From: Ian Grigg <iang @ systemics . com>
Subject: How effective is open source crypto?
Date: Sat, 15 Mar 2003 11:05:14 -0500
To: cryptography @ wasabisystems . com
Message-Id: <200303151105.14524.iang @ systemics . com>


How effective is open source crypto?

http://www.securityspace.com/s_survey/sdata/200302/protciph.html

One measure is to look at how effective the
open source crypto regime is in getting
product out there.  From the above, it is
fairly easy to suggest that strong crypto is
totally available to all, probably thanks to
the efforts of open source crypto providers.



How effective is the SSL cert regime?

Last page showed 9,032,963 servers.  This
page shows 112,153 servers using certs.

http://www.securityspace.com/s_survey/sdata/200302/index.html

That's right, folks.  In the particular
case of web browsing, the USAGE of crypto
has been relegated to 1% of potential
opportunities.

(Pprobably much less than that due to other
factors, but 1% makes for a nice soundbite.)

Why?  Because a) it is relatively hard to get
a server configured with a cert, and b) the
browsers discriminate against self-signed
certs, forcing administrators to go the more
troublesome, costly and frustrating way of
requiring purchased and "approved" certs.

(For no measurable added value to the security.)

(So they don't.)

I suggest that open source crypto has won
the crypto wars, and the implementations
of SSL have bungled the peace for us.

It is ludicrously easy to encourage more
use of crypto, by repairing the browsers
and servers in these two ways:

Fix 1. browsers should not negatively
  discriminate between self-signed,
  CA-signed and unprotected HTTP.

  (For example, browsers might show one
  icon for the self-signed and another
  icon for the CA-signed - maybe a
  branded icon from the CA.  There
  should be no FUD warnings when going
  from totally unprotected HTTP to
  connections secured by self-signed
  certs.)

Fix 2. Apache and other servers
  should be configured out of the
  box automatically with SSL enabled
  over the default site.

  (Which means, a self-signed cert
  [unencrypted on disk] and the server
  listening on its port.)

(There are plenty of minor fixes as well,
such as renaming the self-signed certs
to be self-signed.  At the moment, they
are sometimes incorrectly labelled as
"snake oil", thus confusing the users by
implying that that are not definitively
better than unprotected HTTP.)

To conclude, open source crypto has not
shown itself to be effective, at least
within the one protocol examined above,
but could easily be so with some changes
to the implementations.

-- 
iang

PS:  I don't know who Security Space is,
there is also another company called
Netcraft that provides similar stats,
but they do not release the results in
so timely a fashion, so conclusions tend
to suffer from being already "out of date."

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com