> Hello,
>
> My commercial company needs to secure its databases and file transmissions.
> We need to reassure the client that our site and his data are secured on
> our application. Therefore, we need to make sure he knows the security
> standard we are using. We would like to use OpenSSL but we need to make sure
> it is fully secured and that an OpenSSL logo will make our clients
> confident.
>
> What is your opinion on this? Should we go for OpenSSL or pay for a
> Verisign licence and logo?
>
> Thanks for your help.

Sorry to be blunt, but the truth is going to be painful. If you have to ask
this question, you are not in any position to reassure anyone that anything
is secure. It takes someone with quite a bit of expert knowledge to do that.

The problem is that security is not some single piece or magic bullet you
hook up, no matter what the Cisco commercials say. Security is, largely and
among other things, the absence of vulnerabilities. So asking what lock to
put on the front door when you don't even know whether or not there is a
back door won't make things secure.

If you're asking the question I think you're asking, and this is about how to
obtain a certificate for a secure web server, the answer is that it depends
upon what your threat model is. Are we dealing with a secure web server that
deals with a very small number of clients, each of which has a previous
relationship with your server? Or are you using the server to establish new
relationships with people who don't know who you are (and thus have no way
other than trusting the certificate issuer to tell if they've really reached
you)?

Seriously, you need an expert. She needs to evaluate the security needs of
your particular application and what threat models it reasonably needs to
resist. Then you can look at what tools and technologies meet those needs
and resist those particular threats.

Or buy a slick blue box with a flashing "secure" light on it and just point
to that when the client asks. That makes people feel good too.

        DS
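
The two threat models the reply contrasts, a handful of clients who already know your server versus strangers who have nothing but a certificate issuer to go on, come down to what the client uses as its trust anchor. The following Go program is an added example, not code from the thread or from the OpenSSL project: it mints a throwaway self-signed certificate (constructed for the example), starts a TLS listener on loopback, and connects twice. The first client trusts only the OS CA store and rejects the certificate because no issuer vouched for it; the second client was handed that exact certificate out of band and pins it as its sole root, so no CA is needed. The function names (`selfSigned`, `startServer`, `connect`, `Demo`) are the example's own; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for "localhost" (constructed for this example).
func selfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// startServer listens on loopback and drives one TLS handshake per connection.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // any verification failure is reported on the client side
			}(c)
		}
	}()
	return ln, nil
}

// connect dials the server with the given trust store; roots == nil means only the OS CA store is trusted.
func connect(addr string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: "localhost", RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo runs both trust models against one self-signed server. systemErr is the
// handshake result under OS CA trust, pinnedErr the result with the cert pinned.
func Demo() (systemErr, pinnedErr, err error) {
	cert, err := selfSigned()
	if err != nil {
		return nil, nil, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return nil, nil, err
	}
	defer ln.Close()
	// Case 1: a stranger has only the public CA store, so a cert no CA vouched for is rejected.
	systemErr = connect(ln.Addr().String(), nil)
	// Case 2: a known client pins the cert it received out of band as its sole trust anchor.
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	pinnedErr = connect(ln.Addr().String(), pool)
	return systemErr, pinnedErr, nil
}

func main() {
	systemErr, pinnedErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("OS CA trust: %v\npinned cert: accepted=%v\n", systemErr, pinnedErr == nil)
}
```

Run it with `go run .` and the first line reports the "unknown authority" style rejection while the second reports `accepted=true`. The point for the original question is that the pinned-certificate client needs no Verisign at all, but only works for clients you can hand a certificate to in advance; the public-trust client is the one that makes a commercial CA necessary, and neither choice says anything about the back-door class of problems the reply warns about.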


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
