Author: Jeremy Spilman 2014-03-02 10:38:04
Published on: 2014-03-02T10:38:04+00:00
In a 2014 email exchange, Mike Hearn expressed concerns about the security risks associated with payment processors that allow open signups. He warned that a hacker who compromised a user's computer could sign up for a payment processor under a false identity and wait until the user made a payment to someone else using the same processor. The hacker could then swap out the real payment request for one of their own, which would look identical on the user's Trezor device. This could be avoided by embedding additional information in the payment request, such as specific fields defined in an extension, which would be reliably shown in the user interface. However, there were difficulties in getting certificate authorities to allow additional fields in certificates, so a simpler solution might be to have a single field containing a delimited key/value string (in JSON format) that could be shown as additional lines of labeled text in the UI. Any additional fields should be hashed using the hash function specified in pki_type and signed with the private key of X509Certificates.certificate.
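The wallet-side check this proposal implies, as an added example that is not code from the email thread or from any wallet: hash the raw JSON field with the function named by pki_type, require a valid signature over that digest, and only then render one labeled line per key. The function names, the verify callback, the sample merchants and the in-memory stand-in for X.509 signing are all assumptions made for illustration.

```python
import hashlib
import json

# Hash function specified by each signed BIP 70 pki_type value.
PKI_HASHES = {"x509+sha256": hashlib.sha256, "x509+sha1": hashlib.sha1}

def _no_duplicates(pairs):
    # A repeated key could be displayed differently by two JSON parsers.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate label in extra fields")
    return dict(pairs)

def display_lines(pki_type, extra_json, signature, verify):
    """Return the labeled UI lines for signed extra fields, or raise.

    extra_json holds the raw bytes of the (hypothetical) extension field;
    verify(digest, signature) is assumed to check the signature against
    the public key of the request's X.509 certificate.
    """
    if pki_type not in PKI_HASHES:  # "none" or unknown: nothing is signed
        raise ValueError("request is not signed")
    digest = PKI_HASHES[pki_type](extra_json).digest()
    if not verify(digest, signature):
        raise ValueError("bad signature over extra fields")
    fields = json.loads(extra_json.decode("utf-8"),
                        object_pairs_hook=_no_duplicates)
    if not isinstance(fields, dict):
        raise ValueError("extra fields must be a JSON object")
    lines = []
    for label, value in fields.items():
        text = "%s: %s" % (label, value)
        # Control characters could forge an extra line on the device.
        if not isinstance(value, str) or any(ord(c) < 32 or ord(c) == 127 for c in text):
            raise ValueError("unsafe value for %r" % label)
        lines.append(text)
    return lines

# Constructed demo: one processor certificate, two merchants' requests.
SIGNED = set()  # stand-in for real X.509 signing (sha256 only), not real crypto
def sign(data):
    SIGNED.add(hashlib.sha256(data).digest())
    return b"constructed-signature"
def verify(digest, signature):
    return digest in SIGNED

REAL = b'{"Merchant": "Example Books", "Order": "1001"}'
SWAPPED = b'{"Merchant": "Another Shop", "Order": "7"}'
SIG_REAL, SIG_SWAPPED = sign(REAL), sign(SWAPPED)
```

Both constructed requests verify under the same processor key, yet they produce different lines on the device, so a swapped request no longer looks the same as the real one.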
Updated on: 2023-06-08T03:31:02.499059+00:00