
Re: verisign digital id's for outlook <shudder>




>A quick question for all you security-savvy people.  Our IT instructor has
>asked the class to sign up for VeriSign's 60-day trial of a class 1 digital
>ID.
>
>I also understand that a well (poorly?) written ActiveX applet can grab my
>key basically without my knowledge (to speak nothing of the other myriad
>holes in win98/95).
>
>My question is, where the hell is the private key kept on the user's box?
>How is it protected against attack?
 
It's protected by Microsoft asserting that it's protected.  There's also some
sort of attempt at encryption (easily broken, see
http://www.cs.auckland.ac.nz/~pgut001/breakms.txt), but in any case there are
enough security holes there that anything which manages to run on your system
(ActiveX, as you've mentioned) can grab your keys without a lot of trouble.
 
Peter.