On Thu, Apr 27, 2006 at 03:39:47AM -0700, Wakatou (sent by Nabble.com) wrote:
> My commercial company needs to secure its databases and file transmissions.
> We need to reassure the client that our site and his data are secured on
> our application. Therefore, we need to make sure he knows the security
> standard we are using. We would like to use OpenSSL but we need to make sure
> it is fully secured and that an OpenSSL logo will make our clients
> confident.
>
> What is your opinion on this? Should we go for OpenSSL or pay for a
> Verisign licence and logo?
>

Since the other responses make valid points, but are tangential to your question, the real answer is really both.

Verisign is not primarily in the business of selling cryptographic software and hardware. Rather, they sell the business process of issuing certificates. Clients who connect to your e-commerce site will expect certificates from a reasonably reputable CA, such as, for example, Verisign. If you buy a "high assurance" certificate, you will be able to display their logo on your website, and the cost of this may be justified if as a result you are seen to be more reputable by your clients.

You will also need security software (such as OpenSSL) to provide the underlying communications security mechanisms. This alone does not make your site "secure", but it does address certain types of threats (man-in-the-middle or passive eavesdropping).

Other types of security measures are both more mundane (no crypto, nothing hi-tech) and more important.

Not storing excessive customer information on the web server (move it to storage that the web server cannot reach as soon as it is no longer needed there).

Writing robust code, free from SQL injection, cross site scripting, buffer overflows, ...

Properly checking user credentials, ...

Appropriate internal controls for access to sensitive data ...

Neither OpenSSL nor the Verisign logo deal with this class of issues, but good auditors sometimes ask the right questions.

Appropriate training of staff, clear focus on security from management, ...
are also important.

-- 
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
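As an added illustration of two of the "mundane" items in the reply above, code free from SQL injection and proper checking of user credentials, here is a small login check that TLS alone would do nothing for. This is example code written for this page, not from the post or from OpenSSL; the in-memory table, column names and sample users are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example: an in-memory user table with salted, iterated password hashes.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    # Only the salted hash is stored; the clear-text password never reaches the database.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in [("alice", "correct horse"), ("bob", "hunter2")]:  # constructed sample users
        salt = os.urandom(16)
        # Parameterised INSERT: values are bound by the driver, never spliced into the SQL text.
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The pattern the reply warns against: input concatenated into SQL becomes SQL syntax,
    # so a name containing a quote and an OR clause matches every row.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised SELECT: the same input is just a string that matches no row.
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()]


def check_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison: the result does not depend on how many leading bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)
```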