[FDE] Wells Fargo to Personal Online Safe
Ali, Saqib
docbook.xml at gmail.com
Fri Mar 21 10:05:51 MDT 2008
> * even though you sent them the pass phrase

That is the key thing. With host-proof hosting, you never send the
pass phrase to the hosting server. Your pass phrase remains on your
client computer.

Maybe Ms. Kelly (whom I have copied on this email) can elaborate more
on the topic of the host-proof hosting pattern. Her company
(www.passpack.com) has successfully implemented this pattern.

On 3/20/08, Crispin Cowan <crispin at crispincowan.com> wrote:
> Ali, Saqib wrote:
> > Wells Fargo to Personal Online Safe for storing electronic copies of
> > important materials, such as financial statements, loan and tax
> > documents, wills, passports, and birth, marriage and death
> > certificates:
> > https://www.wellsfargo.com/press/2008/20080319_Online_Safe
> >
>
> Ok, that sounds like a bad idea.
>
>
> > Note: The only way I will feel safe about this service is that Wells
> > Fargo uses Host-Proof Hosting patterns[1], and PROVE (i.e. get
> > certified) that host-proof hosting pattern is implemented properly and
> > securely. Until then I will store these documents on an encrypted drive
> > that I have control over.
> >
> > 1. http://en.wikipedia.org/wiki/Host-proof_hosting
> >
>
> This *also* sounds like a really bad idea. You trust the host to:
>
> * not persist the clear text data
> * not persist the passphrase
> * not persist the decryption key
> * even though you sent them the pass phrase
>
> Never mind that lots of web sites have been caught trousers down
> retaining the extra 3-digit security codes from credit cards, never mind
> that they aren't supposed to retain that either.
>
> Crispin
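
The host-proof hosting pattern discussed in this thread, as an added example that is not part of the original messages and is not Passpack's or Wells Fargo's code: the client derives the key from the pass phrase and encrypts locally, so the host only ever stores salt, IV, tag and ciphertext. Function names, parameters and sample data are assumptions; Node's crypto module stands in for the browser so the sketch runs offline.

```javascript
// Added illustration of the host-proof hosting pattern; all names are hypothetical.
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Derive a 256-bit key from the pass phrase. Runs on the client only.
function deriveKey(passphrase, salt) {
  return pbkdf2Sync(passphrase, salt, 200000, 32, 'sha256');
}

// Client side: encrypt before upload. Returns the only fields the host receives.
function clientSeal(passphrase, plaintext) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt: salt.toString('hex'), iv: iv.toString('hex'),
           tag: cipher.getAuthTag().toString('hex'), ct: ct.toString('hex') };
}

// Client side: decrypt a record fetched from the host. Throws on a wrong
// pass phrase or if the host altered the record (GCM tag mismatch).
function clientOpen(passphrase, record) {
  const key = deriveKey(passphrase, Buffer.from(record.salt, 'hex'));
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(record.tag, 'hex'));
  return Buffer.concat([decipher.update(Buffer.from(record.ct, 'hex')),
                        decipher.final()]).toString('utf8');
}

// Stand-in for the hosting server: it stores and returns opaque records.
const hostStore = new Map();
function hostPut(id, record) { hostStore.set(id, JSON.stringify(record)); }
function hostGet(id) { return JSON.parse(hostStore.get(id)); }

// Constructed sample data.
const PASSPHRASE = 'correct horse battery staple';
const DOCUMENT = 'Constructed sample: scanned passport, page 1';

function demo() {
  hostPut('doc-1', clientSeal(PASSPHRASE, DOCUMENT));
  const stored = hostStore.get('doc-1'); // everything the host holds
  let wrongRejected = false;
  try { clientOpen('wrong pass phrase', hostGet('doc-1')); } catch (e) { wrongRejected = true; }
  return {
    hostSeesPlaintext: stored.includes(DOCUMENT),
    hostSeesPassphrase: stored.includes(PASSPHRASE),
    roundTrip: clientOpen(PASSPHRASE, hostGet('doc-1')),
    wrongRejected,
  };
}
```

The property holds only while the code running on the client is the code that was reviewed; when the host serves the page that performs the encryption, a changed page can capture the pass phrase.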