Jan Rochat's Weblog

PKI Smart Cards only a security tool ?

janrochat — Sat, 05 Jan 2008 11:11:50 +0000

Most of the time when I explain to people that I sell middleware for PKI Smart Cards They assume that I am strictly in the security business. The big question; is this a fact or are there other usages for PKI Smart Cards or to generalize the concept PKI tokens.

PK(I) Tokens

First of all we most of the time address those (mostly) RSA based tokens as PKI Tokens. Better would be to address them as Public Key Technology Tokens or RSA Tokens. Calling it PKI Tokens gives the impression that they only can be used in combination with a Public Key Infrastructure, all though those tokens are most of the time used in combination with a Public Key Infrastructure there may also be applications that use the PKI Token strictly for holding a RSA Key Pair without the certificate.

So what about the security bit ?

Back to the main question. When addressing the tokens as Public Key Technology token it becomes clear that we talk about a technology. As I believe that technology should always support he business we have to look at the business side of things to find an answer on the big question.

The business side of things

When looking to the business side we don’t talk about issues like: “I want that all my users have Strong Digital Identity”. We talk about: “I want to increase my turn over” or “I want to cut down my cost”. If we start looking to it from the business angle it is not that difficult to discover a business case for PKI Tokens. An example might be giving all your customers a token to give them access to your website to cut down cost. Another example; you can give all your employees a token which is protected by a fingerprint so that you cut down cost on resetting passwords.

So…

Security is only one of the driving forces behind the use of PKI Tokens like smart cards. We are talking about a technology that has to serve the business and can be used in many different business applications as a technology providing you with a complete set of standards, protocols and implementations laying around to be used to solve your business problem.

And….

Well now it is up to you to come up with the business problems and the opportunities that can be solved by using this technology.

iGoogle Web Gadgets

janrochat — Wed, 02 Jan 2008 19:36:38 +0000

The last few days I discovered Gadgets. I started playing around with the new system from Microsoft Live. It took a couple of hours before I found out that this nice feature also exist on other web sites. Implementing Gadgets gives you the possibility to add “little” apps to a web page. An example of this is customizing the normal Google search page by using igoogle . I started with building a Gadget wrapping a flash implementation of the classic PacMan game. If you want to add this Gadget on you web page look at this page.

Firefox Susceptible To QuickTime Security Flaw, what about Second Life Client ?

janrochat — Wed, 28 Nov 2007 09:24:24 +0000

Yesterday I saw the following on Slashdot.org :

Apple’s QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur.”

And I realized that the Second Life Client is also using QuickTime. A simple test produced the following picture when applied on the windows version of the Second Life Client. So it seems that Second Life Client is also suffering from the same problem as Firefox does.

At the moment I only had time to try it on Windows and I have no idea if the same problem exists on the Mac.