Educause Security Discussion mailing list archives
Re: FW: Server-Gateway Cryptography SSL Certificates....are they needed?
From: "Christopher E. Cramer" <chris.cramer () DUKE EDU>
Date: Thu, 23 Feb 2006 15:18:45 -0500
Hi Susan,

Welcome to the wonderful world of SSL salesmen - you have my sympathies.

For quite a while now, SSL vendors have been selling this type of certificate. Thawte calls them SuperCerts; it sounds like Verisign (which owns Thawte) calls them Server-Gateway Cryptography certs. In any event, these certificates are designed to address problems which are no longer relevant.

I don't have the references handy, but basically back in the 90s, strong cryptography (anything over 40 bit encryption) was considered to be a munition and you had to apply for an export license to sell it overseas. I believe that this rule changed around 1999 or maybe 2000 because companies believed that a lack of strong cryptography was putting them at a competitive disadvantage. Before the rule change, some of the SSL vendors created a way to force browsers which in theory only handled 40 bit encryption to handle 128 bit encryption. I don't recall the specific trick, but it meant that non-US versions of browsers could use 128 bit encryption. Before that, only the US versions could handle 128 bit encryption. Of course, once the rule changed, all newer browsers could handle 128 bit encryption.

So, as to your specific questions:

* Their claims about 40 and 56 bit encryption are correct, but irrelevant.
* 40 and 56 bit encryption can be brute forced fairly quickly with specialized hardware and in reasonable periods of time with a regular computer.
* However, this is not an issue for the vast majority of browsers today. If you want to test this, look in your http logs and see how many Netscape/IE 4.x versions you see. The number for which this is an issue is smaller than that.
* We do not use SuperCerts or other "enhanced" certificates.

One last point - you might consider (if possible) a cheaper SSL vendor. SSL provides two things: validation of identity and encryption. A Verisign cert really does nothing more than a GeoTrust, Thawte or other brand of cert, and these cost in the $100 - $150/year range.

I hope this helps.

-chris

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University, Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003 FAX: 919-668-2953 CELL: 919-210-0528

On Thu, 23 Feb 2006, Mercer, Susan wrote:
> Hello -
>
> We are implementing a new online admissions application that will store applicants' Social Security numbers. We will also require our applicants to pay their application fee via credit card or e-check before they submit the application. We will be using Verisign Payment Services (recently sold to PayPal) for the payment transaction, and we will NOT be storing credit card or bank account details in our database.
>
> We've also been talking to VeriSign about SSL certificates because we want the entire online session to be secure. They are trying to upsell us from the "standard" SSL certificate to one that uses Server-Gateway Cryptography (SGC). They claim that standard SSL certificates do not guarantee 128-bit encryption, due to operating system issues. According to their report, users on Windows 2000 (without SP4) and Windows 98 will get 40-bit or 56-bit encryption for their SSL connections. They also claim that 40-bit encryption can be hacked by brute force within seconds, and 56-bit can be hacked within days. Of course, the cost for SGC SSL certificates is 3 times the cost of the regular ones ($999/yr vs $349/yr).
>
> I don't know that much about security, so I thought I would ask the group.
>
> * Are their claims valid about 40-bit and 56-bit encryption?
> * Can those really be hacked by brute force that quickly?
> * How much of a risk is it to go with a standard SSL certificate?
> * Does anyone else out there use SGC SSL Certificates?
>
> Any guidance is appreciated.
>
> Thank you,
> Susan
>
> Susan Mercer | EDMC Online Higher Education
> Web Producer - Student Services
> 1400 Penn Avenue | Pittsburgh, PA 15222-4332
> Office: 412-995-2937 | Cell: 412-327-9423
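Chris's practical test above is to look in the web server logs for Netscape/IE 4.x user agents, since those are the browsers that would actually be limited to 40- or 56-bit ciphers. The script below is an added example (not from either poster) that does this over a few constructed Apache "combined" log lines. It also assumes the log format has been extended with mod_ssl's `%{SSL_CIPHER_USESIZE}x` as a trailing field, so that the negotiated key size is counted directly rather than guessed from the user agent; if that field is absent, the user-agent classification still works on its own.

```python
import re
from collections import Counter

# Constructed sample log lines (not real traffic). Apache "combined" format with an
# assumed extra trailing field: the negotiated SSL key size from
# mod_ssl's %{SSL_CIPHER_USESIZE}x.
SAMPLE_LOG = """\
10.0.0.1 - - [23/Feb/2006:14:02:11 -0500] "GET /apply HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1" 256
10.0.0.2 - - [23/Feb/2006:14:02:15 -0500] "GET /apply HTTP/1.0" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" 40
10.0.0.3 - - [23/Feb/2006:14:03:01 -0500] "GET /apply HTTP/1.0" 200 5123 "-" "Mozilla/4.7 [en] (Win98; U)" 56
10.0.0.4 - - [23/Feb/2006:14:03:40 -0500] "GET /apply HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" 128
10.0.0.5 - - [23/Feb/2006:14:04:02 -0500] "GET /apply HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" 128
"""

# Combined log format; the key-size field at the end is optional.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<bits>\d+))?$'
)
MSIE_RE = re.compile(r'MSIE (\d+)\.')


def classify_ua(ua):
    """Return 'legacy' for 40-bit-era browsers (IE 4.x and Netscape 4.x), else 'modern'.

    Heuristic: IE announces itself as 'MSIE n.'; Netscape 4 sends a bare
    'Mozilla/4.x' token with neither 'compatible' (IE) nor 'Gecko' (Mozilla/Firefox).
    """
    m = MSIE_RE.search(ua)
    if m:
        return 'legacy' if int(m.group(1)) <= 4 else 'modern'
    if ua.startswith('Mozilla/4.') and 'compatible' not in ua and 'Gecko' not in ua:
        return 'legacy'
    return 'modern'


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['bits'] = int(rec['bits']) if rec['bits'] is not None else None
    return rec


def summarize(log_text):
    """Count requests by browser class and by negotiated key size.

    Returns {'ua': {...}, 'bits': {...}, 'weak': [(ip, ua, bits), ...]} where
    'weak' lists sessions that negotiated fewer than 128 bits.
    """
    ua_counts = Counter()
    bit_counts = Counter()
    weak = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua_counts[classify_ua(rec['ua'])] += 1
        if rec['bits'] is not None:
            bit_counts[rec['bits']] += 1
            if rec['bits'] < 128:
                weak.append((rec['ip'], rec['ua'], rec['bits']))
    return {'ua': dict(ua_counts), 'bits': dict(bit_counts), 'weak': weak}


def legacy_share(log_text):
    """Fraction of parsed requests coming from legacy browsers (0.0 if no lines parse)."""
    counts = summarize(log_text)['ua']
    total = sum(counts.values())
    return counts.get('legacy', 0) / total if total else 0.0


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    print('by browser class :', report['ua'])
    print('by key size      :', report['bits'])
    print('legacy share     : %.0f%%' % (100 * legacy_share(SAMPLE_LOG)))
    for ip, ua, bits in report['weak']:
        print('weak session     :', ip, bits, 'bits', ua)
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. Counting the logged key size is the more reliable measure, because the user-agent string is client-supplied and a browser on an old Windows build can report a modern version while still negotiating a weak cipher, which is exactly the Windows 2000/98 case the vendor is pointing at.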