[AUUG-Talk]: What's a padlock worth?

Fri Jan 7 13:23:38 EST 2005

David Bullock writes:
> The questions is - leaving aside the claim made by option A
> - does option A or B provide any more actual protection
> against the consumer trusting a fraudulent site than option
> C?  Given that users don't generally look at their certificates
> (other than to notice the state of the 'golden padlock'), can
> we safely say that the value of the golden padlock is *only*
> in respect of security of data-transmission?

In the dark, dim past, when export controls actually mattered, there were a 
lot of 40/56 bit key length limited SSL implementations shipped in browsers.
In order to satisfy financial institution requirements, these 
implementations would often recognise a special flag in a certificate (if 
it was signed by the right CA) and step up to full 128 bit symmetric keys 
when it was present. This is your option A cert.

Nowadays, modern browsers all support 128 bits, so option A is not worth 
paying for. The certificate vendor may blather on about backwards 
compatibility with historical browsers but, realistically, people who 
haven't uypgraded their browsers for years have larger security problems to 
worry about than a brute force attack on a 56 bit key.

The difference between B and C? How much authentication does B entail? Most 
CA's use the ability to pay an invoice as a key authentication criterion. 
And face it, do your customers know or care about the authentication regime of 
a specific CA? Nope. So long as the little padlock is locked, they are 
"safe".

In practice, the authentication your CA does is worthless. Don't believe 
me? Ask Verisign about the Microsoft certifcate they were duped into 
issuing. The problem is that the authentication in the system is only as 
good as the authentication of the weakest/laziest/dumbest CA in the 
standard list of built in authorities. Therefore, there is no commercial 
incentive for excellence.

> And if we can say that, whom is the cheapest .au-friendly
> certificate provider which has a good presence on the default
> certificate-provider lists shipped with most browsers?

The answer used to be Thawte. But then Verisign bought them, so I don't 
know any more. A quick look at their prices suggests a core competancy of 
highway robbery.

CAcert is free, but they are still working on getting their root cert into 
browsers.

Have you considered self signing? Yes there is an annoying dialog (which 
can be avoided by having clients load your root cert into their browser as 
part of a registration process). In practice, this is every bit as secure 
as the smoke and mirrors you pay for from commercial CAs.

Finally, the real vulnerabilities are often not SSL (which is point to 
point transport), but weaknesses in the end nodes. Databases make 
especially juicy targets.

Michael