Personally, I don't think authenticating the scanner is an issue. I can see the document physically being scanned in the scanner.
And I can see the resulting image in the Java applet on my screen.
If the document that appears is not what I scanned, I would simply not submit it. I'm not worried about authenticating my scanner.

My bank feels differently, however. They won't allow users to just upload any random JPG file - it has to be input directly from a scanner, or through a mobile phone's camera. It probably doesn't make that much sense - any human being who can upload a fake check JPG could probably also print it, and then scan it or take a picture of it with the mobile phone.

This security measure really only prevents an automated program from generating and submitting the fake check JPG, until they can fake a phone camera or a Twain scanner in software, which is a bit more involved.

Julien

On 9/29/2015 01:23, helpcrypto helpcrypto wrote:
Julien: you and I have "at the end" the same problem.

Java Web applets are passing away and we are looking for alternatives.


If you are just talking about "scanning", there are 3 options AFAIK to do that:
  - From web invoke 127.0.0.1:port application(service) which listens on
port X and does all the job with the twain scanner
  - From the Web invoke myscan:// application protocol (look for registering
protocols on system at Google) and although you'll get a warning dialog,
the application could twain-scan and send result to a server
  - Forget about twain. The trust-chain of scanning is broken, but you can
scan over network and then upload JPG to your webform :P


If you are somehow worried about security (ie: "certified scanning") then
we are both "on the same problem".

Developing your own twain driver for network scanners will be -probably-
much more expensive than using xane or buying a new USB one.
You still have the scanner-web issue, but that can be solved easily (using
option #1+random number/token)

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
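
An added sketch of "option #1 + random number/token" from the quoted message; it is not code from either poster. The server issues a one-time token to the web session, the 127.0.0.1 service passes it along with the scan, and the server accepts the upload only once and only before expiry. The class and function names, the `https://bank.example` origin, the 120-second lifetime and the JPEG magic-byte check are assumptions. The token links the upload to the session; it does not authenticate the scanner.

```python
import hashlib
import secrets
import time

ALLOWED_ORIGIN = "https://bank.example"   # assumed origin of the web form
TOKEN_TTL = 120                            # seconds; assumed lifetime


class ScanTokenStore:
    """Server side: ties each one-time scan token to a web session."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}                 # sha256(token) -> (session, expiry)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = (session_id, self._clock() + TOKEN_TTL)
        return token

    def redeem(self, token, image):
        """Return the session the upload belongs to, or None if rejected."""
        entry = self._pending.pop(self._key(token), None)  # single use
        if entry is None:
            return None
        session_id, expiry = entry
        if self._clock() > expiry or not image.startswith(b"\xff\xd8\xff"):
            return None
        return session_id


def local_service_scan(origin, token, scan, upload):
    """127.0.0.1 listener: scan only for the expected page, then upload."""
    if origin != ALLOWED_ORIGIN or not token:
        return None                        # any site can reach localhost
    return upload(token, scan())


def demo():
    store = ScanTokenStore()
    token = store.issue("session-42")                      # constructed session id
    fake_scan = lambda: b"\xff\xd8\xff\xe0" + b"\0" * 16   # constructed JPEG header
    first = local_service_scan(ALLOWED_ORIGIN, token, fake_scan, store.redeem)
    replay = store.redeem(token, fake_scan())              # same token again
    foreign = local_service_scan("https://other.example", token, fake_scan, store.redeem)
    return first, replay, foreign
```
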
