[LINK] RFI: The Key-Length Currently Needed for SSL Security

Roger Clarke Roger.Clarke at xamax.com.au
Fri Dec 10 08:58:37 AEDT 2010


[The article below suggests that the Chrome browser refuses to permit 
interactions with web-sites that use [presumably, symmetric] keys 
[presumably, for data encryption] shorter than 1024 bits.

[I wonder if it's true?

[If so, I wonder how many organisations can actually deploy 
sufficient computing power to crack 256-bit keys?  And how the cost 
of doing so compares with the benefits extractable from a single set 
of credit-card data?]

[Other possibilities: misunderstanding by the journo, an odd play by 
Transurban, an odd play by the Google Chrome team, a ploy by Google 
Marketing Division to get more press coverage for Chrome, an 
over-enthusiastic Google Chrome team employee putting code into a 
live beta without the authority or knowledge of Google, etc., etc.]


Access denied: how Google gets its way
Date: December 10 2010
The Sydney Morning Herald (Business Section)
MALCOLM MAIDEN
http://www.smh.com.au/business/access-denied-how-google-gets-its-way-20101209-18rga.html?skin=text-only

Google gets bigger by the day, and the Transurban toll road group is 
the latest unlikely company to come into its shadow.

The US group this week soft-launched what might be its most ambitious 
development yet - an internet-infused operating system for computers 
that takes on Microsoft's Windows.

And it has just announced that the number of people using its Google 
Chrome web browser to interact with the internet has tripled in a 
year, from 40 million to 120 million.

Google does not break down Chrome user numbers by country. But you 
can be sure that the Chrome browser is growing quickly here too - and 
Chrome is disallowing financial transactions with Transurban's City 
Link toll road website.

Chrome users who try to use their credit cards to buy a CityLink trip 
are told that the connection is not secure because of a ''disastrous 
misconfiguration'', and that Citylink's server ''needs to be fixed ... 
Chrome won't use insecure connections in order to protect your 
privacy''.

It advises that other browsers may work, and they do. But it says 
they are ''unknowingly or intentionally'' working to get past 
''broken'' servers and adds, ''this doesn't change the fact that the 
servers have a glaring security hole and should be fixed''.

The level of security offered on the Transurban site appears to be 
the issue, but the toll road operator will not be the only company 
that is being bounced by the fastest growing internet browser on the 
planet.

This is a fascinating power play by the company that says its first 
rule is ''do no evil''. Google is rewriting the rules of internet 
financial engagement and creating a new and higher security standard.

And in cutting off sites that do not meet its standards, it is taking 
away the power users have had until now to engage with a site flagged 
by their browser as unsafe: instead of flagging security concerns and 
giving the user the option of proceeding or withdrawing as browsers 
have done in the past, Chrome simply refuses to allow the transaction.

Transurban and Google have been in contact about the problem since 
August, and to date there is no resolution. Transurban believes that 
security on its site is high enough; Google believes it isn't.

CityLink's website security is audited quarterly by an independent IT 
company, Stratsec, at the behest of the companies that issue the 
credit and other transaction cards used on the site, and it received 
a clean bill of ''high security health'' only recently.

Google is maintaining that the CityLink site needs to install 
significantly higher cipher security - raising encryption levels well 
above those that Transurban believes are required by the card issuers.

Most secure websites utilise a suite of cipher keys that contain 
either 128 bits of information, 256 bits or 512 bits. Browsers 
interrogate servers about the keys they use (there are often several).

But Google's Chrome browser sets a higher encryption standard, saying 
when it blocks access to CityLink that the website's operator can 
solve the security problem by installing a 1024 bit cipher key.

Transurban is still in discussions with Google, and the problem is in 
one sense a symptom of the opening up of the browser market that all 
companies that conduct transactions on the internet must adjust to.

When CityLink opened in Melbourne in 2000 the dominant browser was 
Microsoft's Internet Explorer. Today there are a half dozen serious 
players. Internet Explorer still has a 50 per cent share, but the 
open-source Firefox browser has won about a quarter of the market, 
and Chrome is past 10 per cent, and growing rapidly.

But if I were a betting person I would back Google not to budge on 
its security demands, and to win. The group that says its first task 
is to do no evil appears to be on a mission to single-handedly lift 
encryption standards worldwide, and is arguably well on the way to 
succeeding: observers of the arcane world of cyber cipher technology 
tell me that the development issue of the next version of Firefox is 
also now denying users access to payment sites it deems to be unsafe. 
That would give those backing the tougher new regime 35 per cent of 
the browser market, and counting.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
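An added example, not part of Roger's post or the SMH article, showing how a TLS client enforces a minimum cipher strength and protocol version outright, rather than warning and letting the user proceed, which is the refusal behaviour the article attributes to Chrome. One point of terminology the article blurs: 128 and 256 bits are symmetric cipher key sizes, while 1024 bits is the scale of public-key parameters (RSA, Diffie-Hellman); the article does not say which of the two Chrome objected to, so the example only inspects the symmetric strength and protocol version that Python's standard ssl module would negotiate. The 128-bit floor, the TLS 1.2 minimum and the sample negotiated-cipher tuples are assumptions constructed for illustration.

```python
import socket
import ssl

# Policy floor, an assumption chosen for this example: refuse anything whose
# symmetric strength is below 128 bits or that negotiates below TLS 1.2.
MIN_SYMMETRIC_BITS = 128
MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Protocol strings as reported by SSLSocket.cipher(), mapped to the enum
# used for version comparisons.
PROTOCOL_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def policy_context(min_bits=MIN_SYMMETRIC_BITS, min_version=MIN_VERSION):
    """Build a client SSLContext that can only negotiate suites meeting the floor.

    A server that offers nothing acceptable causes the handshake to fail; there
    is no prompt and no way for the user to click through.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    # set_ciphers() governs TLS 1.2 and earlier; TLS 1.3 suites are fixed by
    # OpenSSL and are all at least 128-bit, so they are left as configured.
    names = [
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and c["strength_bits"] >= min_bits
    ]
    if names:
        ctx.set_ciphers(":".join(names))
    return ctx


def offered_ciphers(ctx):
    """Return (name, protocol, strength_bits) for every suite the context may offer."""
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def evaluate_negotiated(cipher, min_bits=MIN_SYMMETRIC_BITS, min_version=MIN_VERSION):
    """Judge the (name, protocol, secret_bits) tuple that SSLSocket.cipher() returns.

    Returns (accepted, reason); the reason is what a client would log or show.
    """
    name, protocol, bits = cipher
    version = PROTOCOL_NAMES.get(protocol)
    if version is None:
        return False, f"unknown protocol {protocol!r}"
    if version < min_version:
        return False, f"{protocol} is below the minimum {min_version.name}"
    if bits < min_bits:
        return False, f"{name} provides only {bits} secret bits (minimum {min_bits})"
    return True, f"{name} over {protocol} with {bits} secret bits"


def connect_and_check(host, port=443, timeout=5.0):
    """Handshake with a live server under the policy context and judge the result.

    Not exercised here (it needs network access); shown as the real-world use.
    """
    ctx = policy_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return evaluate_negotiated(tls.cipher())


# Constructed sample negotiation results, not captured from any real server.
SAMPLE_NEGOTIATIONS = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),  # meets the floor
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),       # meets the floor
    ("ECDHE-RSA-AES256-SHA", "TLSv1", 256),           # strong cipher, old protocol
    ("DES-CBC-SHA", "TLSv1.2", 56),                   # modern protocol, weak cipher
]


def run_examples():
    """Evaluate the constructed samples; returns {cipher_name: (accepted, reason)}."""
    return {name: evaluate_negotiated((name, proto, bits))
            for name, proto, bits in SAMPLE_NEGOTIATIONS}


if __name__ == "__main__":
    for name, (ok, reason) in run_examples().items():
        print("ACCEPT" if ok else "REFUSE", reason)
    print("client would offer:", len(offered_ciphers(policy_context())), "suites")
```

The two rejection branches matter separately: a strong cipher over an obsolete protocol version is refused just as a weak cipher over a current one is, since a bit count alone says nothing about the protocol carrying it.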


