Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)

From: Steve Beattie (steve@private)
Date: Wed Apr 17 2002 - 19:48:09 PDT

Next message: Jere Retzer: "Re: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)"

Previous message: Mark Morrissey: "Re: CRIME DRM Debate Article"
In reply to: George Heuston: "CRIME NIPC DAILY REPORT: 17 APRIL, 2002"
Next in thread: Jere Retzer: "Re: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)"
Reply: Jere Retzer: "Re: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)"
Reply: Daggett, Steve: "RE: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 17, 2002 at 07:34:19AM -0700, George Heuston wrote:
> SSL keys coming up short.  More than 15 percent of the Secure Sockets
> Layer (SSL) servers in the US are using short RSA keys that are in
> danger of being compromised with off-the-shelf products and computing
> resources available to individuals in most medium-size businesses. SSL
> is the de facto standard protocol used to encrypt data going to and
> from Web sites, typically for financial transactions on e-commerce
> sites. If the RSA key is compromised, an attacker is able to impersonate
> the Web site and decrypt traffic intercepted to or from the site.
> (Eweek, 15 Apr)
>
> WWU Comment: The significance of this issue lies in the potential for
> individuals with semi-sophisticated capabilities who have access to
> readily-available resources to take advantage of lesser security key
> implementations of widely used security products.  The stature of SSL
> as the de facto standard offers a false sense of security when using
> the lesser security key implementation in the same manner that fire
> walls and intrusion detection systems that are poorly configured fail
> to provide adequate protection.

It is with great humor that I read this blurb from NIPC, especially
their additional comment. The whole idea of the US federal government
complaining that too many people are using weak encryption when the US
government has been one of the strongest impediments to adopting strong
encryption through its ITAR restrictions (crypto is a munition!) is
just laughable. Alas, Phil Zimmerman wasn't laughing when he was being
threatened with years in jail for distributing PGP.

Of course, using strong crypto only buys you transport security. Given
the depressing state of host security, using SSL to most websites is
like using an armored car to transport your money to a bank made out of
a cardboard box.

-- 
Steve Beattie                               Don't trust programmers? 
<steve@private>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.

application/pgp-signature attachment: stored

Next message: Jere Retzer: "Re: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)"
Previous message: Mark Morrissey: "Re: CRIME DRM Debate Article"
In reply to: George Heuston: "CRIME NIPC DAILY REPORT: 17 APRIL, 2002"
Next in thread: Jere Retzer: "Re: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)"
Reply: Jere Retzer: "Re: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)"
Reply: Daggett, Steve: "RE: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:56 PDT