[bgidley]

You can prevent MITM from the browser - you 'simply' use Whitebox Crypto to create a secured channel - (shameless plug Irdeto who I work for sell this as solution https://irdeto.com/payments-and-banking/cloakedjs-code-prote...)

In that case even if you MITM it - all the bad guy gets is encrypted (AES) data. Whitebox does sound a bit like black magic, but it's widely deployed (over 5 billion devices for Irdeto's) and add a nice layer to ensure that you're actually talking to the end users browser, and it's your code that's running on it.

[icebraining]

Snake-oil. If I MITM, I'll just add my own code that copies the plain-text to my server, I don't need to break any encryption. It's nothing more than an obfuscation layer.

[bgidley]

We did think of that :) - we can detect your tampering with the forms we protect. But that said it doesn't stop everything if you can install a keylogger, or get the user to enter data somewhere else we can't stop it and it does depend on where in the user journey you try and protect things, as someone else here has pointed out if any of the journey is HTTP (or HTTPS being MITM) then they can send the user somewhere else.

However I'd also argue you don't actually need to stop people grabbing the data. Noticing achieves a large chunk of that, as (for example) I can notify the credit card system it's happened.

If you want to see exactly what it does and doesn't do see https://resources.irdeto.com/payments-banking/solution-overv...

[icebraining]

Frankly, regarding MITM, that paper is just nonsense. How can it "ensure contents of a message are secure on the 'wire', by encrypting with a secondary scheme between the JavaScript client and the server", when you can't even guarantee that the signing and encryption code isn't tampered with in-flight?

And you can't guarantee that you can notify either, and for the same reason. The code that leaves your server won't be the code that actually runs on the client - it'll be a mutated version that will say "everything is OK" and acts normally to your server while it sends all the data somewhere else.

Nothing has changed since [1] was written; I don't see how that is anything but DRM promising more than it can deliver.

[1] https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

[dfc]

I am confused, initially you said "you can prevent MITM" now you say "doesnt stop everything...(HTTPS being MITM)". So your claim is that your product can or can not prevent MITM?

[bgidley]

It can prevent MITM IF it's loaded in client page (defining MITM as network interception).

It can't stop keyloggers, people looking over your shoulder, malware in the browser (MITB)/plugins as it still sits within the browser sandbox. It can in some cases detect that, and in some cases hinder it.

An attacker can stop it loading by MITM the connection, but then the site can't work against it's APIs as the solution also verifies as data goes into those API's the encryption is present and the code isn't tampered. If it's tampered a business rule is applied to decide what to do, either stop the messages, OR pass it back to risk management systems (very common in finance).