Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Project Development
Re: SSL logs as proof of money transfer for p2p exchanges
by
waxwing
on 04/11/2013, 22:50:43 UTC
Quote from: PeFro on November 04, 2013, 09:05:34 PM
I just tested it for 2 banks.

For netbank.de it works just fine.
For sparkasse.de it doesn´t...

this is the last part of the log:

Code:
7N  m1inihttp received /page_marked?accno=397686700&sum=%E2%88%9229,44&time=1383598717 request2
.A0ttempt no:1 to find HTML in our trace.
0.1:28182
OUT 127.0.0.1:52180
Amount not found in HTML
Attempt no:2 to find HTML in our trace
Amount not found in HTML
sending failure. Reason: Data not found in HTML

the amount I entered was 29,44, so.. not sure why it´s garbled in the log while the account no is fine

Edit: Ok, my fault (kinda)... I didn´t enter 29,44 but -29,44, as that was the way it was stated. Imho this should be processed either way.
Indeed it looks like you entered a minus sign; the garbled part is an encoded form of the minus character.
Did you copy/paste the minus sign or enter it manually? I guess the latter and that's why it's failed.
However you're definitely right that we have to be careful how we deal with the user input, and we're looking into it. Your input is much appreciated.

Quote
Now maybe a stupid question... what exactly does this prove?
Is it a problem that, e.g. I can send a transaction to one of my own bank accounts and put the actual target account number (whom I´m supposed to pay) just in the comments field of the transaction? Paysty does find the actual target account number in the html but does it recognize that this is not the account number money is send to?
Paysty is only verifying that what you enter into the 'accno' and 'sum' boxes actually appears somewhere in the html of the page. So of course you're right you could enter anything that appears somewhere on the page, not necessarily the true account number for example. This is just a first stage verification - the real point is as follows: if there's a dispute between buyer and seller, the escrow can (if you choose to give it) take the ssl key(s) specifically associated with that html page, and decrypt that one page and read it.
The protection of your privacy is based on doing a kind of "reset" of the ssl connection and then reloading the page. This means the escrow will never be able to see anything except that one page.
Does it make sense? Obviously a more detailed explanation will be given in the future.