From: Lucky Green (shamrock[at]NETCOM.COM)
Date: Thu, 27 May 1999 00:24:26 -0700

I am becoming concerned about the apparent lack of professional competence
within even well-known segments of the security community. I hope the
incident I discovered is an isolated one, but even a single such incident
is disquieting.

There is a site that offers credit reports to consumers called

The site owner seems to have tried to do everything right. They joined
TrustE. They had their site certified by ICSA. They clearly have given
security a serious thought. But the company and all its customers were
severely let down by ICSA, since the highly confidential information
submitted by the user to the site is insufficiently "secured" by 40bit
TLS. And it is not as if using 128 bit would have been a challenge. The
site uses IIS and is located in the US. (Not that deploying 40 bit crypto
would be acceptable even outside the US).

I find it frightening to think that somebody calling themselves a security
professional might even consider certifying a site using 40bit SSL to
protect crucial customer information. Especially a site in the financial
sector. Certifying obfuscation as security is an unacceptable level of
performance by any computer security professional.

I would like to be able to blame simple ignorance of crypto for this deed,
which alone would be bad enough coming from a security "professional", but
I am afraid that's not possible since it is inconceivable that the
certifying ICSA member was unaware that 128 bit TLS/SSL is industry
standard. Instead, we must assume that for reasons unknown, but ultimately
irrelevant, a certification was issued for technology the issuer knew to
not afford the customer security or simply didn't bother to check the
crypto strength. Either way this condemns ICSA (a member of the Gartner
Group), and reflects very badly on our industry as a whole.

- --Lucky Green (
  PGP 5.x encrypted email preferred

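The complaint above is that a certifier signed off on 40-bit export-grade SSL without checking the negotiated cipher strength. The following script is an added example, not part of the original post, showing the check a reviewer can run with Python's standard `ssl` module: it classifies a negotiated cipher tuple (as returned by `SSLSocket.cipher()`) against a 128-bit minimum, enumerates the suites the local OpenSSL build would offer and flags any below that threshold, and probes whether 40-bit export suites can even be configured any more. The sample cipher tuples and the `CONSTRUCTED_SUITES` list are constructed test data; `audit_host` is a helper of mine that opens a real connection and is only called when a hostname is passed on the command line.

```python
"""Cipher-strength audit for a TLS endpoint (added example, standard library only)."""
import socket
import ssl
import sys
from typing import Iterable, List, Mapping, Optional, Tuple

# Floor the post argues for: 128-bit symmetric keys, as opposed to 40-bit export suites.
MIN_SYMMETRIC_BITS = 128

# ssl.SSLSocket.cipher() returns (suite name, protocol version, secret bits).
CipherInfo = Tuple[str, str, Optional[int]]


def is_acceptable(cipher: CipherInfo, min_bits: int = MIN_SYMMETRIC_BITS) -> bool:
    """True when the negotiated suite carries at least `min_bits` of symmetric key."""
    _name, _protocol, bits = cipher
    return bits is not None and bits >= min_bits


def weak_suites(suites: Iterable[Mapping], min_bits: int = MIN_SYMMETRIC_BITS) -> List[str]:
    """Names of suites whose effective strength is below `min_bits`.

    `suites` is in the shape of SSLContext.get_ciphers(): dicts with at least
    'name' and 'strength_bits' (the effective key length, e.g. 112 for 3DES).
    """
    return [s["name"] for s in suites if s["strength_bits"] < min_bits]


def local_weak_suites(min_bits: int = MIN_SYMMETRIC_BITS) -> List[str]:
    """Flag weak suites in the cipher list Python's default context would offer."""
    ctx = ssl.create_default_context()
    return weak_suites(ctx.get_ciphers(), min_bits)


def export_suites_available() -> bool:
    """Whether the local TLS library can still be configured for 40-bit export suites.

    OpenSSL 1.1.0 and later removed them, so set_ciphers("EXPORT") resolves to an
    empty list and raises ssl.SSLError; a True result means the library is ancient.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
    except ssl.SSLError:
        return False
    return bool(ctx.get_ciphers())


def audit_host(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[CipherInfo, bool]:
    """Connect, record the negotiated suite, and judge it (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            negotiated = tls.cipher()
    return negotiated, is_acceptable(negotiated)


# Constructed sample in the shape of SSLContext.get_ciphers(); not real probe output.
CONSTRUCTED_SUITES = [
    {"name": "TLS_AES_256_GCM_SHA384", "strength_bits": 256, "alg_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128, "alg_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112, "alg_bits": 168},
    {"name": "EXP-RC4-MD5", "strength_bits": 40, "alg_bits": 128},
]


if __name__ == "__main__":
    print("weak suites in constructed sample:", weak_suites(CONSTRUCTED_SUITES))
    print("weak suites offered locally:", local_weak_suites())
    print("export suites configurable locally:", export_suites_available())
    if len(sys.argv) > 1:
        suite, ok = audit_host(sys.argv[1])
        print(f"{sys.argv[1]}: negotiated {suite} -> {'OK' if ok else 'TOO WEAK'}")
```

Note that `strength_bits` is the effective key length, not the nominal one: 3DES reports 112 even though the key is 168 bits, and an export RC4 suite reports 40 while the cipher itself is keyed with 128 bits, which is exactly the distinction a certifier needs to check rather than trusting the cipher name.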