From: Bryce Wilcox <wilcoxb@taussky.cs.colorado.edu>
To: ecm@ai.mit.edu
Message Hash: 7d1f575334b76acbbe06b0840fe53b846c217a8cc034a5da8fa4c68bd53c15a7
Message ID: <199509262333.RAA01743@taussky.cs.colorado.edu>
Reply To: N/A
UTC Datetime: 1995-09-27 00:32:07 UTC
Raw Date: Tue, 26 Sep 95 17:32:07 PDT
Subject: weak links in DigiCash system
-----BEGIN PGP SIGNED MESSAGE-----
Jerod, I'm forwarding your message to a couple of lists. I thought you
made good points. Of course DigiCash is only running a demo, but still--
why demo poor security? I think it doesn't make a good impression.
Bryce, signatures at end
- ------- Forwarded Message
To: ecash-feedback@digicash.com
cc: netherto@taussky.cs.colorado.edu, wilcoxb@taussky.cs.colorado.edu
Subject: Security in your ecash project.
Date: Tue, 26 Sep 1995 17:00:15 -0600
From: Jerod D Netherton <netherto@taussky.cs.colorado.edu>
I have a couple of problems/complaints with your ecash project.
When I was sent my Acct ID and Passwd they were sent to me in plain text
instead of being PGP-encrypted first. This means that some malicious
hacker could have intercepted the e-mail message and stolen the
free cyber-bucks you were so generous as to give me. Second, on the
WWW-page where one downloads the software it does not seem to do a secure
connection between my browser and your server (on Netscape there is
a small key in the lower-left hand corner that is supposed to show when
one is securely connected to a secure server). So someone could sniff my
password from the transaction when I GET the software. Also, when I'm
buying/selling things it would be smart for all parties involved to
be using PGP, and I think you should stress this point more in your page.
Otherwise this is another vulnerable point in your system IMHO.
Thank you for your time.
/\ The Scottish Claymore of All CyberSpace UgradLab DumpMeister
/\ Watcher of Anime. Addictor to Muds. WebMaster of OAA at CU!
< E A N O R JaDuN Comes. Shade and Sweet Water
\/ Yuri, Miyu, Nene, Ranma-chan, Ryoko, B-ko!
\/ Anime, Chivalry, and Physics Forever!!!! Finger for PGP Key
Email:netherto@colorado.edu Phone:(303)786-8311 Pager:(303)610-1203
http://ugrad-www.cs.colorado.edu/~netherto/Home.html Lab:(303)492-6207
- ------- End of Forwarded Message
signatures follow
To strive, to seek, to find and not to yield.
bryce@colorado.edu http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Automatic PGP clearsigning under Unix with Bryce's Auto-PGP v1.0
-----END PGP SIGNATURE-----