Re: [PEN-TEST] Your opinions ... more info
From: David Vandervort <irvingthemagnificent () YAHOO COM>
Date: Tue, 31 Oct 2000 15:25:57 -0800
It doesn't matter what you tell them, it won't be good
> The bank will issue its own certificates using MS
> Certificate Server. They will not use the
> recommended method, certificate hierarchy. They
> will instead manually set up and issue certificates
> to clients when a request is approved.
This is the killer. Outside attacks will go for social
engineering to gain bogus certificates. They're
vulnerable as hell from the inside. They will try to
set up accounting controls to limit access, but
they've shown by other decisions that they don't
understand the technology well enough to make that
> certificates will be installed in MS IE by our
> support at client sites after receipt via email of
> the notification of certificate approval.
And the e-mail also has a certificate to verify it?
Didn't think so.
> detection of certificate compromise will be
> addressed by revocation and re-issuance to the
> client using the manual / approval process.
So do a clumsy attack on one in order to force
re-issuance of another - that can be stolen.
> The issue is the reliance on the
> certificate schema versus the VPN. We could argue
> forever about the effectiveness of authentication by
> logonid/password, and I'd rather focus on the issue.
The issue is that no matter what you tell them, it
will be inadequate. DON'T put yourself in the position
to be blamed! Bow out of this one before there's
> The client base will not exceed 200, so scaling is
> not really an issue.
Sounds like a special service for the really big bucks
clients. The incentive to break their system is,
therefore, very high. And their system is inadequate.
Do yourself a favor. Walk away.
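The two design points argued over in this thread, a proper certificate hierarchy (an offline root signing a subordinate issuing CA) and revocation that a verifier actually checks, look like the following when done with OpenSSL. This is an added example for the archive reader, not code from the original post and not the bank's MS Certificate Server setup; the CA names, the client name client-0001, and the file names are all made up, and OpenSSL is used in place of the Microsoft tooling discussed in the thread.

```shell
#!/bin/sh
# Added example (not from the list post): a two-level CA hierarchy with
# OpenSSL, a client certificate issued by the subordinate CA, then revocation
# via CRL. All names (Example Root CA, client-0001, file names) are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config: the issuing CA's database plus extension profiles.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = issuing

[ issuing ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/issuing.crt
private_key = $dir/issuing.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = client_ext
unique_subject = no

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = dn

[ dn ]

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ client_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
mkdir newcerts
: > index.txt
echo 1000 > serial
echo 1000 > crlnumber

build_hierarchy() {
  # Root CA: self-signed; in a real deployment its key stays offline.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.crt \
    -config openssl.cnf -extensions ca_ext >/dev/null 2>&1
  # Issuing CA: its CSR is signed by the root with CA extensions, so every
  # client cert chains root -> issuing CA -> client.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Issuing CA" -keyout issuing.key -out issuing.csr \
    -config openssl.cnf >/dev/null 2>&1
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 1825 -sha256 -extfile openssl.cnf \
    -extensions ca_ext -out issuing.crt >/dev/null 2>&1
}

issue_client() {
  # The client cert goes through the issuing CA's database so it can be
  # revoked later and appear on that CA's CRL.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client-0001" \
    -keyout client.key -out client.csr -config openssl.cnf >/dev/null 2>&1
  openssl ca -batch -config openssl.cnf -in client.csr -out client.crt \
    >/dev/null 2>&1
  openssl ca -config openssl.cnf -gencrl -out issuing.crl >/dev/null 2>&1
}

revoke_client() {
  # Mark the cert revoked in the CA database and publish a fresh CRL.
  openssl ca -batch -config openssl.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config openssl.cnf -gencrl -out issuing.crl >/dev/null 2>&1
}

verify_client() {
  # Exit 0 only if client.crt chains to the root through the issuing CA
  # and is not listed on the issuing CA's current CRL.
  openssl verify -crl_check -CAfile root.crt -CRLfile issuing.crl \
    -untrusted issuing.crt client.crt >/dev/null 2>&1
}

build_hierarchy
issue_client
if verify_client; then BEFORE_REVOKE=OK; else BEFORE_REVOKE=FAIL; fi
revoke_client
if verify_client; then AFTER_REVOKE=OK; else AFTER_REVOKE=REVOKED; fi
echo "before revocation: $BEFORE_REVOKE, after revocation: $AFTER_REVOKE"
```

The point of the last four lines is the one the thread makes about "revocation and re-issuance": revoking a certificate only protects anything if the relying party fetches the CRL and checks it, which is what the `-crl_check` flag forces here. Without that flag the revoked certificate still verifies as OK.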