1996-04-09 - Re: Bank transactions on Internet

Header Data

From: “Joseph M. Reagle Jr.” <reagle@MIT.EDU>
To: Jon Matonis <jon@verisign.com>
Message Hash: 425e7cb7d4f5fe98be223c98f8a82654b56394ff3976244c3e08a372366c0eda
Message ID: <9604091701.AA29911@rpcp.mit.edu>
Reply To: N/A
UTC Datetime: 1996-04-09 23:56:53 UTC
Raw Date: Wed, 10 Apr 1996 07:56:53 +0800

Raw message

From: "Joseph M. Reagle Jr." <reagle@MIT.EDU>
Date: Wed, 10 Apr 1996 07:56:53 +0800
To: Jon Matonis <jon@verisign.com>
Subject: Re: Bank transactions on Internet
Message-ID: <9604091701.AA29911@rpcp.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain


At 04:31 PM 4/8/96 -0700, you wrote:
>I agree with Jim at SFNB that the encryption made possible by VeriSign
>server certificates is an integral part of remote banking on the Web.
>However, I would encourage Security First and other banks looking at the Web
>to focus increased attention on client certificates AND to migrate away from
>their dependence on user passwords.

        I brought this up with SFNB a month or so ago (when I opened my
account) and the word then was that client side certificates would be
available within a month or so; my time guesstimate (based on what they were
saying) was half-a-year.

>Admittedly, client certificate
>functionality has not yet been available but it will probably be standard by
>mid-1996.

        Let's hope so, I am not keeping significant funds in that account
until I have a certificate.

>Yes---it is true that security is never absolute.

        I hope Eric Young does attempt to crack a 40-bit SFNB session as he
mentioned on cpx today.

>As Michael Karlin of SFNB noted and subsequently corrected, Netscape caches
>passwords.

        I suspected this, and was further exposed because of a common
problem with using Netscape and the like from student accounts (with a big
10M quota), say on MIT's athena, where I like my disk cache to reside in the
workstation's /tmp. I wipe(d) it whenever I log out, but I'm sure others
sprinkled their passwords in a million "public" caches before SFNB stuck
the no-cache tag in.

OBJava: do Java applets have access to the cache? Would it be possible to
write one of the little nasties that keep an eye on the cache?

>Additionally, people tend to use a single password for 10 or more of their
>relationships and one compromise, compromises all.

        Indeed! How many people use their easily cracked "ftp:/etc/passwds"
password for SFNB?

_______________________
Regards,            The best way to have a good 
                    idea is to have lots of ideas. - Linus Pauling
Joseph  Reagle      http://farnsworth.mit.edu/~reagle/home.html
reagle@mit.edu      E0 D5 B2 05 B6 12 DA 65  BE 4D E3 C1 6A 66 25 4E
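The "no-cache tag" mentioned in the message is the server-side mitigation for pages containing passwords ending up in a shared browser disk cache. The following is an added example, not code from the message, from SFNB or from Netscape: a defender-side check that inspects a response's headers and HTML meta tags and reports why a credential-bearing page could still be written to disk. The sample responses are constructed for a fictional login page; the meta-tag regex assumes `http-equiv` precedes `content`.

```python
import re
from typing import Dict, List, Set

# Constructed sample responses for a fictional banking login page; none of
# this is real SFNB or Netscape data.
SAMPLE_UNPROTECTED = ({"Content-Type": "text/html"},
                      '<html><form><input type="password" name="pin"></form></html>')
SAMPLE_META_ONLY = ({"Content-Type": "text/html"},
                    '<html><head><meta http-equiv="Pragma" content="no-cache"></head>'
                    '<form><input type="password" name="pin"></form></html>')
SAMPLE_HARDENED = ({"Content-Type": "text/html",
                    "Cache-Control": "no-store, no-cache, must-revalidate",
                    "Pragma": "no-cache",
                    "Expires": "0"},
                   '<html><form><input type="password" name="pin"></form></html>')

# Simplification (assumption): http-equiv is written before content in the meta tag.
META_RE = re.compile(
    r'<meta\s+http-equiv\s*=\s*["\']?(?:pragma|cache-control)["\']?\s+'
    r'content\s*=\s*["\']?([^"\'>]+)', re.IGNORECASE)


def cache_directives(headers: Dict[str, str], body: str = "") -> Set[str]:
    """Collect Cache-Control/Pragma directives from headers and HTML meta tags."""
    found: Set[str] = set()
    for name, value in headers.items():
        if name.lower() in ("cache-control", "pragma"):
            found.update(d.strip().lower() for d in value.split(","))
    for content in META_RE.findall(body):
        found.update(d.strip().lower() for d in content.split(","))
    return found


def cache_findings(headers: Dict[str, str], body: str = "") -> List[str]:
    """Problems with the caching policy of a page that carries credentials or account data."""
    directives = cache_directives(headers, body)
    problems: List[str] = []
    if "no-store" not in directives:
        # 'private' or 'no-cache' alone still lets the browser write the page to
        # its own disk cache: the shared-workstation exposure described above.
        problems.append("no 'no-store': page may be written to the browser disk cache")
    if "no-cache" not in directives:
        problems.append("no 'no-cache': clients predating Cache-Control look for Pragma/meta no-cache")
    if "expires" not in {k.lower() for k in headers}:
        problems.append("no Expires header: legacy caches may keep the page until evicted")
    return problems


if __name__ == "__main__":
    for label, (hdrs, html) in [("unprotected", SAMPLE_UNPROTECTED),
                                ("meta-only", SAMPLE_META_ONLY),
                                ("hardened", SAMPLE_HARDENED)]:
        print(label, cache_findings(hdrs, html) or "OK")
```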
