On 6 Jun 2001, at 8:30, Ken Griffith wrote:

> Gold Money now allows security certificates that are installed in the
> user's browser to authenticate transactions.
> 
> My question is: how easy is it for someone who can gain access to the
> user's computer (either physically or through a trojan) to COPY a
> security certificate and install it on another browser?  Does anyone
> know?

Hello Ken,

Here is an answer I got from the GoldMoney people:

My understanding is that for a trojan to steal the cert from the browser,
it must take advantage of a glaring security hole in the browser related
to how these certificates are stored on the client computer.  IE5 and
Netscape4 have undergone quite thorough security reviews in this regard,
and the management/security of client certs in both of these browsers is
reputed to be quite tight.  Therefore, the likelihood of a trojan being
able to steal the cert from the browser is very remote, if even possible
at all.

If an attacker gains physical access to the machine and has the necessary
passwords to log in to the user's account and access the cert, he could
steal a copy of the digital certificate from the machine.  Physical
security is as essential for digital certificates as it is for one's
wallet or checkbook.  One way to enhance physical security of the cert is
to store it on a smart card and never keep it on one's computer.


Claude

http://www.goldcurrencies.ca
http://www.ormetal.com
==================================
Claude Cormier Public Key
http://www.ormetal.com/PGPkey.html
==================================
