Tablet (Premium, join: 2003-01-15, Czech)
reply to jansson_mark
Re: Securing my Certificates

said by jansson_mark:
said by Tablet: For example I have a certificate for online banking for which a password is required to use the private key.
In practice, how does this happen? You go to their www-site with your browser and... what?

I go to the website and input the location of my exported certificate, then it asks for a password. When I try to import the certificate into my certificate store, it asks for a password too, so I guess it should be encrypted. What do you think?

quote: According to what the bank has said, the private key is encrypted, though I do not know if the encryption is strong enough.

quote: A tip: Banks don't know drek about computer security, so don't count on that at all. It took me 3 years to persuade Scandinavia's biggest bank (Nordea) to move to 1024-bit RSA from their totally insecure 512-bit RSA...

My bank uses 1024-bit RSA; I hope it is sufficient.

quote: Unfortunately, if I enable this setting I cannot use my online banking using SSL, so I have to go without the option enabled.

quote: EXCUSE ME?!? It doesn't affect SSL in any way. SSL settings are configured in your browser...

I don't understand why, but whenever I enable using FIPS compliant algorithms, SSL for my specific bank doesn't work. I have to enable TLS to make it work. My father's online banking also doesn't work with the option enabled, but in his case it ceases to work even with TLS support enabled in IE60. The link to my bank's secure site is here, so you may try it yourself; you will not get there with the FIPS option on and TLS turned off. I guess SSL and the option have to be somewhat interconnected.

»www.mojebanka.cz and click on the upper-right button named "Přihlášení do systému" (Login to the system)

[text was edited by author 2003-03-02 03:46:16]

jansson_mark
said by Tablet: I go to the website and input the location of my exported certificate,
??? What? How? When I go to that page, I get an empty page and no prompts, nothing.

quote: then it asks for a password.

What exactly asks for the password? The browser, the certificate store or the www-page?

quote: When I try to import the certificate into my certificate store, it asks for a password too, so I guess it should be encrypted.

Import it from where, and who put the password on it? Did you get it on a floppy from the bank and they put a password on it, or...

quote: I don't understand why, but whenever I enable using FIPS compliant algorithms, SSL for my specific bank doesn't work. I have to enable TLS to make it work.

From a security perspective, TLS is even better than SSL, so you'd better use FIPS and TLS.

quote: My father's online banking also doesn't work with the option enabled, but in his case it ceases to work even with TLS support enabled in IE60.

It might be that the bank only supports weak keys for SSL and if you disable them it doesn't work. I don't know. This SHOULDN'T be the issue. I don't know. But you SHOULD use FIPS and hopefully TLS (1024-bit RSA and at least a 128-bit symmetric cipher).

quote: »www.mojebanka.cz

I don't know about IE, but with Opera I can go there with both SSL and TLS. But I get a blank screen, so it doesn't go forward from »www.mojebanka.cz/installnew.html?run=login; apparently some JavaScript bug, so it doesn't work with Opera...

Could you put up some screen captures of what you are describing? (Keep them small, .jpg etc.) This seems very interesting, but I don't seem to understand all you mean...
-- My computer security & privacy related homepage »www.markusjansson.net

Tablet (Premium, join: 2003-01-15, Czech)
IE60 error

Tablet (Premium, join: 2003-01-15, Czech)
reply to jansson_mark
To make things clear: When using the online banking I go to a web page and have to input the location of the certificate, and on the same web page I also input the password. I obtained the certificate on a floppy disk; they gave it to me in the bank and the password was already there protecting the private key. I had chosen the password myself in the web application.
What you are describing as a JavaScript error is exactly what I get if I enable the option to use FIPS compliant encryption. Only when I disable this option or when I enable TLS can I proceed further and see the actual page. I posted the IE error above, hopefully, since I do not yet know how to work with attachments on this forum.
jansson_mark
said by Tablet: To make things clear: When using the online banking I go to a web page and have to input the location of the certificate, and on the same web page I also input the password.

So a window pops up and asks for the certificate? Can you grab a screen capture (or several) of that?

quote: I obtained the certificate on a floppy disk; they gave it to me in the bank and the password was already there protecting the private key. I had chosen the password myself in the web application.

OK. But a stupid question: Why do they use certificates for this one? It would be a lot easier to use one-time passphrases or verification cards (or similar) to log in. Now you cannot log in if you don't carry that disk with you all the time, and you CAN'T use any public computer to log in, since if that computer is fitted with a trojan horse, it can grab your certificate when you use it yourself!!! If you were using one-time passphrases (usually a 4-8 digit number) there would be no danger of trojan horses, since the number you give is only used once (by you) and then it's useless.

quote: What you are describing as a JavaScript error is exactly what I get if I enable the option to use FIPS compliant encryption. Only when I disable this option or when I enable TLS can I proceed further and see the actual page.

Interesting! I get the same error when I try to use Nordea bank's internet banking with my IE! Hmmmmmm...... Strange. The FIPS option should NOT have any effect on SSL/TLS whatsoever! LOL!
-- My computer security & privacy related homepage »www.markusjansson.net

jansson_mark
reply to Tablet
Dammit, I can't edit my earlier posting, don't know why... anyway, this is what I forgot to say...
said by Tablet: I obtained the certificate on a floppy disk; they gave it to me in the bank and the password was already there protecting the private key. I had chosen the password myself in the web application.

The certificate on your floppy might be protected with good crypto or not. My advice is that you import it into the OS/browser, then WIPE it from the disk and then export it back to the floppy in strongly encrypted form (use PGP to be sure). And how good the passphrase protection is in IE, that's a hard question; it might be good or it might be bad. Personally I believe it is bad, since M$ don't know how to do these things.

The certificate is meant for IE, isn't it? Could you import it into, let's say, Opera and put a good passphrase on it there (that would make it safe, since I know they do encrypt it in Opera using your passphrase)?
-- My computer security & privacy related homepage »www.markusjansson.net
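As an added illustration of the one-time-passphrase argument jansson_mark makes earlier in the thread (the number is used once and is then useless, so a trojan that captures it gains nothing, unlike a copied private-key file): the block below is example code written for this page, not code from the thread, from either poster, or from any bank. It assumes an HMAC-based counter scheme (RFC 4226 HOTP, which the post does not name; printed code lists were also common), and the demo secret is the RFC's published test key, used here only as constructed sample input.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Bank-side state for one customer: the shared secret plus the next
    unused counter (hypothetical verifier, not any bank's implementation).

    A code is accepted only if it matches a counter at or ahead of the stored
    one, within a small look-ahead window. Acceptance moves the counter past
    it, so the same code presented again (e.g. replayed from a keylogged
    session on a public computer) is refused.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time comparison so timing does not leak partial matches
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def demo():
    # Constructed demo secret: the RFC 4226 test-vector key, not a real bank key.
    secret = b"12345678901234567890"
    codes = [hotp(secret, c) for c in range(3)]   # what the customer's token/list shows
    bank = OtpVerifier(secret)
    first = bank.verify(codes[0])   # legitimate login with code #0
    replay = bank.verify(codes[0])  # trojan replays the captured code: refused
    skip = bank.verify(codes[2])    # customer burned #1 offline; #2 is still in the window
    stale = bank.verify(codes[1])   # #1 is now behind the counter: refused
    return first, replay, skip, stale


if __name__ == "__main__":
    print(demo())
```

Running demo() returns (True, False, True, False): the replayed code fails because the bank-side counter moved past it on first use, while a code skipped by the customer is still accepted as long as it lies ahead of the counter and inside the window. Contrast this with the certificate scheme in the thread, where whatever the trojan copies from the floppy is reusable until the key is revoked.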