Educause Security Discussion mailing list archives

Re: FW: Server-Gateway Cryptography SSL Certificates....are they needed?


From: Graham Toal <gtoal () UTPA EDU>
Date: Thu, 23 Feb 2006 15:03:00 -0600

We've also been talking to VeriSign about SSL certificates
because we want the entire online session to be secure.  They
are trying to upsell us from the "standard" SSL certificate
to one that uses Server-Gateway Cryptography (SGC).  They
claim that standard SSL certificates do not guarantee 128-bit
encryption, due to operating system issues.  According to
their report, users on Windows 2000 (without SP4) and Windows
98 will get 40-bit or 56-bit encryption for their SSL
connections.  They also claim that 40-bit encryption can be
hacked by brute force within seconds, and 56-bit can be
hacked within days.

FUD like this is one of the reasons I always give Verisign a
0/10 evaluation when their QA droids phone up asking what we
think of their service :-)  Honestly, if UT System weren't
paying for them for us, I wouldn't have anything to do with them.


* Are their claims valid about 40-bit and 56-bit encryption?

Probably, but I'm pretty sure you can configure your web server
to refuse a session to anyone who doesn't have the required strength
of certificate.

* Can those really be hacked by brute force that quickly?

Sort of.

* How much of a risk is it to go with a standard SSL certificate?

How likely is it that an attacker who has access to your wiring also
has access to a massively parallel array of processors and will use it
to attack one of your web transactions, and how much is that transaction
worth to this criminal?

* Does anyone else out there use SGC SSL Certificates?

Not me.

The big security issue with a system such as you describe is not
how individual web pages are submitted but what is done with
the data after it is submitted.  Will you have a complete collection
of SSNs and credit card numbers sitting online on a M$ web server,
for example?

The best thing to do if you can is use the CC immediately with
your CC company then destroy the info.  No record of it, no chance
of all your CCs being divulged when someone breaks into your web
server.  Don't forget log files.  We had a very similar system
to what you want which used proprietary software that we discovered
was keeping a debugging log of all transactions.  Believe me
we had words with the company when we found that out!  Especially
since their techs had remote access to our system for maintenance
and we had no way of logging their remote sessions.  (That's
long fixed, before anyone asks...)

You need a very well protected and maintained system to host this,
and you might also consider taking some extraordinary measures to
protect the data if your system *does* get hacked.  For example
by using a one-way hash on key data fields such as SSN and CC,
chosen so that even if the file does get divulged, it will take
days or weeks to recover each individual item.  (This is more
damage limitation than prevention, but does make a significant
difference to how you handle an intrusion if you get one)

Hints for a system to run this on:

1) Unix, probably OpenBSD;

2) Only have the SSL web port open, no other ports.  Access the
console from a local keyboard or if you're very lucky, a physically
secure private network (NOT a VPN, VLAN, or any other form of
black magic that ends up going over the same insecure switches
as your main network)

3) Single-application on the web server, NO helpful utilities
such as PHP, server side includes, etc.  Block everything else
and have a sanity-check filter on incoming URLs to pro-actively
defend against buffer overflows and data injection attacks.

If what I'm talking about here doesn't mean anything to you and
you think your server will be made secure by buying a $1000 certificate,
then you probably shouldn't be embarking on this project ;-)  (In
which case I'd think about outsourcing and be prepared to pay
heavily for some company that is insured and bonded and prepared
to make good when *they* get hacked, because that's the best you
can hope for - you can't expect to find a service that will
be *secure*, no matter how big or expensive they are... in fact
the bigger they are, the more likely a corrupt insider who has
easy access to your data will sell it to criminals without even
needing to hack your servers)


Graham
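
The one-way hash on SSN/CC fields suggested in the message above, as an added example that is not part of the original post and not the author's code. The message names no algorithm; PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample SSN are all assumptions made here.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000      # assumed work factor; tune on your own hardware
SSN_KEYSPACE = 10 ** 9    # a 9-digit SSN has at most 1e9 candidates


def normalize(value: str) -> bytes:
    """Keep digits only so '900-12-3456' and '900123456' hash alike."""
    return "".join(ch for ch in value if ch.isdigit()).encode("ascii")


def protect_field(value: str, iterations: int = ITERATIONS) -> dict:
    """Build the record to store: random per-record salt plus slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(value), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_field(value: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(value),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def days_to_exhaust(seconds_per_guess: float,
                    keyspace: int = SSN_KEYSPACE) -> float:
    """Worst-case single-core time to try every candidate for ONE record."""
    return seconds_per_guess * keyspace / 86_400


def measure_guess_cost(iterations: int = ITERATIONS) -> float:
    """Time one hash on this machine to feed into days_to_exhaust()."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"000000000", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = protect_field("900-12-3456")   # constructed sample, not a real SSN
    print(record)
    print("verifies:", verify_field("900123456", record))
    cost = measure_guess_cost()
    print(f"{cost:.3f} s/guess -> {days_to_exhaust(cost):.0f} days per record")
```

The estimate is for one core; divide it by whatever parallelism you assume the attacker has. The per-record salt is what forces each item to be searched separately, since an unsalted fast hash over a nine-digit space can be tabulated once and reused against every row.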
