Belgian EID security storm rises again (and it is not my fault)

If you think that your security is important, and that digitised data is important and should be secured and kept private;

if you think that the identities and transactions of people online or on computers should be secure and private;

then you have to define what secure and private mean, and you have to compare what you are prepared to do or accept with what should be done to keep that data and those transactions private. There is no other way to measure this if you want to build an infrastructure that will use people's personal EID for public or professional transactions. You have to be sure that you can guarantee them the best standards in security.

I don't know about you, but what do you think when

* there is no public platform with open standards and norms that are debated publicly and adapted over time (as NIST does, for example)

* the audit reports about the EID seem to be secret

* there are no audits by totally independent auditors, not linked to any commercial or public stakeholder

* the code for the software is public without any controls (security and quality) and without any certification

* there is discussion about the security mistakes being made in the first and the latest versions of the middleware

I don't think that this amounts to a security guarantee.

And this problem will only grow when real security researchers do real security research on those modules and publish their comments and findings. You can try to suppress some of them for some time, but not all of them all the time.

This is the case for the totally insecure way in which Drupal has made an EID module all by itself, which seems totally public and insecure. By the way, today several other Drupal exploits were published for the sites that use this "Obama tool".

See also: the Zionsecurity research about EID.

If you want to read all the other research about EID that has been published around here in the last few years, click here.

And if you ask me, I am only looking at EID card readers that are US-certified smart card readers adapted for EID, without any middleware from anywhere else. This doesn't make the use of EID on websites with insecure modules like the Drupal one secure, but for internal use it is already the best commercial solution available if you think you should guarantee your users the best privacy and security on the market today for their EID card.

This is not about open source versus closed source; this is about security. Even a good open source project can have very bad security, just like the most closed source in the world (Apple) or the closed source that invests so much in security (Windows). Security is all about controls, audits, procedures and prevention, and having an adequate response and communication strategy. Nothing less. Open source or closed source? Frankly, my dear, I don't give a damn, because if you don't have that, your security and trust will be gone with the wind....

Comments

  • Drupal.org did not make an eID module. It was made by a third-party developer, and the code is hosted on Drupal.org.
    From a technical, internal Drupal point of view, the code is probably secure (no obvious runtime bugs, no SQL injections, etc.), so the code was admitted to drupal.org.
    But from a design point of view the code is of course totally wrong and in violation of Belgian privacy law.
