[ISN] ICSA certifies weak crypto as secure

From: cult hero (jerichoat_private)
Date: Fri May 28 1999 - 00:15:31 PDT

  • Next message: cult hero: "[ISN] SANS Web Briefing, (What an attacker knows about you)"

    Forwarded From: "Jay D. Dyson" <jdysonat_private>
    Originally From: Lucky Green <shamrockat_private>
    Originally To: BUGTRAQat_private
    I am becoming concerned about the apparent lack of professional competence
    within even well-known segments of the security community. I hope the
    incident I discovered is an isolated one, but even a single such incident
    is disquieting.
    There is a site that offers credit reports to consumers called
    ConsumerInfo.com. https://www.consumerinfo.com
    The site owner seems to have tried to do everything right. They joined
    TrustE. They had their site certified by ICSA. They clearly have given
    security a serious thought. But the company and all its customers were
    severely let down by ICSA, since the highly confidential information
    submitted by the user to the site is insufficiently "secured" by 40bit
    TLS.  And it is not as if using 128 bit would have been a challenge. The
    site uses IIS and is located in the US. (Not that deploying 40 bit crypto
    would be acceptable even outside the US).
    I find it frightening to think that somebody calling themselves a security
    professional might even consider certifying a site using 40bit SSL to
    protect crucial customer information. Especially a site in the financial
    sector. Certifying obfuscation as security is an unacceptable level of
    performance by any computer security professional.
    I would like to be able to blame simple ignorance of crypto for this deed,
    which alone would be bad enough coming from a security "professional", but
    I am afraid that's not possible since it is inconceivable that the
    certifying ICSA member was unaware that 128 bit TLS/SSL is industry
    standard. Instead, we must assume that for reasons unknown, but ultimately
    irrelevant, a certification was issued for technology the issuer knew to
    not afford the customer security or simply didn't bother to check the
    crypto strength.  Either way this condemns ICSA (a member of the Gartner
    Group), and reflects very badly on our industry as a whole.
    - --Lucky Green <shamrockat_private>
      PGP 5.x  encrypted email preferred
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: OSAll [www.aviary-mag.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:23:58 PDT