Re: [TLS] Security today

To: Mike <mike-list at pobox.com>
Subject: Re: [TLS] Security today
From: Yoav Nir <ynir at checkpoint.com>
Date: Sat, 29 Mar 2008 00:12:49 +0300
Cc: tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <47EC2A75.2050303 at pobox.com>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <47EC2A75.2050303 at pobox.com>
Sender: tls-bounces at ietf.org

On Mar 28, 2008, at 1:15 AM, Mike wrote:
> Is anyone else concerned about the level of security on the
> Internet today?  I mean everybody is using 1024-bit RSA keys
> which have an estimated 80 bits of security.  (Yet CA's are
> happy to claim that you get 128 or even 256 bits of security
> using them for SSL.)  RSA Labs even states that 1024-bit keys
> are good only until 2010, and they estimate 2048-bit keys
> will protect data until 2030.  Why use such small margins
> anyway?  Processors are already super fast and getting even
> faster.  Who cares if it takes an extra half second to buy a
> book if your financial data will be secure for several more
> decades?

RSA labs' estimate seems a little pessimistic to me, as there has been  
a 64-bit attack on SHA-1 for 2 years and even the original researchers  
haven't got the computing resources to mount it. Sure, the NSA might  
be able to do it, but not your average hacker, competitor or  
moderately-sized botnet.  Given that, I don't see how we scale to 80- 
bits in two years.

Still, Amazon does not make its own certificates. It buys them from  
Verisign or some other commercial CA. That vendor sells them the 1024- 
bit RSA certificate, and nearly every web server certificate I've ever  
seen is 1024-bit (I did see once a 1000-bit key on some site - who  
needs powers of two, anyway?)  I don't know how the negotiation  
between Amazon and Verisign goes, but from both parties' points of  
view, this would require Amazon to use more computing resources (half  
a second is cheap to you, but expensive for a web server - they care),  
or IOW upgrade their server farm. A moderate expense for zero  
perceived security benefits - it won't stop any attacks.

Nor can browser makers enforce minimal security - you don't want to  
make a browser that won't work with Amazon.

I don't think the IETF is the right body for a document such as you  
propose. The admin at Amazon does not read the new RFC list to check  
whether their certificate is still "good enough". I'm not sure what  
the right body is, NIST is probably the one for the US, but even they  
tend to make recommendations only for government bodies.
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Security today
  - From: Mike

References:
- [TLS] Security today
  - From: Mike

Prev by Date: Re: [TLS] Next steps for Client Certificate URL
Next by Date: Re: [TLS] Security today
Previous by thread: Re: [TLS] Security today
Next by thread: Re: [TLS] Security today
Index(es):
- Date
- Thread

Re: [TLS] Security today

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.