstar.ccb.com.cn/app/V5/CN/STY1/login.jsp
  https://ca3.ccb.com.cn/
  Why CCB uses two different kinds of server certificates, it's not clear yet.
  So, when accessing links like https://ca3.ccb.com.cn, Fx will throw an exception,
  so does IE. CCB's helper package adds "CCB CA ROOT" certificate into Fx and
  IE's  certificates trusting list to avoid it.
* Remove the need for CCB's extension that improves the PSM client certificate selection UI, by making those UI improvements inside the base UI.
* Remove the need for CCB's extension that improves the PSM client certificate selection UI, by making those UI improvements inside the base UI.
  It would be great.
* Drivers for identity tokens used by Chinese banks can be bundled with the browser and/or downloaded automatically on demand.
* Drivers for identity tokens used by Chinese banks can be bundled with the browser and/or downloaded automatically on demand.
  The helper serves not only for Fx but also other browsers including IE.
  I don't think it's practical to include all kinds of drivers in to our browser.
* Try to reduce or eliminate the use of plugins for UI, as much as possible. Providing an open-source HTML/CSS/JS reference implementation of these UI improvements (with a liberal license) might accelerate this.
* Try to reduce or eliminate the use of plugins for UI, as much as possible. Providing an open-source HTML/CSS/JS reference implementation of these UI improvements (with a liberal license) might accelerate this.
  I totally agree, but it depends on the bank sides.
* For UI plugins that cannot be replaced, develop open-source versions that we can ship in an extension bundled with Firefox China Edition.
* For UI plugins that cannot be replaced, develop open-source versions that we can ship in an extension bundled with Firefox China Edition.
  I don't think CCB would agree with it. CCB regards all the codes as commercial 
  confidential.


== Open Questions / Action Items ==
== Open Questions / Action Items ==
Line 30: Line 46:
# Improve communication between Mozilla China and Platform/PSM. bsmith is willing (eager, even) to go to Beijing if that would be helpful.
# Improve communication between Mozilla China and Platform/PSM. bsmith is willing (eager, even) to go to Beijing if that would be helpful.
# Coordinate a video/screen-sharing meeting between Mozilla China and Platform/PSM (bsmith and kaie), so that Platform/PSM can better understand the problem.
# Coordinate a video/screen-sharing meeting between Mozilla China and Platform/PSM (bsmith and kaie), so that Platform/PSM can better understand the problem.
# Have Platform/PSM help Mozilla China with any improvements that Mozilla China wants to make to Gecko to support their needs.
# What is the exacty purpose of CCB's root certificate? After installing the helper package, if we remove the root certificate from the certificate database using the Certificate Manager UI, then what specific parts of the website break?
# What is the exacty purpose of CCB's root certificate? After installing the helper package, if we remove the root certificate from the certificate database using the Certificate Manager UI, then what specific parts of the website break?
# What protocols and/or APIs are being used for the security of the bank? Are they using standard SSL client authentication? Are they using a solution with an API similar to the one used in Korea?
# What protocols and/or APIs are being used for the security of the bank? Are they using standard SSL client authentication? Are they using a solution with an API similar to the one used in Korea?
##They are using standard SSL client authentication
# Wei mentioned that CCB uses three vendors for identity tokens. Who are these three vendors?
# Wei mentioned that CCB uses three vendors for identity tokens. Who are these three vendors?
## [Vendor name]: [contact information] [links to vendor's website(s)]
## [watchdata]: [contact information] [http://www.watchdata.com/]
## [Vendor name]: [contact information] [links to vendor's website(s)]
## [bdtech]: [contact information] [http://www.bdtech.com.cn/en/]
## [Vendor name]: [contact information] [links to vendor's website(s)]
## [HuaDaZhiBao]: [contact information] [http://www.bhz.com.cn/en/]
# Get somebody in Mountain View (e.g. bsmith) access to a CCB bank account and hardware identity token, so that Platform/PSM can better support Mozilla China's efforts.
# Get somebody in Mountain View (e.g. bsmith) access to a CCB bank account and hardware identity token, so that Platform/PSM can better support Mozilla China's efforts.
# There are several plugins in the CCB helper package. What are these plugins and what do they do?:
# There are several plugins in the CCB helper package. What are these plugins and what do they do?:
## [filename] [Description of plugin's purpose]
## [npCCBEnckey.dll] [password input control instead of W3C password input]
## [filename] [Description of plugin's purpose]
## [npCCBInfoScan.dll] [check users' laptop enviroment, OS version, Firefox version, IE version and so on]
## [filename] [Description of plugin's purpose]
## [npCCBNetSignCom.dll] [signing transaction data]
## [filename] [Description of plugin's purpose]
## [npdmwritecert.dll] [update certificate into bdtech's smart card, provided by bdtech.]
## [filename] [Description of plugin's purpose]
## [npdmccbplugin.dll] [read infomation from bdtech's smart card, provided by bdtech.]
## [filename] [Description of plugin's purpose]
## [npHDZBCertCtrl.dll] [update certificate into HuaDaZhiBao's smart card, provided by HuaDaZhiBao.]
## [npHDZBSNCtrl.dll] [read infomation from HuaDaZhiBao's smart card, provided by HuaDaZhiBao.]
## [npWDImportCertCtrl.dll] [update certificate into watchdata's smart card, provided by watchdata.]
## [npwdkctrl.dll] [read infomation from watchdata's smart card, provided by watchdata.]


= Generalized Solution for Other Banks =
= Generalized Solution for Other Banks =
Line 51: Line 72:
* What other banks are willing/eager to work with us to get Firefox working with their site?
* What other banks are willing/eager to work with us to get Firefox working with their site?
* If the other banks' websites work similarly, and if we can minimize the number of closed-source plugins that are needed for the CCB solution, then we can probably greatly accelerate the enabling of Firefox compatibility on other banks' websites.
* If the other banks' websites work similarly, and if we can minimize the number of closed-source plugins that are needed for the CCB solution, then we can probably greatly accelerate the enabling of Firefox compatibility on other banks' websites.
= Other Payment Systems =
* Taobao/Alipay: In its original form, it is not compatible with Firefox either, but Mozilla China collaborated on an addon for Firefox. People have to install that addon manually.

Latest revision as of 09:46, 18 May 2011

Today

  • Most Chinese banks use ActiveX controls and are thus inoperable in Firefox.
  • Mozilla China has been working with CCB (ccb.com.cn) to enable its website to work with Firefox 3.6 and 4.0, using add-ons.
  • Many banks are using USB identity tokens and/or smartcards.
  • A very large majority of users are using Windows XP, which does not have built-in drivers for identity tokens, unlike Windows 7. (TODO: How many banks' identity tokens are plug-n-play in Windows 7.) These drivers use the Windows CryptoAPI CSP interface to expose the certificates on the identity token to applications that use CryptoAPI. However, Mozilla products currently do not use CryptoAPI; we have our own solution based on PKCS#11.
  • Some banks are using security tokens from multiple manufacturers, which may require different drivers and/or CSP/PKCS#11 DLLs.

CCB Bank

Description of Mozilla China's CCB solution

  • Multiple plugins are installed:
    • From Li: "They use a separate ActiveX control for any operation that they think should be protected – login, inputing a $$ amount for transaction, etc. So they would use a good number of these controls in a typical online banking session."
    • One or more are used to communicate with the smart card.
  • An extension specific to ccb.com.cn is used to improve the PSM client certificate selection UI, to show more information about each certificate (e.g. validity period) in the list, and to expand the identity token's list of certificates in the tree.
  • CCB's helper package installs a CCB-bank-specific root certificate; the exact technical reason for this isn't clear yet. This has possible negative security implications for non-CCB websites.
  • One or more PKCS#11 modules are installed, to enable access to the hardware identity token from within Gecko.

Possible immediate improvements

Note: This is just a list of *possible* improvements, because we do not know enough about the current solution yet. Some or all of these improvements might be unrealistic.

  • Stop installing the CCB-bank-specific root and disable it on users' computers.
 There are two kinds of server certificates, one's CA is VeriSign,the other's CA
 is CCB. You can get it by visiting the two links below:
 https://ibsbjstar.ccb.com.cn/app/V5/CN/STY1/login.jsp
 https://ca3.ccb.com.cn/ 
 Why CCB uses two different kinds of server certificates, it's not clear yet.
 So, when accessing links like https://ca3.ccb.com.cn, Fx will throw an exception,
 so does IE. CCB's helper package adds "CCB CA ROOT" certificate into Fx and 
 IE's  certificates trusting list to avoid it.
  • Remove the need for CCB's extension that improves the PSM client certificate selection UI, by making those UI improvements inside the base UI.
 It would be great.
  • Drivers for identity tokens used by Chinese banks can be bundled with the browser and/or downloaded automatically on demand.
 The helper serves not only for Fx but also other browsers including IE.
 I don't think it's practical to include all kinds of drivers in to our browser.
  • Try to reduce or eliminate the use of plugins for UI, as much as possible. Providing an open-source HTML/CSS/JS reference implementation of these UI improvements (with a liberal license) might accelerate this.
 I totally agree, but it depends on the bank sides.
  • For UI plugins that cannot be replaced, develop open-source versions that we can ship in an extension bundled with Firefox China Edition.
 I don't think CCB would agree with it. CCB regards all the codes as commercial  
 confidential.

Open Questions / Action Items

  1. Improve communication between Mozilla China and Platform/PSM. bsmith is willing (eager, even) to go to Beijing if that would be helpful.
  2. Coordinate a video/screen-sharing meeting between Mozilla China and Platform/PSM (bsmith and kaie), so that Platform/PSM can better understand the problem.
  3. Have Platform/PSM help Mozilla China with any improvements that Mozilla China wants to make to Gecko to support their needs.
  4. What is the exacty purpose of CCB's root certificate? After installing the helper package, if we remove the root certificate from the certificate database using the Certificate Manager UI, then what specific parts of the website break?
  5. What protocols and/or APIs are being used for the security of the bank? Are they using standard SSL client authentication? Are they using a solution with an API similar to the one used in Korea?
    1. They are using standard SSL client authentication
  6. Wei mentioned that CCB uses three vendors for identity tokens. Who are these three vendors?
    1. [watchdata]: [contact information] [1]
    2. [bdtech]: [contact information] [2]
    3. [HuaDaZhiBao]: [contact information] [3]
  7. Get somebody in Mountain View (e.g. bsmith) access to a CCB bank account and hardware identity token, so that Platform/PSM can better support Mozilla China's efforts.
  8. There are several plugins in the CCB helper package. What are these plugins and what do they do?:
    1. [npCCBEnckey.dll] [password input control instead of W3C password input]
    2. [npCCBInfoScan.dll] [check users' laptop enviroment, OS version, Firefox version, IE version and so on]
    3. [npCCBNetSignCom.dll] [signing transaction data]
    4. [npdmwritecert.dll] [update certificate into bdtech's smart card, provided by bdtech.]
    5. [npdmccbplugin.dll] [read infomation from bdtech's smart card, provided by bdtech.]
    6. [npHDZBCertCtrl.dll] [update certificate into HuaDaZhiBao's smart card, provided by HuaDaZhiBao.]
    7. [npHDZBSNCtrl.dll] [read infomation from HuaDaZhiBao's smart card, provided by HuaDaZhiBao.]
    8. [npWDImportCertCtrl.dll] [update certificate into watchdata's smart card, provided by watchdata.]
    9. [npwdkctrl.dll] [read infomation from watchdata's smart card, provided by watchdata.]

Generalized Solution for Other Banks

Open Questions

  • How similar are other Chinese banks' websites to CCB's?
  • What other banks are willing/eager to work with us to get Firefox working with their site?
  • If the other banks' websites work similarly, and if we can minimize the number of closed-source plugins that are needed for the CCB solution, then we can probably greatly accelerate the enabling of Firefox compatibility on other banks' websites.

Other Payment Systems

  • Taobao/Alipay: In its original form, it is not compatible with Firefox either, but Mozilla China collaborated on an addon for Firefox. People have to install that addon manually.
Retrieved from "https://wiki.mozilla.org/index.php?title=PSM/Chinese_Banking&oldid=309960"