Educause Security Discussion mailing list archives

Re: FW: Server-Gateway Cryptography SSL Certificates....are they needed?


From: Mark Newman <mnx () UTK EDU>
Date: Fri, 24 Feb 2006 09:46:57 -0500

Hi Susan-
In my opinion, the best place to start is Schneier's web site -
http://www.schneier.com - if you don't know who Bruce Schneier is, he's
like the Mozart of crypto.

I ~think~ he has a pretty good article that explains SGC and other
things like two-factor authentication (*cough* snake *cough* oil
*cough*)... if you can't find what you need there, I can rifle through my
stuff for a document by another author explaining SGC, etc.

> and we will NOT be storing credit card or bank account details in our
> database.
This is better than most can say.

> We’ve also been talking to VeriSign about SSL certificates because we
> want the entire online session to be secure.
In my opinion, this problem *still* has not been completely solved by
any single product or process.

> They claim that standard SSL certificates do not guarantee 128-bit
> encryption, due to operating system issues.
>
> According to their report, users on Windows 2000 (without SP4) and
> Windows 98 will get 40-bit or 56-bit encryption for their SSL
> connections.  They also claim that 40-bit encryption can be hacked by
> brute force within seconds, and 56-bit can be hacked within days.
All true, but it's that word "guarantee" that they use in their
report... I read it, too, but I never got the free mini RC car they were
trying to give away if you asked for the report and were one of the
first lucky ones to request it.

What "guarantee" does one have that a keystroke logger, for example,
isn't installed on ANY machine regardless of OS? So you pay $999 a year,
a client machine gets compromised, and your "upped" investment goes down
the drain.

I remain unconvinced on applying one-dimensional solutions to
multi-dimensional, pervasive problems.

Mark Newman
University of Tennessee

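A defender-side illustration of the point argued in the exchange above, added here as an example and not part of the original thread: a certificate cannot "guarantee" 128-bit sessions because strength is negotiated with the client, but the server can refuse to offer weaker suites and audit what each client actually negotiated. It uses only Python's standard `ssl` module; the cipher tuples and the `STRICT_CIPHER_SPEC` policy string are constructed samples, not taken from the thread.

```python
"""Server-side TLS cipher-strength policy: offer nothing below 128 bits and
check what was negotiated.  Sample cipher tuples below are constructed."""
import ssl

MINIMUM_BITS = 128  # the floor the thread's VeriSign report is arguing about

# Exclude the 40-bit export suites and 56-bit single DES the thread mentions,
# plus anonymous/null suites; HIGH keeps only >=128-bit symmetric ciphers.
STRICT_CIPHER_SPEC = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!DES:!RC4:!MD5"


def build_strict_context() -> ssl.SSLContext:
    """Server context that will only offer suites of at least 128-bit strength."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(STRICT_CIPHER_SPEC)
    return ctx


def weakest_offered_bits(ctx: ssl.SSLContext) -> int:
    """Smallest symmetric key strength among the suites the context offers,
    so an operator can verify the policy instead of trusting the spec string."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def session_is_strong(cipher_info, minimum=MINIMUM_BITS) -> bool:
    """Post-handshake check on ssl.SSLSocket.cipher(), which returns
    (cipher_name, protocol_version, secret_bits).  A server can close a
    connection that negotiated below the floor instead of serving it."""
    _name, _version, bits = cipher_info
    return bits is not None and bits >= minimum


def audit_sessions(sessions, minimum=MINIMUM_BITS):
    """Summarise a batch of negotiated-cipher tuples for a log or dashboard."""
    weak = [s for s in sessions if not session_is_strong(s, minimum)]
    return {"total": len(sessions), "weak": len(weak),
            "weak_ciphers": sorted({s[0] for s in weak})}


# Constructed sample of what the old clients named in the thread would negotiate
SAMPLE_SESSIONS = [
    ("EXP-RC4-MD5", "SSLv3", 40),        # Win98-era export suite, 40-bit
    ("DES-CBC-SHA", "TLSv1", 56),        # single DES, 56-bit
    ("AES128-SHA", "TLSv1", 128),
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
]

if __name__ == "__main__":
    print("weakest suite offered:", weakest_offered_bits(build_strict_context()))
    print(audit_sessions(SAMPLE_SESSIONS))
```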