Educause Security Discussion mailing list archives

Re: FW: Server-Gateway Cryptography SSL Certificates....are they needed?


From: "Christopher E. Cramer" <chris.cramer () DUKE EDU>
Date: Thu, 23 Feb 2006 15:18:45 -0500

Hi Susan,

Welcome to the wonderful world of SSL salesmen - you have my sympathies.

For quite a while now, SSL vendors have been selling this type of
certificate.  Thawte calls them SuperCerts; it sounds like Verisign (which
owns Thawte) calls them Server-Gateway Cryptography certs.  In any event,
these certificates are designed to address problems which are no longer
relevant.

I don't have the references handy, but basically back in the 90s,
strong cryptography (anything over 40 bit encryption) was considered to be
a munition and you had to apply for an export license to sell it overseas.
I believe that this rule changed around 1999 or maybe 2000 because
companies believed that a lack of strong cryptography was putting them at
a competitive disadvantage.

Before the rule change, some of the SSL vendors created a way to force
browsers which in theory only handled 40 bit encryption to handle 128 bit
encryption.  I don't recall the specific trick, but it meant that non-US
versions of browsers could use 128 bit encryption.  Before that, only the
US versions could handle 128 bit encryption.

Of course, once the rule changed, all newer browsers handle 128 bit
encryption.

So, as to your specific questions:

* their claims about 40 and 56 bit encryption are correct, but irrelevant.

* 40 and 56 bit encryption can be brute forced fairly quickly with
specialized hardware and in reasonable periods of time with a regular
computer

* however, this is not an issue for the vast majority of browsers today.
if you want to test this, look in your http logs and see how many
netscape/ie 4.x versions you see.  the number for which this is an issue
is smaller than that

* we do not use SuperCerts or other "enhanced" certificates.

one last point - you might consider (if possible) a cheaper ssl vendor.
ssl provides two things: validation of identity and encryption.  a verisign
cert really does nothing more than a geotrust, thawte or other brand of
cert, and these cost in the $100 - $150/year range.

i hope this helps
-chris


--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528
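
One way to run the log check suggested in the reply above, as an added example that is not part of the original thread: it parses Apache combined-format access log lines (a constructed sample is embedded; it is not real traffic), counts requests from the IE 4.x / Netscape 4.x generation of browsers, and separately counts requests whose User-Agent names the OS versions the vendor pitch cites. The log format, regexes, bucket names and sample lines are assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic), one per browser generation.
SAMPLE_LOG = """\
10.0.0.1 - - [23/Feb/2006:14:01:02 -0500] "GET /apply HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.2 - - [23/Feb/2006:14:01:09 -0500] "GET /apply HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
10.0.0.3 - - [23/Feb/2006:14:02:11 -0500] "GET /apply HTTP/1.0" 200 5120 "-" "Mozilla/4.7 [en] (Win98; I)"
10.0.0.4 - - [23/Feb/2006:14:02:30 -0500] "GET /apply HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
10.0.0.5 - - [23/Feb/2006:14:03:00 -0500] "GET /apply HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
"""


def classify_browser(ua):
    """Bucket a User-Agent as the reply suggests: 4.x-era IE and Netscape."""
    if re.search(r"MSIE 4\.", ua):
        return "ie4"
    # Netscape 4 reports "Mozilla/4.x" without the "compatible" token that
    # IE (and others) add when impersonating it.
    if ua.startswith("Mozilla/4.") and "compatible" not in ua:
        return "netscape4"
    return "other"


def cited_legacy_os(ua):
    """True for the OS tokens the vendor pitch names: Windows 98 and
    Windows 2000 (NT 5.0). A User-Agent cannot reveal the service pack."""
    return bool(re.search(r"Win(dows )?98|Windows NT 5\.0", ua))


def audit(log_text):
    browsers, legacy_os, total = Counter(), 0, 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than miscount them
        total += 1
        ua = m.group("ua")
        browsers[classify_browser(ua)] += 1
        legacy_os += cited_legacy_os(ua)
    export_era = browsers["ie4"] + browsers["netscape4"]
    return {
        "total": total,
        "browsers": dict(browsers),
        "export_era_share_pct": round(100.0 * export_era / total, 1) if total else 0.0,
        "cited_legacy_os": legacy_os,
    }
```

Run `audit()` over a real access log to get the share of requests from browsers that would still negotiate export-grade ciphers; the `cited_legacy_os` count is an upper bound, since an OS token alone does not show whether the crypto update is installed.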


On Thu, 23 Feb 2006, Mercer, Susan wrote:

Hello -

We are implementing a new online admissions application that will store
applicants' Social Security numbers.  We will also require our
applicants to pay their application fee via credit card or e-check
before they submit the application.  We will be using Verisign Payment
Services (recently sold to PayPal) for the payment transaction, and we
will NOT be storing credit card or bank account details in our database.

We've also been talking to VeriSign about SSL certificates because we
want the entire online session to be secure.  They are trying to upsell
us from the "standard" SSL certificate to one that uses Server-Gateway
Cryptography (SGC).  They claim that standard SSL certificates do not
guarantee 128-bit encryption, due to operating system issues.  According
to their report, users on Windows 2000 (without SP4) and Windows 98 will
get 40-bit or 56-bit encryption for their SSL connections.  They also
claim that 40-bit encryption can be hacked by brute force within
seconds, and 56-bit can be hacked within days.

Of course, the cost for SGC SSL certificates is 3 times the cost of the
regular ones ($999/yr vs $349/yr).

I don't know that much about security, so I thought I would ask the
group.

* Are their claims valid about 40-bit and 56-bit encryption?

* Can those really be hacked by brute force that quickly?

* How much of a risk is it to go with a standard SSL certificate?

* Does anyone else out there use SGC SSL Certificates?

Any guidance is appreciated.

Thank you,

Susan

Susan Mercer | EDMC Online Higher Education
Web Producer - Student Services
1400 Penn Avenue | Pittsburgh, PA 15222-4332
Office: 412-995-2937 | Cell: 412-327-9423

