Thursday, April 17, 2008

Server Gated Cryptography (SGC): Aiding and Abetting?

I’ve made my views on SGC known before, but this week I was asked to restate in a more condensed way.

How’s this?

Enabling Server Gated Crypto on your web servers is tantamount to aiding and abetting cyber criminals.

“Of course it isn’t!” your SSL certificate salesperson will say. “SGC enables all your customers to use super strong 128 bit cryptography, even if they have older browsers.”

There’s the rub. Those older browsers are the only ones that need SGC. Unfortunately, those older browsers are also so full of unpatched security holes that you could encrypt the pipe between the browser and the web server with 256-bit AES and the criminals wouldn’t break a sweat as they collected your customer’s login information or credit card number.

Photo Credit: Drunken Monkey

The bad guys are able to install software on those older, unpatched systems that lives inside the browser or inside the operating system. That malicious software can log keystrokes or view submitted information before it is encrypted by SSL. The rogue software can then submit the collected information to a central place for aggregation and collection by the criminal group.

If you haven’t heard of botnets yet, that’s what we’re talking about here. They’re not new - if you’re a details person, this three-year-old paper on botnets is a good introduction to the topic. Shadowserver Foundation has some interesting stats on bot counts and locations – today they’re showing ~110,000 infected systems. These are only the ones that are actively being controlled by a command and control server, and obviously they’re only the ones that they know of.

As for the accusation of “aiding and abetting”, it’s mostly tongue in cheek, but think about it. I’m no lawyer, and neither is Wikipedia, but this is what the Wikipedia community consensus says:

Where available, aiding and abetting liability generally requires three elements:

  1. an underlying violation by a principal; [AJC: Credit cards are being stolen. Check!]
  2. knowledge of that violation and/or the intent to facilitate the violation; and [AJC: You’ve read this post. Check!]
  3. assistance to the principal in the violation. [AJC: You put up the SGC cert. Check!]

You have visibility into your users' configuration through user-agent info when they connect. Don't give them a false sense of security.
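One way to act on that visibility, as an added example that is not part of the original post: classify the User-Agent header of each request (or each line of a combined-format access log), flag the browser generations old enough to be SGC-dependent, and use the result both to decide when to show an upgrade notice and to measure how many such clients you actually have. The browser families, the version thresholds in `LEGACY_MAX_MAJOR`, the log lines and the addresses are all constructed for illustration; tune the thresholds to your own environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed policy (an assumption, not a list from the post): the highest major
# version of each family that we still treat as a legacy, SGC-dependent browser.
LEGACY_MAX_MAJOR = {
    "MSIE": 5,       # assumption: Internet Explorer 5.x and earlier
    "Netscape": 4,   # assumption: Netscape 4.x and earlier
}

MSIE_RE = re.compile(r"MSIE (\d+)\.")
# Netscape 4.x announced itself as "Mozilla/4.xx [lang] (platform ...)" with no
# "compatible" token; Gecko-based browsers reuse the Mozilla/ prefix, so they are
# excluded separately below.
NETSCAPE_RE = re.compile(r"^Mozilla/(\d+)\.\d+ (?:\[[^\]]*\] )?\((?!compatible)")
# In combined log format the User-Agent is the final quoted field on the line.
LOG_UA_RE = re.compile(r'"([^"]*)"\s*$')


@dataclass
class Client:
    family: str
    major: Optional[int]
    legacy: bool


def classify(user_agent: str) -> Client:
    """Map a User-Agent string to a browser family and a legacy flag."""
    # Opera impersonated MSIE in its UA string; check it first so it is not
    # misclassified as an old Internet Explorer.
    if "Opera" in user_agent:
        return Client("Opera", None, False)
    m = MSIE_RE.search(user_agent)
    if m:
        major = int(m.group(1))
        return Client("MSIE", major, major <= LEGACY_MAX_MAJOR["MSIE"])
    m = NETSCAPE_RE.match(user_agent)
    if m and "Gecko" not in user_agent:
        major = int(m.group(1))
        return Client("Netscape", major, major <= LEGACY_MAX_MAJOR["Netscape"])
    return Client("other", None, False)


def should_warn(user_agent: str) -> bool:
    """Decide, per request, whether to show the upgrade notice to this client."""
    return classify(user_agent).legacy


def legacy_report(log_lines: Iterable[str]) -> Dict[str, object]:
    """Count legacy clients across access-log lines, broken down by family."""
    total = 0
    legacy = 0
    by_family: Dict[str, int] = {}
    for line in log_lines:
        m = LOG_UA_RE.search(line)
        if not m:
            continue  # malformed line: no quoted User-Agent field
        total += 1
        client = classify(m.group(1))
        if client.legacy:
            legacy += 1
            by_family[client.family] = by_family.get(client.family, 0) + 1
    return {"total": total, "legacy": legacy, "by_family": by_family}


# Constructed sample log lines (addresses from the documentation range 203.0.113.0/24).
SAMPLE_LOG: List[str] = [
    '203.0.113.10 - - [17/Apr/2008:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '203.0.113.11 - - [17/Apr/2008:10:01:05 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.78 [en] (Windows NT 5.0; U)"',
    '203.0.113.12 - - [17/Apr/2008:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '203.0.113.13 - - [17/Apr/2008:10:01:11 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"',
    '203.0.113.14 - - [17/Apr/2008:10:01:15 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 6.03 [en]"',
]

if __name__ == "__main__":
    print(legacy_report(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        ua = LOG_UA_RE.search(line).group(1)
        print(f"{'WARN ' if should_warn(ua) else 'ok   '} {ua}")
```

The per-request decision (`should_warn`) is what drives the notice on the login page; the aggregate (`legacy_report`) tells you how large the exposed population is before you decide whether an SGC certificate is buying you anything at all. User-Agent strings are client-supplied and easily spoofed, so treat the classification as a prompt to the user, not as a security control.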

You owe it to your customers to help those with unsafe systems understand the risks and to strongly encourage them to upgrade their systems.

Are you doing the right thing?

Feedback welcome in the comments or by email.
