Educause Security Discussion mailing list archives
Re: FW: Server-Gateway Cryptography SSL Certificates....are they needed?
From: Graham Toal <gtoal () UTPA EDU>
Date: Thu, 23 Feb 2006 15:03:00 -0600
We've also been talking to VeriSign about SSL certificates because we want the entire online session to be secure. They are trying to upsell us from the "standard" SSL certificate to one that uses Server-Gateway Cryptography (SGC). They claim that standard SSL certificates do not guarantee 128-bit encryption, due to operating system issues. According to their report, users on Windows 2000 (without SP4) and Windows 98 will get 40-bit or 56-bit encryption for their SSL connections. They also claim that 40-bit encryption can be hacked by brute force within seconds, and 56-bit can be hacked within days.
FUD like this is one of the reasons I always give Verisign a 0/10 evaluation when their QA droids phone up asking what we think of their service :-) Honestly, if UT System weren't paying for them for us, I wouldn't have anything to do with them.
* Are their claims valid about 40-bit and 56-bit encryption?
probably, but I'm pretty sure you can configure your web server to refuse a session to anyone who doesn't have the required strength of certificate.
* Can those really be hacked by brute force that quickly?
sort of.
* How much of a risk is it to go with a standard SSL certificate?
how likely is it that an attacker who has access to your wiring also has access to a massively parallel array of processors and will use it to attack one of your web transactions, and how much is that transaction worth to this criminal?
* Does anyone else out there use SGC SSL Certificates?
Not me. The big security issue with a system such as you describe is not how individual web pages are submitted but what is done with the data after it is submitted. Will you have a complete collection of SSNs and credit card numbers sitting online on a M$ web server, for example? The best thing to do if you can is use the CC immediately with your CC company then destroy the info. No record of it, no chance of all your CCs being divulged when someone breaks into your web server.

Don't forget log files. We had a very similar system to what you want which used proprietary software that we discovered was keeping a debugging log of all transactions. Believe me we had words with the company when we found that out! Especially since their techs had remote access to our system for maintenance and we had no way of logging their remote sessions. (That's long fixed, before anyone asks...)

You need a very well protected and maintained system to host this, and you might also consider taking some extraordinary measures to protect the data if your system *does* get hacked. For example by using a one-way hash on key data fields such as SSN and CC, chosen so that even if the file does get divulged, it will take days or weeks to recover each individual item. (This is more damage limitation than prevention, but does make a significant difference to how you handle an intrusion if you get one.)

Hints for a system to run this on:

1) Unix, probably OpenBSD;
2) Only have the SSL web port open, no other ports. Access the console from a local keyboard or if you're very lucky, a physically secure private network (NOT a VPN, VLAN, or any other form of black magic that ends up going over the same insecure switches as your main network)
3) Single-application on the web server, NO helpful utilities such as PHP, server side includes, etc. Block everything else and have a sanity-check filter on incoming URLs to pro-actively defend against buffer overflows and data injection attacks.
If what I'm talking about here doesn't mean anything to you and you think your server will be made secure by buying a $1000 certificate, then you probably shouldn't be embarking on this project ;-) (In which case I'd think about outsourcing and be prepared to pay heavily for some company that is insured and bonded and prepared to make good when *they* get hacked, because that's the best you can hope for - you can't expect to find a service that will be *secure*, no matter how big or expensive they are... in fact the bigger they are, the more likely a corrupt insider who has easy access to your data will sell it to criminals without even needing to hack your servers)

Graham
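The one-way hash on fields such as SSN, as an added example that is not part of the original post: a nine-digit SSN has only 10^9 possible values, so the hash has to be salted per record and deliberately slow before recovery of each item costs days rather than seconds. PBKDF2-HMAC-SHA256, the iteration count, the record format and all function names are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import os
import time

SSN_KEYSPACE = 10**9   # nine decimal digits: every possible SSN
ITERATIONS = 600_000   # assumed work factor; raise until one hash is as slow as you can afford


def protect_field(value, iterations=ITERATIONS, salt=None):
    """Return 'iterations$salt$digest' (hex) for one sensitive field."""
    salt = os.urandom(16) if salt is None else salt  # fresh salt per record
    digest = hashlib.pbkdf2_hmac("sha256", value.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_field(candidate, stored):
    """Re-derive with the stored salt and cost; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def seconds_per_guess(iterations=ITERATIONS, rounds=3):
    """Time one derivation on this machine (best of a few rounds)."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"000000000", b"\x00" * 16, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def days_to_exhaust(sec_per_guess, keyspace=SSN_KEYSPACE, workers=1):
    """Worst-case days to try every value against ONE salted record."""
    return sec_per_guess * keyspace / workers / 86400


if __name__ == "__main__":
    record = protect_field("000123456")  # constructed value, not a real SSN
    print(record, verify_field("000123456", record))
    cost = seconds_per_guess()
    for workers in (1, 1000):  # single core vs. a large parallel array
        print(f"{workers} worker(s): {days_to_exhaust(cost, workers=workers):,.1f} days per record")
```

A salted record cannot be looked up by value without re-deriving against each stored salt, so this fits data that only needs to be verified, not searched.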