
kennu | 9 months ago

At minimum, the government gets a "ping" when identified citizens visit adult sites requiring the age check, so they can keep a record. In worse scenarios, maybe some identifier leaks through that can also identify which site they visited. And of course, the identification apps can be hacked through supply chain attacks etc.

fulafel | 9 months ago

Without knowing the specifics, this is not necessarily the case. It could be implemented without needing to ping "the government". As a strawman idea, there could be a monthly refreshed distributed database of booleans per citizen identity and accessed through a keyed hash.
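One way the strawman above could look in code (an added illustration, not fulafel's own design or code): the authority publishes a monthly table keyed by an HMAC-SHA256 tag of the citizen identity, verifiers download the table and answer lookups locally, so no per-visit request reaches the authority. The registry contents and the key handling are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample registry held by the authority: identity -> is_adult.
REGISTRY = {
    "citizen-0001": True,
    "citizen-0002": False,
    "citizen-0003": True,
}


def tag(month_key: bytes, identity: str) -> str:
    """Keyed hash of an identity under this month's key (HMAC-SHA256)."""
    return hmac.new(month_key, identity.encode(), hashlib.sha256).hexdigest()


def publish_table(month_key: bytes, registry: dict) -> dict:
    """Authority side: build the month's table of tag -> boolean.

    The published table carries no identities in clear; without the key an
    observer holding the table cannot compute tags to look anyone up.
    """
    return {tag(month_key, ident): adult for ident, adult in registry.items()}


def check_offline(table: dict, month_key: bytes, identity: str) -> bool:
    """Verifier side: answer the age check from the downloaded table.

    Nothing is sent to the authority per visit, so there is no visit to log.
    Unknown identities and stale keys both fail closed (False). Caveat: a
    verifier that holds the key and a candidate identity can still enumerate
    tags, so key custody is the sensitive part of this scheme.
    """
    return table.get(tag(month_key, identity), False)


# Fresh key for this month and the table distributed to verifiers.
MONTH_KEY = secrets.token_bytes(32)
TABLE = publish_table(MONTH_KEY, REGISTRY)

# Next month's key: tags under it do not match the old table, so a verifier
# must refresh the table rather than keep answering from a stale copy.
NEXT_MONTH_KEY = secrets.token_bytes(32)
```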

rvnx | 9 months ago

There is a very possible attack. Open a porn website, buy ad traffic in France, once users are here, claim identity needs to be verified. In the background, start the process to open a bank account in one of these online banks and act as a relay in the verification process.

ffsm8 | 9 months ago

Is that an actual threat model, and/or are you just making stuff up?

I'm asking because even OAuth would make this kind of attack vector impossible, as the referrer and redirect URLs are verified - and I sincerely doubt they're so incompetent not to do something similar in such a context.

Aissen | 9 months ago

No, that would defeat the entire point, and any such system should be fought indeed. It's possible to build systems that explicitly do not have this property.