Domain: luxtrust.lu
Stories and comments across the archive that link to luxtrust.lu.
Comments · 14
-
Re:This law is a good thing!
What you say is true, there are certainly sites out there that really want to get round any measures a user puts in place to block certain behaviour, but if a site is doing stuff like that, would you really trust them to conform with legislation anyway?
If legislation is in place, and a site blatantly misbehaves in such a way, this is actionable. At least the bigger sites (such as facebook) would have to comply.
From my personal experience, the types of sites that exhibit this kind of behaviour are typically not high on my trust list.
But sometimes, it may be a site whose service you absolutely need, such as directory look up... we have the case here in Luxembourg where one directory lookup service pulls such a shenanigan. Fortunately, theyre is a competitor. But what if the competitor starts behaving in the same way?
And ironically enough, luxtrust.lu, the national Luxembourgish certification agency, pulls the opacity: 0 stunt... an entity that we have to trust...
Very often though, such things happen due to contractors. Organization contracts out webdesign to a third party firm, which cares more about looks and their own ego than about functionality or their customer's mission, and then such mishaps happen. And when the customer's users bring this to their attention, the contract and warranty period with web design company has run out, and their is no budget planned to fix the mess, so it stays like that for ages...
-
Re:Everyone exaggerates
A couple of years ago, I tried to penetrate Lustrust, but I didn't manage. Indeed, the security hole that I was aiming for was protected by 2 big phat lunar firewalls. However I still managed to deface it, and the defacement stayed for a couple of days...
-
Re:One-time pads
They are pushing those here too. Except I refuse to get one for different reasons:
- The token costs money every year (renewal) and my ebanking has been 100% free at both institutions I use. This would raise the cost for no good reason
- The company providing those card readers (pretty much state mandated monopoly) supports only Windows with just recently Mac OS X support and only for 10.4 and 10.5 (which might be acceptable, I stopped using OS X at 10.3). As a Linux user, I'm left in the cold because the official support for Linux is RedHat 4.0 and Debian Etch. I guess they couldn't do even older distributions. Linky Sure, it might work on newer systems but why spend money to find out?
- The underlying system uses a Java Applet... This adds another point of failure in the whole stack.
The whole thing is pushed hard by the government, but uptake is luckily low (probably due to the fact that it costs money for no good reason)
Of the two banks I use, one uses a software certificate to identify you coupled with a password and a 16-char codecard where random digits are asked. That's secure enough in my book as long as you keep your password secure and the codecard. The other bank uses a username/password with a similar 16-digit codecard. Both lock you out at three wrong logins. The bank with the certificate is pretty much not susceptible to phishing as an intruder would need your certificate, the other bank would be and you can calculate the probability of break in chances. Anyway, I haven't ever had any problems and I have never heard of anyones account getting hacked... Might just be covered up, but still.
-
Re:how about no
I live in a small EU country and we have trusted identities to communicate with state, community and banks.
Since banks already know who their clients are, you can order the tokens online in your bank application, no sweat.They have signing sticks, tokens, cards or via SMS whatever works for you.
It's needed to do your IRS forms online or do any number of state/local community operations that formerly had to be done in person, wasting a half day or more.
They need to be sure who they're talking to, if people want a permit, passport, id, drivers licence or something expensive delivered or taken from the house.(waste bins, junk containers, reserved parking signs for special deliveries etc. -
Re:French ssh port (ssf) suggested strange weaknes
So what he was saying is, that they are padding with a potentially unencrypted random number, that can be used to guess earlier and later random numbers, and thus break SSH. The random number is a hint for crackers / PRNG guessers.
No, that a deliberately "broken" implementation of ssh (either on server or on client) could use the padding to leak the session key, and that without access to the code there would be no way to tell (... because the padding is "supposed" to be random...).
Quite clever actually, and reminescent about the ways how the French subverted the Luxembourgish Luxtrust system.
Luxtrust token are hardware crypto token containing a private key. The key (supposedly) is generated randomly by the token at initialization and never leaves the token, and can only be used to establish session keys and sign messages, where the critical calculation happens on the token. The key is used to secure banking transactions, so that for example, the French tax administration cannot spy on the communication between French citizens and their Luxembourgish bank.
That's the theory. The catch is, the tokens are manufactured by the French company Gemalto, and each token's random number generator will only ever "generate" private keys from a limited set (different for each token, of course). So, French tax administration can trivially infer the private key by looking up the public key in a table provided by Gemalto.
The scheme is virtually undetectable, because:
- The keyset is different for each token
- Each token can only be initialized a very limited amount of times (much smaller than number of possible keys for that token)
- The tokens supplied to BSI for audit didn't have this weakness. And moreover, the German tax authorities would be quite happy to listen in too
:-)
Result: Luxembourg spent millions on an inconvenient crypto scheme, which works neither on modern 64 bit compiters nor on mobiles, and which is useless for its purpose.
-
Re:stupid
Prior art, I do this all the time.
If you do, make sure you attach a string to it, for easy retrieval when done. And refrain from doing it in your car, the brown stains are awfully difficult to get out of the back seat...
That's just plain ludicrous. How can you drive from the back seat?
-
Re:stupid
Prior art, I do this all the time.
If you do, make sure you attach a string to it, for easy retrieval when done. And refrain from doing it in your car, the brown stains are awfully difficult to get out of the back seat...
-
Banking secrecy lawsNot a theoretical concern, but a very real one.
Many European countries (Germany, Belgium) now have electronic identity cards, which double as PKI signing tokens, with which you can authenticate yourself to web services, such as your bank.
When Luxembourg introduced a similar system they didn't piggy back it on an id card, but issued "signing stick" and smart cards just for the purpose of PKI.
You may wonder why, especially since an electronic id card is already in planning in Luxembourg as well.
The answer is obvious: many customers of Luxembourgish banks are foreigners, couldn't thus get a Luxembourgish id card, but wouldn't trust their own government's id cards, so an ad-hoc system was needed: Luxtrust.
Unfortunately, Luxembourg doesn't have any native smartcard industry, so they had to buy the chips from the French... who just shipped units with a predictable random number generator, dramatically reducing the number of possible private keys. FAIL.
And the BSI institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interested in spying on communications with Luxembourgish banks. DOUBLE FAIL.
-
Re:Unix epoch does not have to end in 2038
Heck, if you could only have a working 64bit flash plugin on Linux, all Linux users would go 64bit already.
The flash plugin is not the only binary thing missing on 64 bit Linux.... and it's quite ironic to see this kind of comment after an article about Gemalto.
These people would rather give you a blowjob than recompile their Linux driver on a 64 bit CPU!
-
Re:Let governments handle SSLBe careful what you wish for.
The result:
- Usage of this CA will be compulsory for securing interacting with the government
- Usage of this CA will be compulsory for securing interacting with all banks of the country
- Actually, this CA is not really a government entity, but a for-profit company that likes to make you pay through the nose
- This government-sponsored monopoly likes to prop up other monopolies or create other monopolies
- You'll be paying through the nose for gizmos such as signing sticks that don't actually work as expected.
- If you try to fuck with them, you'll be left with ugly stains on the backseat of your car
-
Luxtrust...Here in Luxembourg, Luxtrust likes to give technical support via Facebook and other chat sites, even when the original request was submitted via e-mail.
But I've got the impression that they do it for exactly the opposite reason: because such replies do not create a legal liability.
-
64 bit Luxtrust cryptoki module
Now, after 64-bit flash, and 64-bit java, we now only miss a 64 bit Luxtrust libgemsafe module... So, Luxtrust, when are you going to move?
-
Re:Still no contact info, so I'll post here...
I live all alone in a farmhouse, you insensitive clod.
Be careful. A pony doesn't play chess, so you'll still be as bored as before!
-
Re:Important lesson:Was it a male penguin at least? (French readers will understand...) The seal then alternated between resting on the penguin, and thrusting its pelvis, trying to insert itself, unsuccessfully. Hihi, Linux' security proves itself again against all kinds of intrusion attacks. But did the seal at least attempt to give the penguin a hickey?