Analysts and companies are starting to point out the security gaps in the digital certificate system. This is from an article published in today's "Network News" on a new product:
" . . . The idea of [Webfort's] camouflage technology is to protect users' digital certificate credentials by concealing the genuine credentials among a collection of false ones. While the legitimate user can easily locate even a collection of valid credentials, which could be activated using the same password or PIN, intruders cannot.
"WebFort can secure URLs at the web server level or function as a secure access point to web-enabled applications. But analysts cautioned that physical tokens or other mechanisms are still needed to provide a secondary user-specific authentication system to validate digital certificates.
"'Digital certificates only provide device authentication,' said Steve Hunt, director of analysts Giga Information Group. 'You're subject to the same problems with certificates as with passwords, so they need to be complemented with smart cards or biometrics.'
"The technical director of Security Dynamics, Dominic Storey, claimed WebFort merely hid a basic problem - that certificates on a hard disk are always open to attack. 'Certificates alone have no client-based policies on the length and strength of passwords, and provide no central management,' he added.
"Natarajan Kausik, Arcot's founder, said: 'The digital certificate private key is your credential for the internet, but letting these credentials just sit on the desktop unprotected is like leaving the key under the front doorstep.'"
================
It sounds like the only secure system is a biometric smart card system that has the certificate off-line and further protected by biometrics.
By the way, RTQ says IDX closed at $10.25 today. |
