
Re: BofA+Netscape




| Lads,
| 
| I thought many of you would be interested in the text of this story. I'm
| wondering if anyone has any comments on the encryption mechanism (i.e.
| "eavesdropping" protection) being used.

	It is my personal feeling that Netscape doesn't have the right
talent mix to develop secure software.  For example, they may well get
the RSA parts right, and then store the passphrase in a text file,
'for ease of use.'  The RSA is secure, but the system is not secure if
unauthorized people using your machine is a possibility.

	Writing secure software is a difficult and tricky business
that requires a lot of effort; early versions of Mosaic had problems.

	Netscape really needs to develop a threat model that allows
them to assess the severity of potential problems.  It is my guess
that they have not done so, although I'd be pleased to hear I'm
wrong.

	Everyone's favorite company, First Virtual, seems to have
developed a threat model that allows them to offload almost all risk
and security problems to their customers.  It may not be a good
solution, but at least they have considered how the security of their
system intersects the real world.  Just integrating RSA does not do
that.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
						       -Hume