July 24, 2006

Spinnin' Yarns

There's been some serious spin in the air of late. Yesterday, Biometric Access Systems put out some serious action entitled "Biometric lock ensures ultimate security." Now, I'm not going to get on this company about the "ultimate security" thing (although somebody should probably tell them it won't have the effect they intend). Nope - these guys are a small shop, they're in the SOHO/consumer marketplace, and they're probably not used to security outside that environment. Given these factors, leaping on them about their statements (inaccurate though they may be) is probably bad form.

Verisign, on the other hand, ought to know better. They're distributing a white paper about why you should be using SGC ("international") certificates on your web server. In the paper, they make some claims about these certs. For example, they say that "... among leading SSL providers only VeriSign can provide 128-bit SSL encryption—the most powerful money can buy—to virtually every client machine that comes to your site." Reading this, it sounds like Verisign is the only one getting it done, right? The other people can't handle the competition, and just aren't getting the SGC thing done. Then they go on to say that, "SGC-enabled certificates... are the only way you can protect every SSL session with the strongest encryption available to that site visitor... do you and the people you do business with online deserve anything less?" Sounds like you'd have to be some kind of heartless uncaring slime to use an "inferior" non-SGC cert, right? Going by this, it sounds like Verisign is providing some seriously superior technology... but, of course, the truth is a little more interesting.

You see, back in the day, the US government classified strong cryptographic software as a "munition" and hence disallowed its export. Given the restrictions, though, commerce was being impeded, because "export-grade" encryption was insufficient to protect financial transactions. So the government (mostly via the BXA) took the position that software providing strong crypto was OK to export - provided that the strong crypto could only be used with approved institutions. SGC certificates were part of the way that rule was made technically real: specifically, they were the certificates that allowed versions of browsers distributed internationally with crippled cryptographic components to "step up" to 128-bit cryptography during sessions established with those approved financial institutions. To ensure that only approved institutions received certificates, only one CA - Verisign - was granted the authority to issue SGC certs. As an enforcement measure, browser manufacturers basically "hardcoded in" the SGC CA key, and this legacy software has lingered around and around... and around.

So how does that jibe with the implications in the paper? First, Verisign was the CA selected by the US government to fill this role; does that mean that they are providing more innovative or somehow "superior" technology? No. How about the implication that your customers deserve "the best security" and that only SGC certs provide it? One could make the argument that if they really deserve the best, they deserve for someone to tell them that they're using a browser with broken cryptography that doesn't secure the vast majority of their commerce transactions; maybe if somebody really gave a crap about these users, they could point them in the direction of microsoft.com or mozilla.com, where they can download a non-crippled version of the browser free of charge...
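The "step up" described above is keyed off a marker in the server certificate's extended key usage, so an administrator deciding whether an SGC cert is worth paying for can at least check what the certificate actually carries. What follows is an added example, not code from this post or from Verisign: it parses a DER ExtendedKeyUsage value and reports whether it contains the Netscape or Microsoft SGC OID. The OID values are the well-known identifiers (an assumption stated in the code, not something the post gives), and the sample DER bytes are constructed here.

```python
# Added example, not the post's code; the two SGC OIDs are the well-known Netscape and
# Microsoft ExtendedKeyUsage identifiers, and the DER bytes at the bottom are constructed.
NS_SGC_OID = "2.16.840.1.113730.4.1"    # Netscape Server Gated Crypto
MS_SGC_OID = "1.3.6.1.4.1.311.10.3.3"   # Microsoft Server Gated Crypto
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, present in any TLS server cert

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Dotted OID from DER content bytes: base-128 arcs, first two arcs packed as 40*a+b."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def decode_eku(der):
    """Parse an ExtendedKeyUsage extension value (SEQUENCE OF OID) into dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtendedKeyUsage entries must be OIDs")
        oids.append(decode_oid(value))
    return oids

def is_sgc_enabled(eku_der):
    """True if the EKU carries either SGC OID, so an export-grade client could step up."""
    return bool({NS_SGC_OID, MS_SGC_OID} & set(decode_eku(eku_der)))

# Constructed sample EKU values: an SGC-enabled cert (serverAuth plus both SGC OIDs) and
# the serverAuth-only EKU an ordinary non-SGC cert would carry.
SGC_EKU = bytes.fromhex("3021" + "06082b06010505070301"   # SEQUENCE, serverAuth
                        + "06096086480186f8420401"         # nsSGC
                        + "060a2b0601040182370a0303")      # msSGC
PLAIN_EKU = bytes.fromhex("300a" + "06082b06010505070301")
```

Whether the marker is present or not changes nothing for a client that already negotiates 128-bit cipher suites on its own, which is the post's point.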

In other news, Lindsay says Paris h4x0r3d her machine, but it seems to me like she's got other problems.

Posted by Ed at July 24, 2006 06:00 PM
Comments

You know, I've been looking all over the place for a security-minded blogger to address SGC certs. These are nothing more than fool's gold being sold to network and security "professionals" who don't take a little bit of time to analyze whether or not they are a good fit for their organization.

Currently, I'm in a debate with some of my peers about their usefulness. CAs quote that these certs will ensure 99.9% protection. What they fail to mention is that SGC technology is extremely limited in scope and that all the right pieces must be at play in order for it to be useful at all. Old browsers on machines capable of 128-bit encryption... Win2k boxes WITHOUT at least SP4. It has a very specific application that is probably not applicable to most of the security pros that buy into its usefulness today.

If I had a multitude of users overseas who had not done a thing to update their PC since mid-2000, I might be able to convince myself to buy into the hype. Otherwise, the actual segment of clients that would need SGC technology is probably less than 1%... and they can't use SGC anyway!

I'm finished ranting! :) Thanks for your post.

Posted by: Starfan at November 17, 2006 06:14 PM