'Re: Security Lab To Certify Banking Applications (was Re: ECARM NEWS for July 23,1999 Second Ed.)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       cryptography
Subject:    Re: Security Lab To Certify Banking Applications (was Re: ECARM NEWS for  July 23,1999 Second Ed.)
From:       "William H. Geiger III" <whgiii () openpgp ! net>
Date:       1999-07-26 23:49:08
[Download RAW message or body]

In <379CF1BA.F7DF51E8@geocast.com>, on 07/26/99 
   at 04:39 PM, Tom Weinstein <tomw@geocast.com> said:

>"William H. Geiger III" wrote:
>> 
>> In <v0421012db3be70faae9c@[207.244.108.87]>, on 07/23/99
>>    at 03:20 PM, Robert Hettinga <rah@shipwright.com> said:
>> 
>> >> The Financial Services Security Laboratory will open July 28 in
>> >> Reston, Va. The facility will be used to test software packages against
>> >> a set of standards for securing e-commerce and bill-payment
>> >> applications, as well as browsers and operating software.
>> >>
>> 
>> Well I have my doubts on this. Either they refuse to certify Microsoft &
>> Netscape software and alienate 90% of the consumer market, or they do
>> certify them making their certification worthless.

>While they certainly couldn't certify any browser that included Java or
>JavaScript, what about certifying one with the caveat that these features
>be turned off?  The vast majority of the security problems in
>Communicator have come from strange interactions between, and within the
>object models of, these two very powerful languages.  The one notable
>exception is the fairly recent buffer overruns in some of the mail
>attachment code that was not properly reviewed.

>Of course, Windows NT (and IE which we all know is part of the OS) could
>be certified as long as it wasn't connected to a network, just as was
>done for their C2 certification.**


Well that does very little good for certification for e-commerce. :)

Even if you could get a striped down version of Netscape "secure" enough
to pass certification it would be irrelevant when running on an insecure
OS. Microsoft will never have a secure NOS, they just don't have the
proper mindset to develop one. What is really needed for secure e-commerce
is a small NOS with a small set of apps that are dedicated for the job at
hand. The current OS model of "everything including the kitchen sink" will
never produce a secure environment. Too much code, too little review, too
many changes. When your code distribution takes multiple CD's the system
is way too complex to be secure. The entire system, OS & apps should only
be a couple of megs running on a cheap, dedicated machine for doing your
e-comm. Not hard to do, but it means getting rid of all the bloated crap
that "modern" OS's (and their associated apps) have become.


** FWIW NT's C2 rating is a joke but that is a rant for another thread.

-- 
---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---------------------------------------------------------------

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic