Educause Security Discussion mailing list archives
Re: FW: Server-Gateway Cryptography SSL Certificates....are they needed?
From: Mark Newman <mnx () UTK EDU>
Date: Fri, 24 Feb 2006 09:46:57 -0500
Hi Susan- in my opinion, the best place to start is Schneier's web site - http://www.schneier.com - if you don't know who Bruce Schneier is, he's like the Mozart of crypto
I ~think~ he has a pretty good article that explains SGC and other things like two-factor authentication (*cough* snake *cough* oil *cough*)...if you can't find what you need there, I can rifle through my stuff for a document by another author explaining SGC, etc.
and we will NOT be storing credit card or bank account details in our database.
this is better than most can say
We’ve also been talking to VeriSign about SSL certificates because we want the entire online session to be secure.
in my opinion, this problem *still* has not been completely solved by any single product or process
They claim that standard SSL certificates do not guarantee 128-bit encryption, due to operating system issues.
According to their report, users on Windows 2000 (without SP4) and Windows 98 will get 40-bit or 56-bit encryption for their SSL connections. They also claim that 40-bit encryption can be hacked by brute force within seconds, and 56-bit can be hacked within days.
all true but, it's that word "guarantee" that they use in their report...I read it, too but, I never got the free mini RC car they were trying to give away if you asked for the report and were one of the first lucky ones to request it
what "guarantee" does one have that a keystroke logger, for example, isn't installed on ANY machine regardless of OS?
so you pay $999 a year, a client machine gets compromised and your "upped" investment goes down the drain
I remain unconvinced on applying one dimensional solutions to multi-dimensional, pervasive problems
Mark Newman
University of Tennessee