Educause Security Discussion mailing list archives
Re: FW: Server-Gateway Cryptography SSL Certificates....are they needed?
From: David LaPorte <david_laporte () HARVARD EDU>
Date: Thu, 23 Feb 2006 16:29:32 -0500
Here's a whitepaper from GeoTrust I was shown a while ago. Of course, it's from a Verisign rival looking for business, but the points it raises are valid. The 1% of browsers out there that could benefit from SGC certificates are ancient and riddled with security holes. I'd require strong encryption server-side and force the small number of users with issues to upgrade.

http://www.geotrusteurope.com/resources/media/Techpaper_Myth_of_SGC.pdf

David

Mercer, Susan wrote:
Hello –

We are implementing a new online admissions application that will store applicants' Social Security numbers. We will also require our applicants to pay their application fee via credit card or e-check before they submit the application. We will be using Verisign Payment Services (recently sold to PayPal) for the payment transaction, and we will NOT be storing credit card or bank account details in our database.

We've also been talking to VeriSign about SSL certificates because we want the entire online session to be secure. They are trying to upsell us from the "standard" SSL certificate to one that uses Server-Gateway Cryptography (SGC). They claim that standard SSL certificates do not guarantee 128-bit encryption, due to operating system issues. According to their report, users on Windows 2000 (without SP4) and Windows 98 will get 40-bit or 56-bit encryption for their SSL connections. They also claim that 40-bit encryption can be hacked by brute force within seconds, and 56-bit can be hacked within days.

Of course, the cost for SGC SSL certificates is 3 times the cost of the regular ones ($999/yr vs $349/yr).

I don't know that much about security, so I thought I would ask the group.

- Are their claims valid about 40-bit and 56-bit encryption?
- Can those really be hacked by brute force that quickly?
- How much of a risk is it to go with a standard SSL certificate?
- Does anyone else out there use SGC SSL Certificates?

Any guidance is appreciated.

Thank you,
Susan

Susan Mercer | EDMC Online Higher Education
Web Producer - Student Services
1400 Penn Avenue | Pittsburgh, PA 15222-4332
Office: 412-995-2937 | Cell: 412-327-9423
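Before enforcing a 128-bit minimum server-side as suggested in the reply above, the share of clients that would be affected can be measured from the server's own TLS logs. The following is an added example, not part of the original thread: it assumes an Apache mod_ssl `CustomLog` format of `%h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x "%{User-Agent}i"`, and the log lines, addresses and user agents are constructed sample data.

```python
import re

# Constructed sample lines in the assumed log format:
#   %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x "%{User-Agent}i"
SAMPLE_LOG = """\
192.0.2.10 TLSv1 AES128-SHA 128 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
192.0.2.11 SSLv3 RC4-MD5 128 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.12 SSLv3 EXP-RC4-MD5 40 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.13 TLSv1 DES-CBC-SHA 56 "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.0.2.10 TLSv1 AES128-SHA 128 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')
MIN_BITS = 128  # policy floor: anything below this would be refused


def audit(log_text, min_bits=MIN_BITS):
    """Summarise how many logged connections negotiated a key below min_bits."""
    total, skipped, weak = 0, 0, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # do not let unparsable lines distort the ratio
            continue
        host, _proto, cipher, bits, agent = m.groups()
        total += 1
        if int(bits) < min_bits:
            weak.append((host, cipher, int(bits), agent))
    return {
        "connections": total,
        "skipped": skipped,
        "weak_connections": len(weak),
        "weak_share": len(weak) / total if total else 0.0,
        "weak_ciphers": sorted({c for _, c, _, _ in weak}),
        "weak_clients": sorted({h for h, _, _, _ in weak}),
        "weak_agents": sorted({a for _, _, _, a in weak}),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `weak_agents` list shows which browser and OS combinations would need to upgrade once the floor is enforced.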