From: Ian Grigg <iang @ systemics . com>
Subject: How effective is open source crypto?
Date: Sat, 15 Mar 2003 11:05:14 -0500
To: cryptography @ wasabisystems . com
Message-Id: <200303151105.14524.iang @ systemics . com>

How effective is open source crypto?

http://www.securityspace.com/s_survey/sdata/200302/protciph.html

One measure is to look at how effective the open source crypto regime is in getting product out there. From the above, it is fairly easy to suggest that strong crypto is totally available to all, probably thanks to the efforts of open source crypto providers.

How effective is the SSL cert regime?

Last page showed 9,032,963 servers. This page shows 112,153 servers using certs.

http://www.securityspace.com/s_survey/sdata/200302/index.html

That's right, folks. In the particular case of web browsing, the USAGE of crypto has been relegated to 1% of potential opportunities. (Probably much less than that due to other factors, but 1% makes for a nice soundbite.)

Why? Because a) it is relatively hard to get a server configured with a cert, and b) the browsers discriminate against self-signed certs, forcing administrators to go the more troublesome, costly and frustrating way of requiring purchased and "approved" certs. (For no measurable added value to the security.) (So they don't.)

I suggest that open source crypto has won the crypto wars, and the implementations of SSL have bungled the peace for us.

It is ludicrously easy to encourage more use of crypto, by repairing the browsers and servers in these two ways:

Fix 1. Browsers should not negatively discriminate between self-signed, CA-signed and unprotected HTTP. (For example, browsers might show one icon for the self-signed and another icon for the CA-signed - maybe a branded icon from the CA. There should be no FUD warnings when going from totally unprotected HTTP to connections secured by self-signed certs.)

Fix 2.
Apache and other servers should be configured out of the box automatically with SSL enabled over the default site. (Which means, a self-signed cert [unencrypted on disk] and the server listening on its port.)

(There are plenty of minor fixes as well, such as renaming the self-signed certs to be self-signed. At the moment, they are sometimes incorrectly labelled as "snake oil", thus confusing the users by implying that they are not definitively better than unprotected HTTP.)

To conclude, open source crypto has not shown itself to be effective, at least within the one protocol examined above, but could easily be so with some changes to the implementations.

--
iang

PS: I don't know who Security Space is; there is also another company called Netcraft that provides similar stats, but they do not release the results in so timely a fashion, so conclusions tend to suffer from being already "out of date."
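Fix 2 as it would look in practice, as an added example that is not part of the original post: a POSIX shell script that generates a self-signed certificate with the private key left unencrypted on disk (so the server starts without a passphrase prompt), prints a minimal Apache vhost that serves the default site over SSL, and classifies a certificate as self-signed or CA-signed by comparing issuer to subject, which is the distinction Fix 1 asks browsers to display rather than warn about. It assumes the `openssl` command-line tool (1.1.1 or later, for `-addext`) and Apache's `mod_ssl` directives; the hostname, output directory and `DocumentRoot` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI and
# Apache mod_ssl. Hostnames and paths below are placeholders.

# Generate a self-signed certificate and an unencrypted private key.
#   $1 = output directory, $2 = hostname placed in the CN and SAN
make_self_signed() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # -x509  : emit a certificate signed by its own key instead of a CSR
    # -nodes : write the key unencrypted so the server can start unattended
    # -addext: modern browsers match the hostname against the SAN, not the CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Print a minimal Apache vhost that enables SSL on the default site.
#   $1 = hostname, $2 = directory holding server.crt / server.key
apache_ssl_vhost() {
    host="$1"; dir="$2"
    cat <<EOF
Listen 443
<VirtualHost _default_:443>
    ServerName $host
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    $dir/server.crt
    SSLCertificateKeyFile $dir/server.key
</VirtualHost>
EOF
}

# Report "self-signed" when the issuer DN equals the subject DN,
# otherwise "ca-signed". $1 = path to a PEM certificate.
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Usage: sh selfsigned.sh HOST OUTDIR
if [ "$#" -eq 2 ]; then
    make_self_signed "$2" "$1"
    apache_ssl_vhost "$1" "$2"
    cert_kind "$2/server.crt"
fi
```

The key file written by `make_self_signed` is the part of the proposal that deserves a file-permission check after generation (`chmod 600`), since an unencrypted key readable by other local users gives up the whole session protection; the vhost output is meant to be dropped into the server's configuration directory as-is.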