
Problems With Digital Signatures

---===---
OSAll Contributor

Right now there's only one way to "positively" identify yourself on the Web -- a certificate (most likely issued by Verisign).  Utah already considers these certificates acceptable for legally binding signatures, and New York is closely following.  The problem is that there's no identity verification involved when a certificate is issued.

A print signature has precedent -- there's always going to be a set of original signatures to be examined.  These signatures can be "known good."  The problem with digital signatures is that they're so easy to get -- and there's no precedent to compare them to.

In order to get a working digital certificate from Verisign, the top vendor of these products, you need two things: an e-mail address you have access to and a credit card number.  These two things are very easy to get access to.  I can relatively easily get access to your e-mail account (it really isn't that hard).  Furthermore, it's not entirely difficult to get your credit card number (receipts, sniffed transmissions, phone calls, etc.).

Take this scenario: I (person A) want to impersonate you (person B) on the Web.  I go to Verisign and sign up for a certificate saying I'm you.  I give your e-mail address (I've already compromised your account) and your credit card number (I went dumpster diving behind your house).  I now have your digital signature -- and, equally importantly, you don't.

Presumably when the Verisign charge (ten dollars per year) shows up on your bill, you'd call up the bank and say that this charge isn't correct.  At that point, presumably, the digital certificate would be pulled (I've tried this as a test -- the certificate isn't always pulled).  A credit card number simply isn't enough verification.

So what can be used as a digital signature?  Right now, there's no way short of actual physical contact to verify an identity.  If certificates were issued only after a "real" signature had been used to verify them, then there would be a chance.

Granted, a falsified signature probably wouldn't hold up in court.  But what about the other implications?  How about secure communications sent to person A instead of person B?  The implications are indeed rather large.

Unless Verisign or a similar company establishes physical checks, there will never be a truly solid identity on the Web.  There's simply no purely remote way to identify someone (short of biometrics, but that would be considered an invasion of privacy and is several years in the future anyway).

The short version?  Get a certificate -- it's a good idea.  But don't rely on other people's certificates.
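One way a relying party can act on that advice and give a digital signature the "precedent" the article says it lacks, as an added example that is not part of the original article (the certificate model, the validation labels "email-only" and "in-person", the CA name and the e-mail address are all constructed for illustration): pin a key fingerprint only after confirming it out of band, refuse email-only certificates that have no such pin, and honour revocation.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Certificate:
    # Constructed stand-in for a web certificate; `public_key` is any bytes.
    subject_email: str
    issuer: str
    serial: int
    public_key: bytes
    validation: str  # assumed labels: "email-only" or "in-person"

    def fingerprint(self) -> str:
        return hashlib.sha256(self.public_key).hexdigest()

@dataclass
class RelyingPartyPolicy:
    # Fingerprints confirmed out of band (phone call, meeting in person): the
    # digital counterpart of the "known good" signatures the article asks for.
    pinned: dict = field(default_factory=dict)  # email -> fingerprint
    revoked: set = field(default_factory=set)   # (issuer, serial) pairs

    def pin(self, cert: Certificate) -> None:
        self.pinned[cert.subject_email] = cert.fingerprint()

    def revoke(self, cert: Certificate) -> None:
        self.revoked.add((cert.issuer, cert.serial))

    def evaluate(self, cert: Certificate) -> tuple[bool, str]:
        """Decide whether a signature made under `cert` should be believed."""
        if (cert.issuer, cert.serial) in self.revoked:
            return False, "certificate revoked"
        known = self.pinned.get(cert.subject_email)
        if known == cert.fingerprint():
            return True, "matches key confirmed out of band"
        if known is not None:
            return False, "key differs from pinned key: possible impersonation"
        if cert.validation == "in-person":
            return True, "issuer verified identity in person"
        return False, "email-only validation and no precedent: do not rely"

def demo() -> list[tuple[bool, str]]:
    # Constructed scenario from the article: A obtains a certificate in B's name.
    policy = RelyingPartyPolicy()
    real_b = Certificate("b@example.com", "CA-X", 1, b"key-of-B", "email-only")
    fake_b = Certificate("b@example.com", "CA-X", 2, b"key-of-A", "email-only")
    results = [policy.evaluate(real_b)]      # no precedent yet -> rejected
    policy.pin(real_b)                       # B confirms fingerprint by phone
    results.append(policy.evaluate(real_b))  # accepted
    results.append(policy.evaluate(fake_b))  # same e-mail, other key -> rejected
    policy.revoke(fake_b)
    results.append(policy.evaluate(fake_b))  # revoked -> rejected
    return results
```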

Don't forget to discuss this issue on the OSAll BBSystem!

All content copyright 1998 - 99 unless book covers or otherwise noted.  Book covers copyright 1998 - 99 Amazon.com.  All OSAll-owned content may be reprinted with the following header added: "Copyright 1998 - 99 Owl Services.  Visit aviary-mag.com for computer security news and information."  Article authors retain a non-exclusive right to republish their work.