Enabling Secure Web Payments with GNU Taler

Conference paper, in: Security, Privacy, and Applied Cryptography Engineering (SPACE 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10076)

Abstract

GNU Taler is a new electronic online payment system which provides privacy for customers and accountability for merchants. It uses an exchange service to issue digital coins using blind signatures, and is thus not subject to the performance issues that plague Byzantine fault-tolerant consensus-based solutions.

The focus of this paper is addressing the challenges payment systems face in the context of the Web. We discuss how to address Web-specific challenges, such as handling bookmarks and sharing of links, as well as supporting users that have disabled JavaScript. Web payment systems must also navigate various constraints imposed by modern Web browser security architecture, such as same-origin policies and the separation between browser extensions and Web pages. While our analysis focuses on how Taler operates within the security infrastructure provided by the modern Web, the results partially generalize to other payment systems.

We also include the perspective of merchants, as existing systems have often struggled with securing payment information at the merchant’s side. Here, challenges include avoiding database transactions for customers that do not actually go through with the purchase, as well as cleanly separating security-critical functions of the payment system from the rest of the Web service.
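The abstract's mention of an exchange issuing coins with blind signatures refers to Chaum's construction [5]. The following is an added illustration, not code from the paper or from GNU Taler: a textbook RSA blind signature with toy-sized fixed primes, with the roles named as in Taler (wallet, exchange, merchant). All function names and parameters are my own assumptions.

```python
# Added illustration of Chaum-style RSA blind signatures with constructed toy
# primes: not Taler's actual protocol and not a secure parameter choice.
import hashlib
import secrets
from math import gcd

def make_exchange_key():
    # Constructed toy primes; a real exchange uses a 2048-bit or larger modulus.
    p, q = 1000003, 1000033
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d          # (public key, private exponent)

def coin_message(coin_pub: bytes, n: int) -> int:
    # The value the exchange signs: a hash of the coin's public key, mod n.
    return int.from_bytes(hashlib.sha256(coin_pub).digest(), "big") % n

def blind(m: int, pub):
    # Wallet: choose r coprime to n and hide m as m * r^e mod n.
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r

def sign_blinded(m_blind: int, pub, d: int) -> int:
    # Exchange: signs the blinded value without learning m, so it cannot
    # later link this withdrawal to the coin that is eventually spent.
    n, _ = pub
    return pow(m_blind, d, n)

def unblind(s_blind: int, r: int, pub) -> int:
    # Wallet: s_blind * r^-1 = (m * r^e)^d * r^-1 = m^d mod n.
    n, _ = pub
    return (s_blind * pow(r, -1, n)) % n

def verify(m: int, s: int, pub) -> bool:
    # Merchant (and exchange at deposit): an ordinary RSA check, s^e == m.
    n, e = pub
    return pow(s, e, n) == m

def withdraw(coin_pub: bytes, pub, d: int):
    # Full withdrawal round trip; returns (m, signature, what the exchange saw).
    m = coin_message(coin_pub, pub[0])
    m_blind, r = blind(m, pub)
    s = unblind(sign_blinded(m_blind, pub, d), r, pub)
    return m, s, m_blind
```

The third return value of `withdraw` is the only thing the exchange ever sees, which is why it cannot match a deposited coin to the withdrawal that created it.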


Notes

  1. Details of the protocol are documented at https://api.taler.net/.

  2. Given numerous TLS protocol and implementation flaws as well as X.509 key management incidents in recent years [15], one cannot generally assume that the security provided by TLS is adequate under all circumstances.

  3. https://github.com/frozeman/bitcoin-browser-wallet.

  4. http://hackingdistributed.com/2016/08/04/byzcoin/.

  5. This can happen when privacy-conscious users delete their cookies. Also, some user agents (such as the Tor Browser) do not support persistent (non-session) cookies.

  6. As noted above, this deposit request is meant to exchange coins for bank money, and it is made by a merchant after successfully receiving coins from a wallet during the payment process.

  7. Auditors are typically run by financial regulatory bodies of states.

  8. The search query “verifiedbyvisa.com legit” is so common that, when we entered “verifiedbyvisa” into a search engine, it was the suggested auto-completion.

References

  1. Chiptan/cardtan: What you see is what you sign (2016). http://www.kobil.com/solutions/identity-access-card-readers/chiptan/

  2. EMVCO (2016). http://www.emvco.com/

  3. Bahack, L.: Theoretical Bitcoin attacks with less than half of the computational power (draft). IACR Cryptology ePrint Archive 2013, 868 (2013). http://eprint.iacr.org/2013/868

  4. Beigel, O.: What Bitcoin exchanges won’t tell you about fees (2015). https://www.cryptocoinsnews.com/what-bitcoin-exchanges-wont-tell-you-about-fees/. Accessed 10 Feb 2016

  5. Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in cryptology, pp. 199–203. Springer, New York (1983)

  6. Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, Heidelberg (1990). doi:10.1007/0-387-34799-2_25

  7. Constine, J.: After the Regretsy and Diaspora account freezes, we’ve lost confidence in PayPal, December 2011. http://techcrunch.com/2011/12/06/paypal-account-freeze/

  8. Dold, F., Totakura, S.H., Müller, B., Burdges, J., Grothoff, C.: Taler: taxable anonymous libre electronic reserves

  9. Dominguez, K.M.: Does central bank intervention increase the volatility of foreign exchange rates? Working Paper 4532, National Bureau of Economic Research, November 1993. http://www.nber.org/papers/w4532

  10. Dunn, J.E.: Eurograbber SMS trojan steals 36 million from online banks, December 2012. http://www.techworld.com/news/security/eurograbber-sms-trojan-steals-36-million-from-online-banks-3415014/

  11. Ehrenberg, B.: How much is your personal data worth? April 2014. http://www.theguardian.com/news/datablog/2014/apr/22/how-much-is-personal-data-worth

  12. Eyal, I., Sirer, E.G.: Majority is not enough: bitcoin mining is vulnerable. CoRR abs/1311.0243 (2013). http://arxiv.org/abs/1311.0243

  13. Green, M., Miers, I.: Bolt: anonymous payment channels for decentralized currencies. Cryptology ePrint Archive, Report 2016/701 (2016). http://eprint.iacr.org/2016/701

  14. Heilman, E., Kendler, A., Zohar, A., Goldberg, S.: Eclipse attacks on Bitcoin’s peer-to-peer network. In: Proceedings of the 24th USENIX Conference on Security Symposium, SEC 2015, pp. 129–144. USENIX Association, Berkeley, CA, USA (2015). http://dl.acm.org/citation.cfm?id=2831143.2831152

  15. Holz, R.: Empirical analysis of Public Key Infrastructures and investigation of improvements. Ph.D. thesis, TU Munich (2014)

  16. Jeffries, A.: Why don’t economists like Bitcoin? (2013). http://www.theverge.com/2013/12/31/5260534/krugman-bitcoin-evil-economists. Accessed 28 Feb 2016

  17. Jones, R.: Cap on card fees could lead to lower prices for consumers, July 2015. http://www.theguardian.com/money/2015/jul/27/cap-on-card-fees-retailers

  18. van Kersteren, A.: Cross-origin resource sharing, January 2014. http://www.w3.org/TR/cors/

  19. Lewis, N.: Bitcoin is a junk currency, but it lays the foundation for better money (2013). http://www.forbes.com/sites/nathanlewis/2013/05/09/bitcoin-is-a-junk-currency-but-it-lays-the-foundation-for-better-money/. Accessed 28 Feb 2016

  20. Malmo, C.: Bitcoin is unsustainable (2015). https://www.cryptocoinsnews.com/what-bitcoin-exchanges-wont-tell-you-about-fees/. Accessed 10 Feb 2016

  21. Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: Anonymous distributed e-cash from Bitcoin. In: IEEE Symposium on Security and Privacy (SP), pp. 397–411. IEEE (2013)

  22. Murdoch, S.J., Anderson, R.: Verified by Visa and MasterCard SecureCode: or, how not to design authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 336–342. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14577-3_27. https://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

  23. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)

  24. NYA International: Cyber extortion risk report 2015, October 2015. http://www.nyainternational.com/sites/default/files/nya-publications/151027_Cyber_Extortion_Risk_Report_2015_0.pdf

  25. Perlman, M.: The Invention of Capitalism: Classical Political Economy and the Secret History of Primitive Accumulation. Duke University Press Books (2000)

  26. Reid, F., Harrigan, M.: An analysis of anonymity in the bitcoin system. In: Altshuler, Y., Elovici, Y., Cremers, A.B., Aharony, N., Pentland, A. (eds.) Security and Privacy in Social Networks. Springer, New York (2013). http://arxiv.org/abs/1107.4524

  27. IBI research: Digitalisierung der gesellschaft 2014 – aktuelle einschätzungen und trends (2014). http://www.ecommerce-leitfaden.de/digitalisierung-der-gesellschaft-2014.html

  28. Riley, M., Elgin, B., Lawrence, D., Matlack, C.: Missed alarms and 40 million stolen credit card numbers: how target blew it, March 2013. http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

  29. Rundle, G.: The humble credit card is now a political tool, October 2011. http://www.crikey.com.au/2011/10/25/rundle-humble-credit-card-now-a-political-tool-just-ask-wikileaks/

  30. Stallman, R.: How much surveillance can democracy withstand? WIRED (2013)

  31. Sweney, M.: City AM becomes first UK newspaper to ban ad blocker users, October 2015. http://www.theguardian.com/media/2015/oct/20/city-am-ban-ad-blocker-users

  32. Szent-Ivanyi, T.: Wie firmen ihre kassen manipulieren, August 2015. http://www.fr-online.de/wirtschaft/steuerhinterziehung-wie-firmen-ihre-kassen-manipulieren-,1472780,31535960.html

  33. Trautman, L.J.: Virtual currencies: Bitcoin & what now after Liberty Reserve, Silk Road, and Mt. Gox? Richmond J. Law Technol. 20(4) (2014)

  34. Volckart, O.: Early beginnings of the quantity theory of money and their context in polish and prussian monetary policies, c. 1520–1550. Economic Hist. Rev. 50(3), 430–449 (1997). http://www.jstor.org/stable/2599810

  35. W3c: Web payments payment flows, February 2016. https://github.com/w3c/webpayments/tree/gh-pages/PaymentFlows

  36. Wright, S.: PCI DSS A Practical Guide to Implementing and Maintaining Compliance. 3rd edn. It Governance Ltd. (2011)

Acknowledgements

This work benefits from the financial support of the Brittany Region (ARED 9178) and a grant from the Renewable Freedom Foundation. We thank Bruno Haible for his financial support enabling us to participate in the W3C payment working group. We thank the W3C payment working group for insightful discussions about Web payments. We thank Krista Grothoff and Neal Walfield for comments on an earlier draft of the paper. We thank Gabor Toth for his help with the implementation.

Author information

Corresponding author: Christian Grothoff.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Burdges, J., Dold, F., Grothoff, C., Stanisci, M. (2016). Enabling Secure Web Payments with GNU Taler. In: Carlet, C., Hasan, M., Saraswat, V. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2016. Lecture Notes in Computer Science, vol 10076. Springer, Cham. https://doi.org/10.1007/978-3-319-49445-6_14

  • DOI: https://doi.org/10.1007/978-3-319-49445-6_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49444-9

  • Online ISBN: 978-3-319-49445-6

  • eBook Packages: Computer Science (R0)