Abstract
GNU Taler is a new electronic online payment system which provides privacy for customers and accountability for merchants. It uses an exchange service to issue digital coins using blind signatures, and is thus not subject to the performance issues that plague Byzantine fault-tolerant consensus-based solutions.
The focus of this paper is addressing the challenges payment systems face in the context of the Web. We discuss how to address Web-specific challenges, such as handling bookmarks and sharing of links, as well as supporting users that have disabled JavaScript. Web payment systems must also navigate various constraints imposed by modern Web browser security architecture, such as same-origin policies and the separation between browser extensions and Web pages. While our analysis focuses on how Taler operates within the security infrastructure provided by the modern Web, the results partially generalize to other payment systems.
We also include the perspective of merchants, as existing systems have often struggled with securing payment information at the merchant’s side. Here, challenges include avoiding database transactions for customers that do not actually go through with the purchase, as well as cleanly separating security-critical functions of the payment system from the rest of the Web service.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Details of the protocol are documented at https://api.taler.net/.
- 2.
Given numerous TLS protocol and implementation flaws as well as X.509 key management incidents in recent years [15], one cannot generally assume that the security provided by TLS is adequate under all circumstances.
- 3.
- 4.
- 5.
This can happen when privacy conscious users delete their cookies. Also, some user agents (such as the TOR browser) do not support persistent (non-session) cookies.
- 6.
As previously said, this deposit request is aimed to exchange coins for bank money, and it is made by a merchant after successfully receiving coins from a wallet during the payment process.
- 7.
Auditors are typically run by financial regulatory bodies of states.
- 8.
The search query “verifiedbyvisa.com legit” is so common that, when we entered “verifiedbyvisa” into a search engine, it was the suggested auto-completion.
References
Chiptan/cardtan: What you see is what you sign (2016). http://www.kobil.com/solutions/identity-access-card-readers/chiptan/
EMVCO (2016). http://www.emvco.com/
Bahack, L.: Theoretical Bitcoin attacks with less than half of the computational power (draft). IACR Cryptology ePrint Archive 2013, 868 (2013). http://eprint.iacr.org/2013/868
Beigel, O.: What Bitcoin exchanges won’t tell you about fees (2015). https://www.cryptocoinsnews.com/what-bitcoin-exchanges-wont-tell-you-about-fees/. Accessed 10 Feb 2016
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in cryptology, pp. 199–203. Springer, New York (1983)
Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, Heidelberg (1990). doi:10.1007/0-387-34799-2_25
Constine, J.: After the Regretsy and Diaspora account freezes, we’ve lost confidence in PayPal, December 2011. http://techcrunch.com/2011/12/06/paypal-account-freeze/
Dold, F., Totakura, S.H., Müller, B., Burdges, J., Grothoff, C.: Taler: taxable anonymous libre electronic reserves
Dominguez, K.M.: Does central bank intervention increase the volatility of foreign exchange rates? Working Paper 4532, National Bureau of Economic Research, November 1993. http://www.nber.org/papers/w4532
Dunn, J.E.: Eurograbber SMS trojan steals 36 million from online banks, December 2012. http://www.techworld.com/news/security/eurograbber-sms-trojan-steals-36-million-from-online-banks-3415014/
Ehrenberg, B.: How much is your personal data worth? April 2014. http://www.theguardian.com/news/datablog/2014/apr/22/how-much-is-personal-data-worth
Eyal, I., Sirer, E.G.: Majority is not enough: bitcoin mining is vulnerable. CoRR abs/1311.0243 (2013). http://arxiv.org/abs/1311.0243
Green, M., Miers, I.: Bolt: anonymous payment channels for decentralized currencies. Cryptology ePrint Archive, Report 2016/701 (2016). http://eprint.iacr.org/2016/701
Heilman, E., Kendler, A., Zohar, A., Goldberg, S.: Eclipse attacks on Bitcoin’s peer-to-peer network. In: Proceedings of the 24th USENIX Conference on Security Symposium, SEC 2015, pp. 129–144. USENIX Association, Berkeley, CA, USA (2015). http://dl.acm.org/citation.cfm?id=2831143.2831152
Holz, R.: Empirical analysis of Public Key Infrastructures and investigation of improvements. Ph.D. thesis, TU Munich (2014)
Jeffries, A.: Why don’t economists like Bitcoin? (2013). http://www.theverge.com/2013/12/31/5260534/krugman-bitcoin-evil-economists. Accessed 28 Feb 2016
Jones, R.: Cap on card fees could lead to lower prices for consumers, July 2015. http://www.theguardian.com/money/2015/jul/27/cap-on-card-fees-retailers
van Kersteren, A.: Cross-origin resource sharing, January 2014. http://www.w3.org/TR/cors/
Lewis, N.: Bitcoin is a junk currency, but it lays the foundation for better money (2013). http://www.forbes.com/sites/nathanlewis/2013/05/09/bitcoin-is-a-junk-currency-but-it-lays-the-foundation-for-better-money/. Accessed 28 Feb 2016
Malmo, C.: Bitcoin is unsustainable (2015). https://www.cryptocoinsnews.com/what-bitcoin-exchanges-wont-tell-you-about-fees/. Accessed 10 Feb 2016
Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: Anonymous distributed e-cash from Bitcoin. In: IEEE Symposium on Security and Privacy (SP), pp. 397–411. IEEE (2013)
Murdoch, S.J., Anderson, R.: Verified by Visa and MasterCard SecureCode: or, how not to design authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 336–342. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14577-3_27. https://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)
NYA International: Cyber extortion risk report 2015, October 2015. http://www.nyainternational.com/sites/default/files/nya-publications/151027_Cyber_Extortion_Risk_Report_2015_0.pdf
Perlman, M.: The Invention of Capitalism: Classical Political Economy and the Secret History of Primitive Accumulation. Duke University Press Books (2000)
Reid, F., Harrigan, M.: An analysis of anonymity in the bitcoin system. In: Altshuler, Y., Elovici, Y., Cremers, A.B., Aharony, N., Pentland, A. (eds.) Security and Privacy in Social Networks. Springer, New York (2013). http://arxiv.org/abs/1107.4524
IBI research: Digitalisierung der gesellschaft 2014 – aktuelle einschätzungen und trends (2014). http://www.ecommerce-leitfaden.de/digitalisierung-der-gesellschaft-2014.html
Riley, M., Elgin, B., Lawrence, D., Matlack, C.: Missed alarms and 40 million stolen credit card numbers: how target blew it, March 2013. http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
Rundle, G.: The humble credit card is now a political tool, October 2011. http://www.crikey.com.au/2011/10/25/rundle-humble-credit-card-now-a-political-tool-just-ask-wikileaks/
Stallman, R.: How much surveillance can democracy withstand? WIRED (2013)
Sweney, M.: City AM becomes first UK newspaper to ban ad blocker users, October 2015. http://www.theguardian.com/media/2015/oct/20/city-am-ban-ad-blocker-users
Szent-Ivanyi, T.: Wie firmen ihre kassen manipulieren, August 2015. http://www.fr-online.de/wirtschaft/steuerhinterziehung-wie-firmen-ihre-kassen-manipulieren-,1472780,31535960.html
Trautman, L.J.: Virtual currencies: Bitcoin & what now after Liberty Reserve, Silk Road, and Mt. Gox? Richmond J. Law Technol. 20(4) (2014)
Volckart, O.: Early beginnings of the quantity theory of money and their context in polish and prussian monetary policies, c. 1520–1550. Economic Hist. Rev. 50(3), 430–449 (1997). http://www.jstor.org/stable/2599810
W3c: Web payments payment flows, February 2016. https://github.com/w3c/webpayments/tree/gh-pages/PaymentFlows
Wright, S.: PCI DSS A Practical Guide to Implementing and Maintaining Compliance. 3rd edn. It Governance Ltd. (2011)
Acknowledgements
This work benefits from the financial support of the Brittany Region (ARED 9178) and a grant from the Renewable Freedom Foundation. We thank Bruno Haible for his financial support enabling us to participate with the W3c payment working group. We thank the W3C payment working group for insightful discussions about Web payments. We thank Krista Grothoff and Neal Walfield for comments on an earlier draft of the paper. We thank Gabor Toth for his help with the implementation.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Burdges, J., Dold, F., Grothoff, C., Stanisci, M. (2016). Enabling Secure Web Payments with GNU Taler. In: Carlet, C., Hasan, M., Saraswat, V. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2016. Lecture Notes in Computer Science(), vol 10076. Springer, Cham. https://doi.org/10.1007/978-3-319-49445-6_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-49445-6_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49444-9
Online ISBN: 978-3-319-49445-6
eBook Packages: Computer ScienceComputer Science (R0)