There's a very nice paper by Ross Anderson called "Why Cryptosystems
Fail" available at http://citeseer.nj.nec.com/9195.html - it's a crappy
PDF file on the site ... I have a high quality original if anyone's
interested.

The basic message is that trusting in technology does not give you
security - SSL and PIN can all be bypassed with ease if you have the
time or the desire ...  there was a nice article on cryptome.org a while
back about this.

--
Edmund Cramp
http://www.emgsrus.com/graffiti.htm


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of John Hebert
> Sent: Monday, March 25, 2002 1:46 PM
> To: [EMAIL PROTECTED]
> Subject: SSL and security was Re: [brluglist] Yahoo E-Mail - Beware:
> Non-Linux Related
>
>
> Well, there's a big ole can of worms you are opening.
> :)
>
> There are a number of security factors to consider
> beyond SSL and PIN numbers (authentication,
> authorization, network security, etc, ad
> infinitum,...), but for the sake of this discussion,
> let's just consider SSL with a PIN.
>
> IMHO, for your needs, SSL (Secure Socket Layer) is
> secure. I assume that Yahoo can support 128-bit SSL
> encryption, so make sure your browser(s) use this.
> Most new browsers do. If you want to know more about
> SSL: http://www.openssl.org. Anybody know how long it
> would take to decrypt 128-bit SSL?
>
> Now the PIN is another story. Treat the PIN just like
> a password, which is basically what it is. I assume
> that Yahoo keeps these PINs encrypted and secure in
> their databases, but, who knows for sure?
>
> Also, make sure you have a good SSL connection
> (https://...) with the little "gold key" icon whenever
> you transmit secure data from your browser.
>
> John Hebert
>
> --- Kory Wnuk <[EMAIL PROTECTED]> wrote:
> > As I am sure that many of you are aware, Yahoo is
> > attempting to have users of the Yahoo mail system pay
> > for POP access and mail forwarding.  This is not an
> > overly big deal to me personally.  However, to pay for
> > this service one is required to have a Yahoo "Wallet"
> > account.  This will allow all of my credit card
> > numbers to be stored in one location for easy access.
> > This is supposedly secure (SSL).  This combined with a
> > PIN is supposed to make me feel comfortable.  Does
> > anyone have any information regarding what level of
> > security might be expected from a system such as the
> > one I have briefly described?  Thanks.
> >
> > -K
> >
> > =====
> > Contrary to what you may believe, I don't do
> > Windows!
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Movies - coverage of the 74th Academy Awards®
> > http://movies.yahoo.com/
> > ================================================
> > BRLUG - The Baton Rouge Linux User Group
> > Visit http://www.brlug.net for more information.
> > Send email to [EMAIL PROTECTED] to change
> > your subscription information.
> > ================================================
>
>

