[10653] in bugtraq


ICSA certifies weak crypto as secure

daemon@ATHENA.MIT.EDU (Lucky Green)
Thu May 27 13:16:55 1999

Message-Id: <000c01bea811$f7a13440$0200a8c0@cypherpunks.to>
Date: Thu, 27 May 1999 00:24:26 -0700
Reply-To: Lucky Green <shamrock@NETCOM.COM>
From: Lucky Green <shamrock@NETCOM.COM>
To: BUGTRAQ@NETSPACE.ORG

I am becoming concerned about the apparent lack of professional competence
within even well-known segments of the security community. I hope the
incident I discovered is an isolated one, but even a single such incident is
disquieting.

There is a site that offers credit reports to consumers called
ConsumerInfo.com. https://www.consumerinfo.com

The site owner seems to have tried to do everything right. They joined
TrustE. They had their site certified by ICSA. They have clearly given
security serious thought. But the company and all its customers were
severely let down by ICSA, since the highly confidential information
submitted by the user to the site is insufficiently "secured" by 40-bit TLS.
And it is not as if using 128-bit would have been a challenge. The site uses
IIS and is located in the US. (Not that deploying 40-bit crypto would be
acceptable even outside the US.)

I find it frightening to think that somebody calling themselves a security
professional might even consider certifying a site using 40-bit SSL to
protect crucial customer information, especially a site in the financial
sector. Certifying obfuscation as security is an unacceptable level of
performance by any computer security professional.

I would like to be able to blame simple ignorance of crypto for this deed,
which alone would be bad enough coming from a security "professional", but I
am afraid that's not possible, since it is inconceivable that the certifying
ICSA member was unaware that 128-bit TLS/SSL is the industry standard. Instead,
we must assume that, for reasons unknown but ultimately irrelevant, a
certification was issued for technology the issuer knew did not afford the
customer security, or that the issuer simply didn't bother to check the crypto
strength. Either way this condemns ICSA (a member of the Gartner Group), and
reflects very badly on our industry as a whole.

--Lucky Green <shamrock@netcom.com>
  PGP 5.x  encrypted email preferred
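The check the post says the certifier should have made (what cipher strength does the server actually negotiate?) can be automated from the wire format. The following is an added example, not code from the post, from ICSA or from the site in question: it builds a TLS 1.0 ClientHello that offers only the export-grade (40-bit) suites from RFC 2246 Appendix A.5, parses the ServerHello a server returns, and grades the negotiated suite by its effective symmetric key length. The ServerHello and alert records used for the offline demonstration are constructed here, not captured from any real server; the `check_server` helper and the brute-force rate of 10^9 keys per second are illustrative assumptions.

```python
"""Grade what a TLS 1.0 server negotiates: export-grade (40-bit) or not.

Added example. Suite codes follow RFC 2246 Appendix A.5. The sample records
at the bottom are constructed for the demo, not captured from a real host.
"""
import os
import socket
import struct

# code -> (name, effective symmetric key bits). 3DES is counted as 112 bits
# because of the meet-in-the-middle attack on triple encryption.
CIPHER_SUITES = {
    0x0001: ("TLS_RSA_WITH_NULL_MD5", 0),
    0x0002: ("TLS_RSA_WITH_NULL_SHA", 0),
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", 128),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 112),
    0x0011: ("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0014: ("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0017: ("TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", 40),
}
# The six suites a 1999 "export" browser would offer; a server that is
# willing to pick one of these is the situation the post complains about.
EXPORT_SUITES = [c for c, (n, _) in sorted(CIPHER_SUITES.items()) if "EXPORT" in n]

TLS10 = b"\x03\x01"           # ProtocolVersion {3,1} = TLS 1.0
HANDSHAKE, ALERT = 0x16, 0x15  # ContentType values
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(suites):
    """TLS 1.0 ClientHello record (RFC 2246 7.4.1.2) offering only `suites`."""
    body = TLS10 + os.urandom(32) + b"\x00"                  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))               # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(hs)) + hs


def parse_server_hello(record):
    """Return the cipher suite code a ServerHello selected, or None if the
    record is not a ServerHello (for example a fatal handshake_failure alert)."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    # body: version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
    if len(body) < 35:
        return None
    off = 35 + body[34]
    if len(body) < off + 3:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def seconds_to_exhaust(bits, keys_per_second=1e9):
    """Worst-case brute-force time for a `bits`-bit key at an assumed rate."""
    return (2 ** bits) / keys_per_second


def assess(record):
    """Grade a server reply to an export-only ClientHello."""
    suite = parse_server_hello(record)
    if suite is None:
        return {"negotiated": False, "verdict": "server refused the offered suites"}
    name, bits = CIPHER_SUITES.get(suite, ("unknown 0x%04x" % suite, None))
    if bits is None:
        verdict = "unknown suite, inspect manually"
    elif bits == 0:
        verdict = "no encryption at all"
    elif bits <= 40:
        verdict = "export-grade: %.0f s to exhaust at 1e9 keys/s" % seconds_to_exhaust(bits)
    elif bits < 128:
        verdict = "weak: below 128-bit industry standard"
    else:
        verdict = "acceptable: 128-bit or better"
    return {"negotiated": True, "suite": name, "bits": bits, "verdict": verdict}


def check_server(host, port=443, timeout=5.0):
    """Live check (network, assumed helper): offer only export suites and grade the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(EXPORT_SUITES))
        return assess(s.recv(4096))


def make_server_hello(suite):
    """Constructed ServerHello selecting `suite` (fixed random, empty session id)."""
    body = TLS10 + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(hs)) + hs


# Constructed samples: a server that accepts RC4-40, and one that answers with
# a fatal handshake_failure(40) alert because it has no export suites enabled.
SAMPLE_EXPORT_HELLO = make_server_hello(0x0003)
SAMPLE_REFUSAL_ALERT = bytes([ALERT]) + TLS10 + b"\x00\x02" + b"\x02\x28"

if __name__ == "__main__":
    print(assess(SAMPLE_EXPORT_HELLO))
    print(assess(SAMPLE_REFUSAL_ALERT))
```

Run against a live host with `check_server("example.invalid")` only where you are authorised to test; a server that answers the export-only ClientHello with a ServerHello has 40-bit suites enabled, while a handshake_failure alert means they are off. Modern TLS stacks will refuse the TLS 1.0 export-only hello outright, which is the expected and correct result.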
