[AUUG-Talk]: What's a padlock worth?
michael at paddon.org
Fri Jan 7 13:23:38 EST 2005
David Bullock writes:
> The questions is - leaving aside the claim made by option A
> - does option A or B provide any more actual protection
> against the consumer trusting a fraudulent site than option
> C? Given that users don't generally look at their certificates
> (other than to notice the state of the 'golden padlock'), can
> we safely say that the value of the golden padlock is *only*
> in respect of security of data-transmission?
In the dark, dim past, when export controls actually mattered, there were a
lot of 40/56 bit key length limited SSL implementations shipped in browsers.
In order to satisfy financial institution requirements, these
implementations would often recognise a special flag in a certificate (if
it was signed by the right CA) and step up to full 128 bit symmetric keys
when it was present. This is your option A cert.
Nowadays, modern browsers all support 128 bits, so option A is not worth
paying for. The certificate vendor may blather on about backwards
compatibility with historical browsers but, realistically, people who
haven't uypgraded their browsers for years have larger security problems to
worry about than a brute force attack on a 56 bit key.
The difference between B and C? How much authentication does B entail? Most
CA's use the ability to pay an invoice as a key authentication criterion.
And face it, do your customers know or care about the authentication regime of
a specific CA? Nope. So long as the little padlock is locked, they are
In practice, the authentication your CA does is worthless. Don't believe
me? Ask Verisign about the Microsoft certifcate they were duped into
issuing. The problem is that the authentication in the system is only as
good as the authentication of the weakest/laziest/dumbest CA in the
standard list of built in authorities. Therefore, there is no commercial
incentive for excellence.
> And if we can say that, whom is the cheapest .au-friendly
> certificate provider which has a good presence on the default
> certificate-provider lists shipped with most browsers?
The answer used to be Thawte. But then Verisign bought them, so I don't
know any more. A quick look at their prices suggests a core competancy of
CAcert is free, but they are still working on getting their root cert into
Have you considered self signing? Yes there is an annoying dialog (which
can be avoided by having clients load your root cert into their browser as
part of a registration process). In practice, this is every bit as secure
as the smoke and mirrors you pay for from commercial CAs.
Finally, the real vulnerabilities are often not SSL (which is point to
point transport), but weaknesses in the end nodes. Databases make
especially juicy targets.
More information about the Talk