This particular exchange ought to be forwarded to every CEO, every stockholder and, hey, everyone who uses a computer.

I was on dozens of radio shows last summer talking about how bad things were going to get if we didn't start really thinking about the foundations of our information infrastructures. Almost invariably the host would ask me to "tell our listeners what they should install right away to make their computers secure." In other words, don't tell me I have to go back and think, just tell me what to buy or download.

We are addicted to shopping. When we want security we go shopping for a colorful box with the word SECURE! in a big yellow splat. We do this even as we read about how the latest rootkits turn our computers into botnets that are more robust than the original Arpanet.

Why is it that people only learn the hard way?

Wes Kussmaul


David Schwartz wrote:
Hello,

My commercial company needs to secure its databases and file
transmissions. We need to reassure the client that our site and his data
are secured on our application. Therefore, we need to make sure he knows
the security standard we are using. We would like to use OpenSSL, but we
need to make sure it is fully secured and that an OpenSSL logo will make
our clients confident.

What is your opinion on this? Should we go for OpenSSL or pay for a
Verisign licence and logo?

Thanks for your help.

	Sorry to be blunt, but the truth is going to be painful. If you have to ask
this question, you are not in any position to reassure anyone that anything
is secure. It takes someone with quite a bit of expert knowledge to do that.

	The problem is that security is not some single piece or magic bullet you
hook up, no matter what the Cisco commercials say. Security is, largely and
among other things, the absence of vulnerabilities. So asking what lock to
put on the front door when you don't even know whether or not there is a
back door won't make things secure.

	If you're asking the question I think you're asking, and this is about how to
obtain a certificate for a secure web server, the answer is that it depends
upon what your threat model is. Are we dealing with a secure web server that
deals with a very small number of clients, each of which has a previous
relationship with your server? Or are you using the server to establish new
relationships with people who don't know who you are (and thus have no way
other than trusting the certificate issuer to tell if they've really reached
you)?

	Seriously, you need an expert. She needs to evaluate the security needs of
your particular application and what threat models it reasonably needs to
resist. Then you can look at what tools and technologies meet those needs
and resist those particular threats.

	Or buy a slick blue box with a flashing "secure" light on it and just point
to that when the client asks. That makes people feel good too.

	DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

-- 
Wes Kussmaul
CIO
The Village Group
738 Main Street
Waltham, MA 02451

781-647-7178


My uncle likes to say that the world’s biggest troubles started when the serpent said, “Try this fruit, and by the way if a bunch of people collectively calling themselves Arthur Andersen signs something it’s the same as if a person named Arthur Andersen signed it.” I don’t get the serpent and fruit part. Must be some Swiss mythology thing. He can be a bit obscure. 

                         P.K. Iggy
                         _How I Like Fixed The Internet_
                           (Tales from the Great Infodepression of 2009
                           and the prosperity that followed)
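The two threat models DS sketches above, worked through on the openssl command line as an added example (this is not code from the thread or from the OpenSSL project). It assumes a throwaway private CA named "Example Private CA" and a server at app.example.com, both invented for the demonstration. A client that already has a relationship with you can be handed ca.crt, or the server certificate's SHA-256 fingerprint, out of band and verify against that alone; a stranger holding only the system trust store cannot, and that gap is exactly what a publicly trusted CA is paid to fill.

```shell
#!/bin/sh
# Added example, not from the thread. Contrasts the two situations DS
# describes: clients with a prior relationship can be given your own CA
# certificate (or a pinned fingerprint) out of band, whereas strangers can
# only rely on a CA they already trust. The CA name and hostname are made up.
set -e

# Build a throwaway private CA and a server certificate issued by it.
make_private_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Private CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" \
        -subj "/CN=app.example.com" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/srv.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.crt" >/dev/null 2>&1
}

# Case 1: a known client that was given ca.crt in advance. Exit 0 on success.
verify_with_private_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/srv.crt" >/dev/null 2>&1
}

# Case 2: a stranger using only the system trust store. The private CA is
# not in it, so verification must fail; exit 0 only if it did fail.
verify_with_public_store_fails() {
    if openssl verify "$1/srv.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Alternative for case 1: pin the server certificate's SHA-256 fingerprint.
cert_fingerprint() {
    openssl x509 -in "$1/srv.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 only if the certificate on disk matches the pinned fingerprint.
check_pin() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Stand-alone run: build the PKI in a temp dir and report both outcomes.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_private_pki "$WORK"
if verify_with_private_ca "$WORK"; then
    echo "known client holding ca.crt: certificate verifies"
fi
if verify_with_public_store_fails "$WORK"; then
    echo "stranger with the system store only: certificate does NOT verify"
fi
echo "fingerprint to hand known clients out of band: $(cert_fingerprint "$WORK")"
```

Pinning the leaf fingerprint is the tightest option for a closed client set, but every certificate renewal then has to be pushed to every client before the old one expires; pinning the private CA instead lets you rotate server certificates freely, at the cost of the CA key becoming the thing you must protect. Neither helps a client who has never heard of you, which is the case DS says only a certificate issuer the client already trusts can cover.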
