Re: [PEN-TEST] Your opinions are solicited ...

["van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>]

On Mon, 30 Oct 2000, Jim Miller wrote:

> .. on the configuration of security for an Internet application to be deployed.  The bank that I work for is planning 
> to deploy a cash mgt application on the internet.  They propose to secure the application and its face on the Net 
> with SSL and MS Certificate Server.

...

> The sessions will be protected from Net snooping by SSL's 132 bit encryption, " as strong as IP tunnelling".

132 bits? I guess 128 bits is the proper number.

> Access will be controlled by installing a certificate on each remote client.  The installation is done via download 
> from the Certificate Server,  but is a manual process:  the remote will request the certificate and the server will 
> download only after a process is started by support.
> The IT staff is unsure where the certificate resides on the client.  They suppose it to be both file based and in the 
> Registry.  They have tried the "certificate export" process in IE and found that it will not export, so they are 
> satisfied that it provides the level of security required to secure a cash mgt application.  They note that the HTML 
> page presented to IE without the certificate is an error page.  There is no way to get at the certiciate on the Net 
> site.
> The cash mgt application has its own security, but I note that it is application level security, and that using only 
> logonid / password authentication across the Net is generally held to be a mistake.

Using plain passwords is not an option for safety reasons. A staff that
doesn't know where items reside scare me a lot. If you don't know how the
client side behaves then how can you be confident it will work and can't
be broken into?

I know Dutch banks are required to use hardware tokens and some sort of
one-time passwords. I wouldn't trust a bank with fixed username/passwords
to do my business. (Unfortunatly there are plenty of banks that think it's
safe enough.) Any bank that would offer it to me would loose me as
customer the instant I learned they don't use one-time passwords.

Even then there may be ways to do unpleasant things. (The Dutch ABN bank
was shown that the application at the customer site could be modified and
the actuals transactions could be modified without the customer noticing
the issue.)

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)