Secure Coding mailing list archives
"Bumper sticker" definition of secure software
From: vanderaj at greebo.net (Andrew van der Stock)
Date: Mon, 24 Jul 2006 16:24:12 -0700
NB: I am not speaking on behalf of my employer and this is my personal opinion.

Banks in general do not use smart cards as they suffer from the same issue as two-factor non-transaction-signing fobs: it is somewhat trivial to trick users into giving up a credential. Connected keys are the worst; they induce laziness in the user and imply security which is not actually there.

Smart card integration over web apps is non-existent. The HTTP/1.1 protocol does not support two-factor transaction signing nor smart cards in general (unless you are just using SSL with a client-side cert, which is just as vulnerable as a normal IB app today if the attacker chooses a CSRF attack). Therefore, you need *something* extra to make 2FA USB fob authentication work. RSA has an ActiveX plugin (Keon WebPassport) which works great in an Intranet environment where you control all the resources. However, such solutions have a support overhead, lock users into the Win32 platform only, and lock out pretty much any site that blocks ActiveX controls on its PCs.

Here's why such devices will not fly:

*) costs money to ensure that the crypto is compliant with national and international standards
*) costs money to develop and deploy secure internal PKI and secure operational procedures to issue certificates for the devices. For the average institution, this is a lot of overhead.
*) costs money to deploy (need to send out software, instructions, device, smart card)
*) costs money to register users securely (is sending through the mail acceptable?) <- this step was stuffed up in the UK's Chip and PIN roll-out, so we have an excellent data point already http://www.theregister.co.uk/2004/09/16/chip_pin_crime_wave/
*) costs money to train users to only insert their smart card when your app is running and not just leave it in
*) costs money to support users when your software gets the blame for their users' support woes (whether true or not)
*) doesn't improve security if the user can just say yes.

The typical dialog for these things is "Please press Submit to pay Nice Person $100 using your token". If the app suffers from an XSS, why is this prompt safe? Can you trust "Nice Person" or $100?

Disconnected trx signing devices are simple, cheap, and have *fewer* costs. Note I do not say none of the costs, but it is significantly less, and at least we don't trust the user's browser, the user's browser can be any platform (MacOS X, Linux, FreeBSD, Win95, XP, Vista), we don't end up supporting the user's desktop, and we don't need to train the users so much.

That's why smart cards will not be used if the Bank has done a proper side-by-side comparison, and compared the relative risk versus cost. Smart cards (and anything which requires platform support) are less secure, less trustworthy, take more effort, and cost more.

thanks,
Andrew

On 23/07/2006, at 3:42 PM, mikeiscool wrote:
> No I disagree still. Consider a smart card. Far easier to use than the silly bank logins that are available these days. Far easier than even bothering to check if the address bar is yellow, due to FF, or some other useless add-on.
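The distinction Andrew draws between a connected device that signs whatever the browser presents and a disconnected transaction-signing token can be made concrete. The following is an added example, not code from the post or from any bank's or vendor's product: it assumes a token that shares a per-user secret with the bank, takes a server challenge plus the payee and amount keyed in by hand, and displays a short HMAC-derived code (HMAC-SHA256 with HOTP-style dynamic truncation is an illustrative choice). Because the server recomputes the code over the transaction it actually received, a payee or amount rewritten in the browser by XSS or CSRF no longer verifies, and a used challenge cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed example of a disconnected transaction-signing scheme.
# The algorithm below is an assumption for illustration, not any real bank's.
CODE_DIGITS = 8


def signing_code(token_secret: bytes, challenge: str, payee: str, amount_cents: int) -> str:
    """Code the token displays for the transaction the user keyed in.

    The server recomputes exactly this over the transaction it is about to
    execute, so the code is bound to payee and amount, not just to the session.
    """
    msg = f"{challenge}|{payee}|{amount_cents}".encode()
    digest = hmac.new(token_secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226 section 5.3):
    # low nibble of the last byte picks a 4-byte window, high bit is masked off.
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Bank:
    """Server side: holds token secrets and outstanding single-use challenges."""

    def __init__(self) -> None:
        self.tokens: dict[str, bytes] = {}      # user -> token secret
        self.pending: dict[str, str] = {}       # challenge -> user

    def enrol(self, user: str) -> bytes:
        # In practice the secret is provisioned into the token out of band.
        self.tokens[user] = secrets.token_bytes(20)
        return self.tokens[user]

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(4)        # 8 hex digits the user can type
        self.pending[challenge] = user
        return challenge

    def submit_transfer(self, user: str, challenge: str, payee: str,
                        amount_cents: int, code: str) -> bool:
        # Challenge is consumed on first use, whether or not the code verifies.
        if self.pending.pop(challenge, None) != user:
            return False
        expected = signing_code(self.tokens[user], challenge, payee, amount_cents)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Legitimate transfer, browser-tampered transfer, and replay (constructed)."""
    bank = Bank()
    secret = bank.enrol("alice")

    # 1. Alice keys challenge, payee and amount into her token and reads the code.
    chal = bank.issue_challenge("alice")
    code = signing_code(secret, chal, "Nice Person", 10000)
    legit = bank.submit_transfer("alice", chal, "Nice Person", 10000, code)

    # 2. Script injected into the page swaps the payee in the POST after Alice
    #    has computed her code for "Nice Person". The code no longer matches.
    chal2 = bank.issue_challenge("alice")
    code2 = signing_code(secret, chal2, "Nice Person", 10000)
    tampered = bank.submit_transfer("alice", chal2, "Mallory", 10000, code2)

    # 3. Resubmitting the first, already-consumed challenge is rejected.
    replay = bank.submit_transfer("alice", chal, "Nice Person", 10000, code)

    return {"legit": legit, "tampered": tampered, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The browser is untrusted throughout: it carries the challenge to the user and the code back, but it never holds the secret and cannot change what the code commits to. That is the property a connected token that signs "whatever the app asks" lacks, and why the "Nice Person $100" prompt cannot be trusted under XSS.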