From: Dr S N Henson (drhcelocom.com)
Date: Thu Jun 07 2001 - 18:24:20 CDT


    Carlos Prados wrote:
    >
    >
    > Again, I would pay more attention to local security.
    > Why is the file /tmp/.pcscrx world writable? Isn't
    > this a security hole?
    >

    On the subject of security...

    As may be apparent I've only just got my setup working and I've not
    examined things in any detail. I did notice a few things which might be
    cause for concern.

    Consider a Netscape PKCS#11 module. In this application the connection
    to the reader may need to be kept open for an extended period of time
    (typically the whole browser session) and may not be closed cleanly. As
    we are all painfully aware, it's not entirely unknown for a browser to
    crash.

    This situation needs to be handled, i.e. a connection can be kept open
    for a long time with no security issues and if the application using it
    crashes then the session is cleaned up appropriately.

    Steve.

    -- 
    Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
    Personal Email: shensondrh-consultancy.demon.co.uk 
    Senior crypto engineer, Celo Communications: http://www.celocom.com/
    Core developer of the   OpenSSL project: http://www.openssl.org/
    Business Email: drhcelocom.com PGP key: via homepage.
    

    *************************************************************** Linux Smart Card Developers - M.U.S.C.L.E. (Movement for the Use of Smart Cards in a Linux Environment) http://www.linuxnet.com/smartcard/index.html ***************************************************************