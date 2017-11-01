

 


Government Privacy Security

Estonia Is Enhancing the Security of Its Digital Identities (medium.com) 14

Posted by msmash from the time-for-an-upgrade dept.
Estonia is upgrading the security of ID cards and digital IDs used by citizens, residents and e-residents. A new certificates update has been developed based on advanced elliptic-curve cryptography, which is more secure and faster than the SSL certificates previously used. From a report: This certificate update will protect users from a potential security vulnerability that the Estonian government announced last month had been identified by a group of security researchers. It has now been confirmed that the vulnerability is contained in software that had previously been installed on the embedded chip used in ID cards around the world, including those issued by Estonia between 16 October 2014 and 25 October 2017. Although the problem is international, minimising the risk and developing a solution has been a top priority for Estonia since the government was informed. However, there have still been no reported incidents of any Estonian digital ID or ID card being misused in the way described by the researchers. Considerable resources and expertise would be required for this so the risk for most people affected has always been low.


  • That is a remarkably fast response to a systematic vulnerability by the government.

    Assuming this is related to the recently disclosed Infineon vulnerability, less than a month has lapsed between public disclosure of the vulnerability and a formal announcement of their affected assets and remediation process.

    I have seen places that would take twice as long just to figure out what is affected in the first place.

    • Re: (Score:2)

      by Entrope ( 68843 )

      The Estonian government was informed of the breach by August 30: http://estonianworld.com/techn... [estonianworld.com]

      Still, it's good that they moved reasonably quickly to use a more secure algorithm.

    • Re: (Score:2)

      by e r ( 2847683 )

      That is a remarkably fast response to a systematic vulnerability by the government.

      Agreed.
      This tells me that they probably planned for exactly this to happen and made sure that all they had to do was upgrade a little piece of software and everything else would still be good.
      But, as you pointed out, this is exactly the sort of planning and foresight one wouldn't expect from a government.

  • >> Considerable resources and expertise would be required for this so the risk for most people affected has always been low

    Turning that around for a moment: in many cases (not "the most") the considerable resources and expertise required to exploit the system would have been worth expending to scam certain individuals (probably those with influence, power, a reputation to sully, etc.)
  • It always amazes me when Americans debate electronic voting. Of course it's bad if you use 15 year old servers [slashdot.org] from the local city council. Now you guys are thinking of creating a biometric identification system [slashdot.org]? Who comes up with this? Why not have a simple PKI setup and hand out ID cards?
    • A reader costs $10. Everyone has them.
    • No papers, no signatures, no fuzzy biometrics. File taxes in 1 minute.
    • No credit cards, only debit. Authenticate instantly and securely. No credit fraud. No identity theft.
    • Vot
    • Also, I would like to add that for years there has been an even better system. They put the keys on a SIM card and you don't even need your ID card or the reader. It's called mobile-id and it's awesome. Whenever you need to authenticate yourself there's an API call to the central system, which sends you an SMS. A tiny program on the SIM card prompts you for your PIN number and sends back the response. Bank transfer on my mobile is almost as simple as a debit payment at a cash register: enter recipient and a
      • Can you spell s i g n a l i n t e r c e p t? There is no "perfect" security platform. From Murphy's Laws of Combat. "If the Enemy can't get in, you can't get out." The ONLY way to keep a password, of any type, secure is to never use it. Copied data files, intercepted cell traffic, phishing, or someone writing down a pass phrase. And if it looks like perfect security from your end, it still has to sit on someone's server. Just like a lock on a door shows an honest man his limits and keeps out
