Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... more info


From: David Vandervort <irvingthemagnificent () YAHOO COM>
Date: Tue, 31 Oct 2000 15:25:57 -0800

It doesn't matter what you tell them, it won't be good
enough.

Certificates:
The bank will issue its own certificates using MS
Certificate Server.  They will not use the
recommended method, certificate hierarchy.  They
will instead manually set up and issue certificates
to clients when a request is approved.

This is the killer. Outside attacks will go for social
engineering to gain bogus certificates. They're
vulnerable as hell from the inside. They will try to
set up accounting controls to limit access, but
they've shown by other decisions that they don't
understand the technology well enough to make that
work.

The certificates will be installed in MS IE by our
support at client sites after receipt via email of
the notification of certificate approval.

And the e-mail also has a certificate to verify it?
Didn't think so.

Any detection of certificate compromise will be
addressed by revocation and re-issuance to the
client using the manual / approval process.


So do a clumsy attack on one in order to force
re-issuance of another - that can be stolen.

The issue is the reliance on the
certificate schema versus the VPN.  We could argue
forever about the effectiveness of authentication by
logonid/password, and I'd rather focus on the issue.


The issue is that no matter what you tell them, it
will be inadequate. DON'T put yourself in the position
to be blamed! Bow out of this one before there's
trouble.

The client base will not exceed 200, so scaling is
not really an issue.

Sounds like a special service for the really big bucks
clients. The incentive to break their system is,
therefore, very high. And their system is inadequate.

Do yourself a favor. Walk away.
