On Mon, Apr 19, 1999 at 10:01:26AM +1200, Russell Fulton wrote:
> To my knowledge you are correct. The bottom line is this: Client
> programs that store credentials so the user does not have to enter them
> every time the program is used are insecure. End of story.

Well, actually you can use one key/passphrase to secure all the stored credentials. This has the advantage that you don't need to remember all the credentials (which is impossible for secret keys anyway). But it has the disadvantage that the security is

a) breakable by trojans/backdooring
b) as secure as the (weakest) manually entered password

Netscape supports passwords to unlock the credential store. On a physically secure system this provides a bit of security. On physically insecure systems even smartcards can fail, since the trojan can use the plugged-in smartcard without the user noticing it.

Greetings
Bernd

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:16 PDT