weak links in DigiCash system
-----BEGIN PGP SIGNED MESSAGE-----
Jerod, I'm forwarding your message to a couple of lists. I thought you
made good points. Of course DigiCash is only running a demo, but still--
why demo poor security? I think it doesn't make a good impression.
Bryce, signatures at end
- ------- Forwarded Message
To: [email protected]
cc: [email protected], [email protected]
Subject: Security in your ecash project.
Date: Tue, 26 Sep 1995 17:00:15 -0600
From: Jerod D Netherton <[email protected]>
I have a couple of problems/complaints with your ecash project.
When I was sent my Acct ID and Passwd they were sent to me plain text
instead of being PGP-encrypted first. This means that some malicious
hacker could have intercepted the e-mail message and stolen the
free cyber-bucks you were so generous as to give me. Second, on the
WWW-page where one downloads the software it does not seem to do a secure
connection between my browser and your server (on Netscape there is
a small key in the lower-left-hand corner that is supposed to show when
one is securely connected to a secure server). So someone could sniff my
password from the transaction when I GET the software. Also, when I'm
buying/selling things it would be smart for all parties involved to
be using PGP, and I think you should stress this point more in your page.
Otherwise this is another vulnerable point in your system IMHO.
Thank you for your time.
/\ The Scottish Claymore of All CyberSpace UgradLab DumpMeister
/\ Watcher of Anime. Addictor to Muds. WebMaster of OAA at CU!
< E A N O R JaDuN Comes. Shade and Sweet Water
\/ Yuri, Miyu, Nene, Ranma-chan, Ryoko, B-ko!
\/ Anime, Chivalry, and Physics Forever!!!! Finger for PGP Key
Email:[email protected] Phone:(303)786-8311 Pager:(303)610-1203
http://ugrad-www.cs.colorado.edu/~netherto/Home.html Lab:(303)492-6207
- ------- End of Forwarded Message
signatures follow
To strive, to seek, to find and not to yield.
[email protected] http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Automatic PGP clearsigning under Unix with Bryce's Auto-PGP v1.0
-----END PGP SIGNATURE-----