
Re: Bank transactions on Internet



At 04:31 PM 4/8/96 -0700, you wrote:
>I agree with Jim at SFNB that the encryption made possible by VeriSign
>server certificates is an integral part of remote banking on the Web.
>However, I would encourage Security First and other banks looking at the Web
>to focus increased attention on client certificates AND to migrate away from
>their dependence on user passwords.

        I brought this up with SFNB a month or so ago (when I opened my
account) and the word then was that client side certificates would be
available within a month or so; my time guesstimate (based on what they were
saying) was half a year.

>Admittedly, client certificate
>functionality has not yet been available but it will probably be standard by
>mid-1996.

        Let's hope so, I am not keeping significant funds in that account
until I have a certificate.

>Yes---it is true that security is never absolute.

        I hope Eric Young does attempt to crack a 40-bit SFNB session as he
mentioned on cpx today.

>As Michael Karlin of SFNB noted and subsequently corrected, Netscape caches
>passwords.

        I suspected this, and was further exposed because of a common
problem with using Netscape and the like from student accounts (with a big
10M quota), say on MIT's Athena, where I like my disk cache to reside in the
workstation's /tmp. I wipe(d) it whenever I log out, but I'm sure others
sprinkled their passwords in a million "public" caches before SFNB stuck
the no-cache tag in.

OBJava: do Java applets have access to the cache? Would it be possible to
write one of the little nasties that keep an eye on the cache?

>Additionally, people tend to use a single password for 10 or more of their
>relationships and one compromise, compromises all.

        Indeed! How many people use their easily cracked "ftp:/etc/passwds"
password for SFNB?

_______________________
Regards,            The best way to have a good 
                    idea is to have lots of ideas. - Linus Pauling
Joseph  Reagle      http://farnsworth.mit.edu/~reagle/home.html
[email protected]      E0 D5 B2 05 B6 12 DA 65  BE 4D E3 C1 6A 66 25 4E