[LINK] RFI: The Key-Length Currently Needed for SSL Security
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Dec 10 08:58:37 AEDT 2010
[The article below suggests that the Chrome browser refuses to permit
interactions with web-sites that use [presumably, symmetric] keys
[presumably, for data encryption] shorter than 1024 bits.
[I wonder if it's true?
[If so, I wonder how many organisations can actually deploy
sufficient computing power to crack 256-bit keys? And how the cost
of doing so compares with the benefits extractable from a single set
of credit-card data?]
[Other possibilities: misunderstanding by the journo, an odd play by
Transurban, an odd play by the Google Chrome team, a ploy by Google
Marketing Division to get more press coverage for Chrome, an
over-enthusiastic Google Chrome team employee putting code into a
live beta without the authority or knowledge of Google, etc., etc.]
Access denied: how Google gets its way
Date: December 10 2010
The Sydney Morning Herald (Business Section)
MALCOLM MAIDEN
http://www.smh.com.au/business/access-denied-how-google-gets-its-way-20101209-18rga.html?skin=text-only
Google gets bigger by the day, and the Transurban toll road group is
the latest unlikely company to come into its shadow.
The US group this week soft-launched what might be its most ambitious
development yet - an internet-infused operating system for computers
that takes on Microsoft's Windows.
And it has just announced that the number of people using its Google
Chrome web browser to interact with the internet has tripled in a
year, from 40 million to 120 million.
Google does not break down Chrome user numbers by country. But you
can be sure that the Chrome browser is growing quickly here too - and
Chrome is disallowing financial transactions with Transurban's CityLink
toll road website.
Chrome users who try to use their credit cards to buy a CityLink trip
are told that the connection is not secure because of a ''disastrous
misconfiguration'', and that CityLink's server ''needs to be fixed.
Chrome won't use insecure connections in order to protect your
privacy''.
It advises that other browsers may work, and they do. But it says
they are ''unknowingly or intentionally'' working to get past
''broken'' servers and adds, ''this doesn't change the fact that the
servers have a glaring security hole and should be fixed''.
The level of security offered on the Transurban site appears to be
the issue, but the toll road operator will not be the only company
that is being bounced by the fastest growing internet browser on the
planet.
This is a fascinating power play by the company that says its first
rule is ''do no evil''. Google is rewriting the rules of internet
financial engagement and creating a new and higher security standard.
And in cutting off sites that do not meet its standards, it is taking
away the power users have had until now to engage with a site flagged
by their browser as unsafe: instead of flagging security concerns and
giving the user the option of proceeding or withdrawing as browsers
have done in the past, Chrome simply refuses to allow the transaction.
Transurban and Google have been in contact about the problem since
August, and to date there is no resolution. Transurban believes that
security on its site is high enough; Google believes it isn't.
CityLink's website security is audited quarterly by an independent IT
company, Stratsec, at the behest of the companies that issue the
credit and other transaction cards used on the site, and it received
a clean bill of ''high security health'' only recently.
Google is maintaining that the CityLink site needs to install
significantly higher cipher security - raising encryption levels well
above those that Transurban believes are required by the card issuers.
Most secure websites utilise a suite of cipher keys that contain
either 128 bits of information, 256 bits or 512 bits. Browsers
interrogate servers about the keys they use (there are often several).
But Google's Chrome browser sets a higher encryption standard, saying
when it blocks access to CityLink that the website's operator can
solve the security problem by installing a 1024 bit cipher key.
Transurban is still in discussions with Google, and the problem is in
one sense a symptom of the opening up of the browser market that all
companies that conduct transactions on the internet must adjust to.
When CityLink opened in Melbourne in 2000 the dominant browser was
Microsoft's Internet Explorer. Today there are a half dozen serious
players. Internet Explorer still has a 50 per cent share, but the
open-source Firefox browser has won about a quarter of the market,
and Chrome is past 10 per cent, and growing rapidly.
But if I were a betting person I would back Google not to budge on
its security demands, and to win. The group that says its first task
is to do no evil appears to be on a mission to single-handedly lift
encryption standards worldwide, and is arguably well on the way to
succeeding: observers of the arcane world of cyber cipher technology
tell me that the development issue of the next version of Firefox is
also now denying users access to payment sites it deems to be unsafe.
That would give those backing the tougher new regime 35 per cent of
the browser market, and counting.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
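Added example (editor's code, not part of the message above or of the SMH article). The article does not say which key Chrome objected to. What can be measured from outside is the length of the RSA modulus in a server certificate's public key, which is the number a "1024-bit" requirement refers to when it is applied to a certificate; a symmetric cipher's 128- or 256-bit key is a separate quantity. The Python below parses a DER SubjectPublicKeyInfo, the structure that `openssl x509 -pubkey -noout` prints in PEM form, reads the modulus, and applies a minimum-length policy. All key material is constructed: the moduli are synthetic integers of the stated bit length, not real RSA keys, and the function names are this example's own.

```python
"""Added example: measure the RSA modulus length of a server public key.

Parses a DER SubjectPublicKeyInfo (the form 'openssl x509 -pubkey -noout'
prints in PEM) and compares the modulus length with a minimum-bits policy.
The sample keys are constructed: their moduli are synthetic integers of the
stated length, not products of two primes.
"""
import base64

RSA_OID_BODY = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """DER INTEGER; a leading zero keeps values with the top bit set positive."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)


def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key (RFC 3279 layout); used here only
    to construct sample input."""
    rsa_public_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_OID_BODY) + DER_NULL)
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; returns (tag, body, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki_body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algorithm, pos = read_tlv(spki_body, 0)
    _, oid_body, _ = read_tlv(algorithm, 0)
    if oid_body != RSA_OID_BODY:
        raise ValueError("not an rsaEncryption key; its strength is measured differently")
    tag, bit_string, _ = read_tlv(spki_body, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_public_key, _ = read_tlv(bit_string, 1)  # skip the unused-bits octet
    tag, modulus_bytes, _ = read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("RSAPublicKey.modulus must be an INTEGER")
    return int.from_bytes(modulus_bytes, "big").bit_length()


def to_pem(spki: bytes) -> str:
    """Wrap DER as a '-----BEGIN PUBLIC KEY-----' block."""
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def load_pem_spki(pem: str) -> bytes:
    """Decode a '-----BEGIN PUBLIC KEY-----' block back to DER."""
    body = "".join(line for line in pem.splitlines()
                   if line and not line.startswith("-----"))
    return base64.b64decode(body)


def check_rsa_key(spki: bytes, minimum_bits: int = 1024) -> dict:
    """Policy check: is the modulus at least minimum_bits long?"""
    bits = rsa_modulus_bits(spki)
    return {"modulus_bits": bits, "minimum_bits": minimum_bits,
            "acceptable": bits >= minimum_bits}


def synthetic_modulus(bits: int) -> int:
    """Constructed odd integer of exactly `bits` bits (not a real RSA modulus)."""
    return (1 << (bits - 1)) | (1 << (bits // 2)) | 1


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(check_rsa_key(build_rsa_spki(synthetic_modulus(bits))))
```

To run this against a live site, save the output of `openssl s_client -connect host:443 </dev/null | openssl x509 -pubkey -noout` and pass it through `load_pem_spki` before `check_rsa_key`. The check deliberately refuses non-RSA keys rather than guessing, since an elliptic-curve or Diffie-Hellman key's bit count is not comparable to an RSA modulus length.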