[plug] Insecurity by example
Bernd Felsche
bernie at innovative.iinet.net.au
Fri Mar 25 13:23:52 WST 2005
This is almost off-topic.
A customer of mine recently asked me about setting up the new-fangled
Customs Integrated Cargo System.
Customs seem to encourage people to use VeriSign as the CA.
Here's VeriSign's procedure for obtaining and managing the
expen$ive "secure" key:
http://www.verisign.com.au/support/gatekeeper/customs/gk-customs-ABN-AO.pdf
The fun bits:
Technology Requirements
In order to be able to enrol for a digital certificate, we suggest
that you ensure the following is available to you prior to
enrolling:
* Your computer must have Internet access.
* Your computer must allow software updates and not be locked down
  through a restriction on your access rights or locked down by
  firewall or gateway rules.
* Ensure your web browser has 128bit security (encryption strength)
  capability eg:
  o Microsoft Internet Explorer version 4.1 (or higher) with Microsoft
    High Encryption Pack;
  o Lotus Notes 128bit security version (version 5.05 or higher).
Email Client
Authorised Officers are required to communicate with VeriSign via
secure email. Ensure that your email client:
* Has 128bit security (encryption strength) capability
* Supports dual key certificates eg:
  o Outlook 2000 or higher
  o Outlook Express 5.5 or higher
  o Lotus Notes 5.05 or higher
People slavishly following the suggestion could well end up with a
machine running a trojan and keylogging, in order to "securely" use
and manage their "secure" keys.
--
 /"\  Bernd Felsche - Innovative Reckoning, Perth, Western Australia
 \ /  ASCII ribbon campaign | I'm a .signature virus!
  X   against HTML mail     | Copy me into your ~/.signature
 / \  and postings          | to help me spread!