A public security test conducted on the Covid certificate revealed 136 real or suspected flaws. However, the Confederation considers this number to be normal, given the complexity of the project.
On Thursday, the National Center for Cybersecurity (NCSC) published a report on this test on its site. The test has been in progress since the end of May and is open to professionals and all interested persons who have had access to the source code of the certificate.
The NCSC has released a list of 136 defects identified during the exercise. It specifies that a certain number of “critical” shortcomings, still being analyzed, are not being published for the moment for security reasons. A report will also be published soon by the National Testing Institute for Cybersecurity (NTC).
Flaws linked to the requirements of the authorities
According to the published list, around forty flaws have already been fixed. A solution is being developed for about fifty other problems.
Some flaws are also recognized but will be left as they are, because they are due to express requirements of the Swiss or European authorities, the NCSC underlines. Finally, a certain number of the points raised are not bugs but the result of a poor assessment by the person who made the report.
Various systems and services examined
The test notably targeted the systems generating the certificate (with cryptographic signatures), the services allowing offline decentralized verification and the detection of revoked certificates.
It also covered the communication services that enable the authenticity of the document to be checked (in particular within the framework of the European certificate), as well as the mobile applications (both the one allowing users to save their certificate on their mobile phone and the one provided for verifying authenticity).