From: "Joseph M. Reagle Jr." <reagle@MIT.EDU>
To: Jon Matonis <jon@verisign.com>
Message Hash: 425e7cb7d4f5fe98be223c98f8a82654b56394ff3976244c3e08a372366c0eda
Message ID: <9604091701.AA29911@rpcp.mit.edu>
Reply To: N/A
UTC Datetime: 1996-04-09 23:56:53 UTC
Raw Date: Wed, 10 Apr 1996 07:56:53 +0800
Subject: Re: Bank transactions on Internet
At 04:31 PM 4/8/96 -0700, you wrote:
>I agree with Jim at SFNB that the encryption made possible by VeriSign
>server certificates is an integral part of remote banking on the Web.
>However, I would encourage Security First and other banks looking at the Web
>to focus increased attention on client certificates AND to migrate away from
>their dependence on user passwords.
I brought this up with SFNB a month or so ago (when I opened my
account) and the word then was that client-side certificates would be
available within a month or so; my time guesstimate (based on what they were
saying) was half a year.
>Admittedly, client certificate
>functionality has not yet been available but it will probably be standard by
>mid-1996.
Let's hope so, I am not keeping significant funds in that account
until I have a certificate.
>Yes---it is true that security is never absolute.
I hope Eric Young does attempt to crack a 40-bit SFNB session as he
mentioned on cpx today.
>As Michael Karlin of SFNB noted and subsequently corrected, Netscape caches
>passwords.
I suspected this, and was further exposed because of a common
problem with using Netscape and the like from student accounts (with a big
10M quota), say on MIT's Athena, where I like my disk cache to reside in the
workstation's /tmp. I wipe(d) it whenever I log out, but I'm sure others
sprinkled their passwords in a million "public" caches before SFNB stuck
the no-cache tag in.
OBJava: do java applets have access to the cache, would it be possible to
write one of the little nasties that keep an eye on the cache?
>Additionally, people tend to use a single password for 10 or more of their
>relationships and one compromise, compromises all.
Indeed! How many people use their easily cracked "ftp:/etc/passwds"
password for SFNB?
_______________________
Regards,
Joseph Reagle
reagle@mit.edu
http://farnsworth.mit.edu/~reagle/home.html
E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E
"The best way to have a good idea is to have lots of ideas." - Linus Pauling
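A defensive check for the caching problem discussed in this thread, added here as an example and not part of the original message or of any bank's code: it parses a raw HTTP response, collects the Cache-Control, Pragma and META HTTP-EQUIV no-cache directives, and flags a password form whose page a browser could still write to a shared workstation's disk cache (only `no-store` forbids storing; `no-cache` alone only forces revalidation). The sample responses are constructed.

```python
import re

# Added example, not from the original thread. Response bytes below are constructed.
META_RE = re.compile(r'<meta\s+http-equiv\s*=\s*"?(?:cache-control|pragma)"?'
                     r'\s+content\s*=\s*"?([^">]+)', re.IGNORECASE)
PASSWORD_RE = re.compile(r'<input[^>]*type\s*=\s*"?password', re.IGNORECASE)

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("latin-1", "replace")

def cache_directives(headers, body):
    """Lowercase directives from Cache-Control, Pragma and META HTTP-EQUIV tags."""
    values = headers.get("cache-control", []) + headers.get("pragma", [])
    values += META_RE.findall(body)
    return {d.strip().lower() for v in values for d in v.split(",") if d.strip()}

def classify(raw: bytes) -> str:
    """'no-store': never written to disk; 'no-cache': stored but revalidated; else 'cacheable'."""
    _, headers, body = parse_response(raw)
    d = cache_directives(headers, body)
    if "no-store" in d:
        return "no-store"
    return "no-cache" if "no-cache" in d else "cacheable"

def audit(raw: bytes) -> dict:
    """Flag a password form whose page a shared workstation could keep in its disk cache."""
    _, _, body = parse_response(raw)
    verdict = classify(raw)
    has_pw = bool(PASSWORD_RE.search(body))
    return {"password_form": has_pw, "caching": verdict, "risky": has_pw and verdict != "no-store"}

FORM = b"<form><input type=password name=pin></form></html>"
WEAK = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>" + FORM
META_ONLY = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<html><head><META HTTP-EQUIV="Pragma" CONTENT="no-cache"></head>' + FORM)
HARDENED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Cache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\n\r\n<html>" + FORM)

if __name__ == "__main__":
    for name, raw in (("weak", WEAK), ("meta-only", META_ONLY), ("hardened", HARDENED)):
        print(name, audit(raw))
```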