Educause Security Discussion mailing list archives

Re: FW: Server-Gateway Cryptography SSL Certificates....are they needed?


From: "Gibbs, Aaron M." <AMGibbs () ST-AUG EDU>
Date: Thu, 23 Feb 2006 15:11:15 -0500

Susan
Thanks for taking the time to speak with me this afternoon.
 
Aaron M Gibbs 
Executive Director 
Center for Information Technology 
Saint Augustine's College 
919-516-4379 (Office) 
919-516-4382 (Fax) 
amgibbs () st-aug edu 
www.st-aug.edu 

"Always be a visionary!" 

-----Original Message-----
From: Mercer, Susan [mailto:smercer () EDMC EDU]
Sent: Thursday, February 23, 2006 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FW: Server-Gateway Cryptography SSL Certificates....are they needed?



 

Hello - 

 

We are implementing a new online admissions application that will store applicants' Social Security numbers.  We will 
also require our applicants to pay their application fee via credit card or e-check before they submit the application.  
We will be using Verisign Payment Services (recently sold to PayPal) for the payment transaction, and we will NOT be 
storing credit card or bank account details in our database.

 

We've also been talking to VeriSign about SSL certificates because we want the entire online session to be secure.  
They are trying to upsell us from the "standard" SSL certificate to one that uses Server-Gateway Cryptography (SGC).  
They claim that standard SSL certificates do not guarantee 128-bit encryption, due to operating system issues.  
According to their report, users on Windows 2000 (without SP4) and Windows 98 will get 40-bit or 56-bit encryption for 
their SSL connections.  They also claim that 40-bit encryption can be hacked by brute force within seconds, and 56-bit 
can be hacked within days.

 

Of course, the cost for SGC SSL certificates is 3 times the cost of the regular ones ($999/yr vs $349/yr).

 

I don't know that much about security, so I thought I would ask the group.

* Are their claims valid about 40-bit and 56-bit encryption?
* Can those really be hacked by brute force that quickly?
* How much of a risk is it to go with a standard SSL certificate?
* Does anyone else out there use SGC SSL Certificates?

 

Any guidance is appreciated.  

 

Thank you,

Susan

 

Susan Mercer | EDMC Online Higher Education 

Web Producer - Student Services

1400 Penn Avenue| Pittsburgh, PA 15222-4332

Office: 412-995-2937 | Cell: 412-327-9423
