Re: FW: Server-Gateway Cryptography SSL Certificates....are they needed?

[David LaPorte <david_laporte () HARVARD EDU>]

Here's a whitepaper from GeoTrust I was shown a while ago.  Of course,
it's from a Verisign rival looking for business, but the points it
raises are valid.

The 1% of browsers out there that could benefit from SGC certificates
are ancient and riddled with security holes.  I'd require strong
encryption server-side and force the small number of users with issues
to upgrade.

http://www.geotrusteurope.com/resources/media/Techpaper_Myth_of_SGC.pdf


David

Mercer, Susan wrote:
> Hello –
>
>
>
> We are implementing a new online admissions application that will store
> applicant’s Social Security numbers.  We will also require our
> applicants to pay their application fee via credit card or e-check
> before they submit the application.  We will be using Verisign Payment
> Services (recently sold to paypal) for the payment transaction, and we
> will NOT be storing credit card or bank account details in our database.
>
>
>
> We’ve also been talking to VeriSign about SSL certificates because we
> want the entire online session to be secure.  They are trying to upsell
> us from the “standard” SSL certificate to one that uses Server-Gateway
> Cryptography (SGC).  They claim that standard SSL certificates do not
> guarantee 128-bit encryption, due to operating system issues.  According
> to their report, users on Windows 2000 (without SP4) and Windows 98 will
> get 40-bit or 56-bit encryption for their SSL connections.  They also
> claim that 40-bit encryption can be hacked by brute force within
> seconds, and 56-bit can be hacked within days.
>
>
>
> Of course, the cost for SGC SSL certificates is 3 times the cost of the
> regular ones ($999/yr vs $349/yr).
>
>
>
> I don’t know that much about security, so I thought I would ask the group.
>
> ·         Are their claims valid about 40-bit and 56-bit encryption?
>
> ·         Can those really be hacked by brute force that quickly?
>
> ·         How much of a risk is it to go with a standard SSL certificate?
>
> ·         Does anyone else out there use SGC SSL Certificates?
>
>
>
> Any guidance is appreciated.
>
>
>
> Thank you,
>
> Susan
>
>
>
> *Susan Mercer** **|** **EDMC Online Higher Education*
>
> Web Producer - Student Services
>
> 1400 Penn Avenue| Pittsburgh, PA 15222-4332
>
> Office: 412-995-2937 | Cell: 412-327-9423
>
> ===================================================================================
> CONFIDENTIALITY NOTICE: This email and any files transmitted with it are
> confidential and intended solely for the use of the individual or entity
> to which they are addressed. If you are not the intended recipient, you
> may not review, copy or distribute this message. If you have received
> this email in error, please notify the sender immediately and delete the
> original message. Neither the sender nor the company for which he or she
> works accepts any liability for any damage caused by any virus
> transmitted by this email.
> ===================================================================================