Hello All,

> Date: Thu, 03 Jan 2002 15:59:03 -0500
> To: "e-gold Discussion" <[EMAIL PROTECTED]>
> From: GoldMoney Support <[EMAIL PROTECTED]>
> Subject: [e-gold-list] Re: Dealing with Passphrase Cracking Bots
> and Motives for Initiating Them
>
> Harvesting a cert from a browser/OS (operating system) is
> at least an order of magnitude more difficult than sniffing
> keyboard strokes. Also, the cert can be secured further by
> storing it on a smartcard running its own OS, which
> effectively isolates the cert from the potentially
> insecure/"trojanized" browser/OS.

Even in the best case, when the smartcard itself performs all the public key cryptography calculations, there still has to be software that exchanges data with the smartcard, and the data fed into the smartcard may be intercepted and replaced with something completely different by a trojanized operating system. For example, when the user wants to pay 0.1 AUG to one account, the transaction data are replaced on the fly with transaction data stating that the user pays 99999.9 AUG to a malicious account, and the *stupid* smartcard signs everything using the certificate which is stored there absolutely securely. The certificate is secure, but the gold is gone. Any preview screens and other verification techniques will also be useless in the case of a trojanized operating system, because *all* data replacements may be done at the system kernel level.

> >Anyway it is rather religious discussion because there
> >will always be the people who rely on something they know
> >and the people who rely on something they have.
>
> Exactly. That's why it's good to offer both options.

The key word here is *options*, and here is the question, which is a religious one like all of this discussion. What about switching off digital certificates if the user does not want to use them? Can the user work with an open source operating system and the simplest open source SSL-enabled Lynx Web browser? The e-gold system is completely usable with this configuration; what is known about other digital currencies? Instead of relying on complex and impossible-to-verify solutions, which cannot ensure absolute security anyway, it may be better to use the simplest but relatively easy-to-verify solutions.

There exists a very old and simple authentication technique which is called call back. If this option is enabled and the user wants to do something, then the system should send a fax message, an SMS message or just a voice message to a predefined contact telephone number. There should be some random sequence in this message which should be entered into the system later in order to confirm the transaction. The security of telephone communications is protected by *laws* and enforced by the *state* in most countries, thus this technique is secure enough for the average user, without any digital certificates. As far as I know (I have not tried it myself yet), the e-gold system is usable with a mobile telephone; what is known about other digital currencies?

At the same time it may be good to have several options which may be switched on or off, because all people are different and there is no solution which can fit every situation. I think that the e-gold set of features in its present state is optimal as a default starting point, and other options should be added only after thorough research and then explicitly enabled or disabled by the user.

Here is a joke. Two Russian men are talking with each other in Russian on a street in New York City. A woman comes up to them and asks something in English. They pay no attention and keep talking with each other in Russian. The woman goes away. One Russian man says to the other: "Everyone says that we should learn English. Has her English helped her?"

> Sincerely,
> Geoff Turk

Respectfully yours,

Dmitry Salnikov, http://dmitry-salnikov.com/index.htm
FreeBSD, Linux, C/C++, Perl, ... Web software development services, English / Russian translations.

---
You are currently subscribed to e-gold-list as: [email protected]
To unsubscribe send a blank email to [EMAIL PROTECTED]
http://www.e-gold.com/stats.html lets you observe the e-gold system's activity now!
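The two halves of the argument above, a smartcard that signs whatever bytes the host feeds it and a call-back confirmation sent to a predefined phone, as an added simulation. This is example code written for this page; it is not e-gold's software and not something from the post. The HMAC key stands in for the card's private key (the point is the same: the key never leaves the card, but the input to it is not trusted), and the account names, the "pay ... AUG to ..." encoding, the six-digit code and the five-minute lifetime are assumptions. It goes beyond the post in one respect: the call-back message carries the transaction details next to the random sequence, and the code is bound to the transaction the server actually received, so a swap on the host is visible on the phone and a code confirmed for one transaction cannot be spent on another.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# --- the card ---------------------------------------------------------------
# Stand-in for the card-resident private key (assumption: an HMAC key that
# never leaves the "card"). A real card would hold an RSA/ECC key; the
# property that matters is unchanged: the key is safe, the input is not.
CARD_KEY = secrets.token_bytes(32)


def encode_tx(amount_aug: str, to_account: str) -> bytes:
    """Canonical bytes the card is asked to sign (assumed format)."""
    return f"pay {amount_aug} AUG to {to_account}".encode()


def card_sign(key: bytes, data: bytes) -> str:
    """The card has no screen: it signs exactly the bytes it is fed."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def server_verify(key: bytes, data: bytes, sig: str) -> bool:
    """Server-side signature check; a valid signature says nothing about
    whether the user ever saw this transaction."""
    return hmac.compare_digest(card_sign(key, data), sig)


# --- the host PC ------------------------------------------------------------
def host_submit(amount_aug: str, to_account: str, trojan=None):
    """The user types a payment; the host feeds it to the card and returns
    what the server receives. `trojan`, if set, rewrites the request on the
    way to the card (the preview screen still shows the original)."""
    tx = encode_tx(amount_aug, to_account)
    if trojan is not None:
        tx = trojan(tx)
    return tx, card_sign(CARD_KEY, tx)


def evil_trojan(_original: bytes) -> bytes:
    """Constructed attacker payload: hypothetical destination account."""
    return encode_tx("99999.9", "attacker-account")


# --- call-back confirmation -------------------------------------------------
CODE_TTL_SECONDS = 300  # assumption: five minutes to enter the code


@dataclass
class Pending:
    tx: bytes            # the transaction the phone message described
    code_hash: bytes     # only a hash of the code is kept server-side
    expires: float
    used: bool = False


def issue_callback(tx: bytes, now=None):
    """Server side: draw a random code bound to the transaction it actually
    received and build the SMS/fax/voice text for the predefined number.
    The code itself goes to the phone only; it is not returned to the host."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    pending = Pending(tx=tx,
                      code_hash=hashlib.sha256(code.encode()).digest(),
                      expires=now + CODE_TTL_SECONDS)
    message = f"Confirm: {tx.decode()} ? Enter code {code}"
    return pending, message


def confirm(pending: Pending, typed_code: str, tx_to_execute: bytes, now=None) -> bool:
    """Execute only if the code is unused and fresh, matches, and the
    transaction about to execute is the one the phone message described."""
    now = time.time() if now is None else now
    if pending.used or now > pending.expires:
        return False
    typed_hash = hashlib.sha256(typed_code.encode()).digest()
    if not hmac.compare_digest(typed_hash, pending.code_hash):
        return False
    if not hmac.compare_digest(pending.tx, tx_to_execute):
        return False
    pending.used = True
    return True


if __name__ == "__main__":
    tx, sig = host_submit("0.1", "friend", trojan=evil_trojan)
    print("server sees:", tx.decode(), "valid signature:", server_verify(CARD_KEY, tx, sig))
    pending, message = issue_callback(tx)
    print("phone receives:", message)
```

Run as a script, the trojanized submission verifies as a perfectly good card signature, and the phone message is the only place the user can see that the amount and account are not what they typed. Note the ordering inside `confirm`: the single-use flag is set only after every check passes, so a wrong code or a mismatched transaction does not burn the pending entry.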
