At 04:31 PM 4/8/96 -0700, you wrote:
> I agree with Jim at SFNB that the encryption made possible by VeriSign server certificates is an integral part of remote banking on the Web. However, I would encourage Security First and other banks looking at the Web to focus increased attention on client certificates AND to migrate away from their dependence on user passwords.
I brought this up with SFNB a month or so ago (when I opened my account), and the word then was that client-side certificates would be available within a month or so; my time guesstimate (based on what they were saying) was half a year.
> Admittedly, client certificate functionality has not yet been available but it will probably be standard by mid-1996.
Let's hope so; I am not keeping significant funds in that account until I have a certificate.
> Yes---it is true that security is never absolute.
I hope Eric Young does attempt to crack a 40-bit SFNB session as he mentioned on cpx today.
> As Michael Karlin of SFNB noted and subsequently corrected, Netscape caches passwords.
I suspected this, and was further exposed because of a common problem with using Netscape and the like from student accounts (with a big 10M quota), say on MIT's Athena, where I like my disk cache to reside in the workstation's /tmp. I wipe(d) it whenever I log out, but I'm sure others sprinkled their passwords in a million "public" caches before SFNB stuck the no-cache tag in. OBJava: do Java applets have access to the cache? Would it be possible to write one of the little nasties that keeps an eye on the cache?
> Additionally, people tend to use a single password for 10 or more of their relationships and one compromise, compromises all.
Indeed! How many people use their easily cracked "ftp:/etc/passwds" password for SFNB?

_______________________
Regards,
The best way to have a good idea is to have lots of ideas. - Linus Pauling
Joseph Reagle
http://farnsworth.mit.edu/~reagle/home.html
reagle@mit.edu
E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E