On Tue, 11 Jul 2000, Paul D. Robertson wrote:

> I'd look closely at two-factor (hard token-based) authentication or
> challenge-response authentication.  Both of those can solve not only the
> insecurity issue, but the issues with malicious code presenting a
> certificate when a luser isn't present.

My recommendation also, for the same reasons.  The other reason is that
there is no way to ensure that a luser even puts a passphrase on their
certificate database, or a good one for that matter.  Then, a certificate
without a passphrase is in many ways less secure than a good strong
password (which you generally can check on the server-side).

-Jason

#include <std_disclaimer.h>

-- 

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
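The challenge-response approach recommended in this thread, as an added example that is not part of the original messages or of any product named in them. The `Server` and `Token` classes, the `SHARED_SECRET` value, and the helper function names are all assumptions made for illustration; the shared secret stands in for the key held by a hardware token and the authentication server, and it is never sent over the wire, which is why a passphrase-less certificate file or a script replaying captured traffic cannot substitute for the token holder being present.

```python
import hashlib
import hmac
import secrets

# Constructed example secret. In a real deployment this value lives inside the
# hard token and on the authentication server only, never in a file the user
# may leave unprotected.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"


class Server:
    """Authentication-server side of an HMAC-based challenge-response exchange."""

    def __init__(self, secret: bytes):
        self._secret = secret
        # Challenges issued but not yet answered; each one may be used once.
        self._outstanding = set()

    def issue_challenge(self) -> bytes:
        """Generate a fresh, unpredictable challenge and remember it."""
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        """Accept the response only for a challenge we issued and have not seen answered."""
        if challenge not in self._outstanding:
            return False  # unknown, already consumed, or replayed challenge
        self._outstanding.discard(challenge)  # consume it before checking
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


class Token:
    """Token side: proves possession of the secret without revealing it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def run_exchange(server: Server, token: Token) -> bool:
    """One complete login: server challenges, token answers, server verifies."""
    challenge = server.issue_challenge()
    response = token.respond(challenge)
    return server.verify(challenge, response)


def replay_is_rejected(server: Server, token: Token) -> bool:
    """A captured (challenge, response) pair must not log in a second time."""
    challenge = server.issue_challenge()
    response = token.respond(challenge)
    first = server.verify(challenge, response)
    second = server.verify(challenge, response)  # same pair presented again
    return first and not second


if __name__ == "__main__":
    srv = Server(SHARED_SECRET)
    print("genuine token accepted:", run_exchange(srv, Token(SHARED_SECRET)))
    print("wrong secret rejected:", not run_exchange(srv, Token(b"wrong")))
    print("replay rejected:", replay_is_rejected(srv, Token(SHARED_SECRET)))
```

The server-side checks are the point: it decides which challenges are live, consumes each one exactly once, and compares the answer in constant time. That is the property Jason contrasts with a client certificate database, where the server has no way to confirm that the private key was ever protected at all.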
