
weak links in DigiCash system




-----BEGIN PGP SIGNED MESSAGE-----

Jerod, I'm forwarding your message to a couple of lists.  I thought you
made good points.  Of course DigiCash is only running a demo, but still--
why demo poor security?  I think it doesn't make a good impression.


Bryce, signatures at end


- ------- Forwarded Message

To: [email protected]
cc: [email protected], [email protected]
Subject: Security in your ecash project.
Date: Tue, 26 Sep 1995 17:00:15 -0600
From: Jerod D Netherton <[email protected]>

I have a couple of problems/complaints with your ecash project.
When I was sent my Acct ID and Passwd they were sent to me plain text
instead of being PGP-encrypted first.  This means that some malicious
hacker could have intercepted the e-mail message and stolen the
free cyber-bucks you were so generous as to give me.  Second, on the
WWW-page where one downloads the software it does not seem to do a secure
connection between my browser and your server (in Netscape there is
a small key in the lower left-hand corner that is supposed to show when
one is securely connected to a secure server).  So someone could sniff my
password from the transaction when I GET the software.  Also, when I'm
buying/selling things it would be smart for all parties involved to
be using PGP, and I think you should stress this point more in your page.
Otherwise this is another vulnerable point in your system IMHO.
Thank you for your time.

  /\ The Scottish Claymore of All CyberSpace      UgradLab DumpMeister
 /\  Watcher of Anime.  Addictor to Muds.      WebMaster of OAA at CU!
<    E  A  N  O  R       JaDuN Comes.            Shade and Sweet Water
 \/               Yuri, Miyu, Nene, Ranma-chan, Ryoko, B-ko!
  \/ Anime, Chivalry, and Physics Forever!!!!	    Finger for PGP Key
Email:[email protected]  Phone:(303)786-8311   Pager:(303)610-1203
http://ugrad-www.cs.colorado.edu/~netherto/Home.html Lab:(303)492-6207

- ------- End of Forwarded Message

signatures follow

To strive, to seek, to find and not to yield.

[email protected]   http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Automatic PGP clearsigning under Unix with Bryce's Auto-PGP v1.0

iQCVAwUBMGiNz/WZSllhfG25AQHFMAQApc6Td8e6bQsBqpCU+EnfbYhueJthyYPS
rkHfFrenHNwG/MCEFtwXBBxEQP3yyvnY2qD9RrrhC3cN0HcFw2jE8r++2Y3Z9H7u
dJuIKodi2LP8POoW6dJPlW93N5E/+LhuCZvfqe78T2bIl20GIYQ5x0UUTm+APo2f
MLu6wUEAHTE=
=ofwj
-----END PGP SIGNATURE-----