-----BEGIN PGP SIGNED MESSAGE-----

Jerod, I'm forwarding your message to a couple of lists. I thought you made good points. Of course DigiCash is only running a demo, but still-- why demo poor security? I think it doesn't make a good impression.

Bryce, signatures at end

- ------- Forwarded Message

To: ecash-feedback@digicash.com
cc: netherto@taussky.cs.colorado.edu, wilcoxb@taussky.cs.colorado.edu
Subject: Security in your ecash project.
Date: Tue, 26 Sep 1995 17:00:15 -0600
From: Jerod D Netherton <netherto@taussky.cs.colorado.edu>

I have a couple of problems/complaints with your ecash project.

When I was sent my Acct ID and Passwd they were sent to me plain text instead of being PGP-encrypted first. This means that some malicious hacker could have intercepted the e-mail message and stolen the free cyber-bucks you were so generous as to give me.

Second, on the WWW-page where one downloads the software it does not seem to do a secure connection between my browser and your server (on Netscape there is a small key in the lower-left hand corner that is supposed to show when one is securely connected to a secure server). So someone could sniff my password from the transaction when I GET the software.

Also, when I'm buying/selling things it would be smart for all parties involved to be using PGP, and I think you should stress this point more in your page. Otherwise this is another vulnerable point in your system IMHO.

Thank you for your time.

/\ The Scottish Claymore of All CyberSpace UgradLab DumpMeister /\
Watcher of Anime. Addictor to Muds. WebMaster of OAA at CU!
< E A N O R JaDuN Comes. Shade and Sweet Water
\/ Yuri, Miyu, Nene, Ranma-chan, Ryoko, B-ko! \/
Anime, Chivalry, and Physics Forever!!!! Finger for PGP Key
Email:netherto@colorado.edu Phone:(303)786-8311 Pager:(303)610-1203
http://ugrad-www.cs.colorado.edu/~netherto/Home.html Lab:(303)492-6207

- ------- End of Forwarded Message

signatures follow

To strive, to seek, to find and not to yield.
bryce@colorado.edu http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Automatic PGP clearsigning under Unix with Bryce's Auto-PGP v1.0

iQCVAwUBMGiNz/WZSllhfG25AQHFMAQApc6Td8e6bQsBqpCU+EnfbYhueJthyYPS
rkHfFrenHNwG/MCEFtwXBBxEQP3yyvnY2qD9RrrhC3cN0HcFw2jE8r++2Y3Z9H7u
dJuIKodi2LP8POoW6dJPlW93N5E/+LhuCZvfqe78T2bIl20GIYQ5x0UUTm+APo2f
MLu6wUEAHTE=
=ofwj
-----END PGP SIGNATURE-----