ICSA certifies weak crypto as secure

From: Lucky Green (shamrockat_private)
Date: Thu May 27 1999 - 00:24:26 PDT


    I am becoming concerned about the apparent lack of professional competence
    within even well-known segments of the security community. I hope the
    incident I discovered is an isolated one, but even a single such incident is
    disquieting.
    
    There is a site that offers credit reports to consumers called
    ConsumerInfo.com. https://www.consumerinfo.com
    
    The site owner seems to have tried to do everything right. They joined
    TRUSTe. They had their site certified by ICSA. They clearly have given
    security serious thought. But the company and all its customers were
    severely let down by ICSA, since the highly confidential information
    submitted by the user to the site is insufficiently "secured" by 40-bit TLS.
    And it is not as if using 128-bit would have been a challenge. The site uses
    IIS and is located in the US. (Not that deploying 40-bit crypto would be
    acceptable even outside the US.)
    
    I find it frightening to think that somebody calling themselves a security
    professional might even consider certifying a site using 40-bit SSL to
    protect crucial customer information. Especially a site in the financial
    sector. Certifying obfuscation as security is an unacceptable level of
    performance by any computer security professional.
    
    I would like to be able to blame simple ignorance of crypto for this deed,
    which alone would be bad enough coming from a security "professional", but I
    am afraid that's not possible since it is inconceivable that the certifying
    ICSA member was unaware that 128-bit TLS/SSL is industry standard. Instead,
    we must assume that for reasons unknown, but ultimately irrelevant, a
    certification was issued for technology the issuer knew to not afford the
    customer security, or simply didn't bother to check the crypto strength.
    Either way, this condemns ICSA (a member of the Gartner Group) and reflects
    very badly on our industry as a whole.
    
    --Lucky Green <shamrockat_private>
      PGP 5.x  encrypted email preferred
    
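As an added example, not part of Lucky Green's post, here is a small Python audit of a server's advertised cipher-suite list that separates export-grade (40-bit) suites from ones meeting the 128-bit standard the post refers to. IANA suite names are assumed, and the sample list is constructed for illustration.

```python
# Added example (not from the original post): flag export-grade TLS cipher suites.

# Effective symmetric strength per cipher token in IANA suite names (3DES:
# 168-bit key, ~112-bit effective). Longer tokens are matched first so that
# "DES40_CBC" is not mistaken for "DES_CBC".
_KEY_BITS = {
    "RC4_40": 40, "RC2_CBC_40": 40, "DES40_CBC": 40, "DES_CBC": 56,
    "RC4_128": 128, "3DES_EDE_CBC": 112, "AES_128": 128, "AES_256": 256,
}

def effective_key_bits(suite):
    """Symmetric key strength of an IANA cipher-suite name, or None if unknown."""
    body = suite.split("_WITH_", 1)[-1]
    for token in sorted(_KEY_BITS, key=len, reverse=True):
        if token in body:
            return _KEY_BITS[token]
    return None

def is_export_grade(suite):
    """True for export-marked suites or anything at or below 56 bits of strength."""
    bits = effective_key_bits(suite)
    return "_EXPORT_" in suite or (bits is not None and bits <= 56)

def audit(offered, min_bits=128):
    """Split offered suites into (weak, acceptable, unknown); 128-bit is the floor."""
    weak, acceptable, unknown = [], [], []
    for suite in offered:
        bits = effective_key_bits(suite)
        if is_export_grade(suite) or (bits is not None and bits < min_bits):
            weak.append(suite)
        elif bits is None:
            unknown.append(suite)
        else:
            acceptable.append(suite)
    return weak, acceptable, unknown

# Constructed sample: what an export-restricted server of the era, plus two
# domestic suites, might advertise. 3DES lands in "weak" against a 128-bit floor.
SAMPLE_OFFERED = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for label, suites in zip(("weak", "acceptable", "unknown"), audit(SAMPLE_OFFERED)):
        print(label, suites)
```

Suites whose cipher token is not in the table (for example a NULL cipher) go to the "unknown" list rather than being silently accepted, so the reviewer still has to look at them.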



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:20 PDT