1. 12

    1. 2

      I don’t see how much security is added by that. OK, so it stores my CC number in the secret zone and then the browser asks for it to be sent to the merchant, right? I assume they can’t be so dumb to just forward the CC number to the browser, so the secure OS must handle that on its own. But how does the OS know where to send the info? The browser tells it. The browser could tell it to send the money anywhere. I can see it being made to work, but it involves a lot more work by the user to re-verify that all the addresses and values are correct inside the secure zone. And if you’re just going to click OK, what’s the point?

      Personally, I just use the Amazon app instead of the browser. That alone moves my credentials beyond the reach of most browser exploits.

      1. 2

        It’s all part of the game.

        1. 2

          Alas, I can’t tell if by game you mean “multiple layers of defense in depth security” or “security sideshow checkbox checking”.

          1. 3

            Ah, by security game, I mean security theatrics. This strikes me as one of those things that makes a nice marketing bullet point, but does little to nothing to actually secure the system. For example,

            > The browser could tell it to send the money anywhere. I can see it being made to work, but it involves a lot more work by the user to re-verify that all the addresses and values are correct inside the secure zone.

            As an Android user, I’m not even sure I could do that, except maybe with a specially modified browser that I trusted. If I wanted any level of security out of a mobile device, Android would not be the choice for me. (In fact, I don’t know that there are many good choices, short of something like a Zaurus loaded with OpenBSD, and then you still have the firmware attack surface to consider.)