From: Russ (Russ.Cooper[at]RC.ON.CA)
To: BUGTRAQ[at]netspace.org
Date: Thu, 27 May 1999 19:23:19 -0400
Subject: Re: ICSA - Certified Sites and Criteria Issues

If ICSA is "constrained by NDAs from discussing the specific issues of any particular ICSA customer's security issues or policy" and "Nearly all of the criteria elements are driven by the customer's security and operational policy-- which is derived from their business objectives and risk management approach." and you say "Do we need to add an "appropriate crypto strength" element to the TruSecure criteria? Yes I guess we do." then what, pray tell, should a consumer visiting https://www.consumerinfo.com/n/security.htm?htm+l glean from the fact that the page linked on their site from your ICSA icon contains the following:

"ConsumerInfo.Com employs sophisticated encryption"

and further states:

"In addition to employing these high-security measures, ConsumerInfo.Com has undergone the rigorous certification process for the International Computer Security Association's (ICSA) Web Certification program. This process examined every aspect of our security precautions, encompassing an on-site inspection of our facility for physical security and policy plus a remote assessment of our potential vulnerabilities to web-based attacks. In addition, the ICSA's certification is a continuous process, repeated several times during the year and renewed annually, so you know ConsumerInfo.Com's security measures are state-of-the-art."

However, the bottom line is that:

- They are *NOT* employing "sophisticated encryption", they're employing the least sophisticated deployable.
- They also say ICSA "examined every aspect of our security precautions", but in fact, you only examined those aspects defined in their policies.
- They also claim that because of your certification, their customers "know ConsumerInfo.Com's security measures are state-of-the-art" when in fact they're *NOT*.
I will not, at this time, question the integrity of ICSA. Nor will I suggest that ConsumerInfo.Com is out-and-out lying. I will, however, suggest that ICSA is tacitly allowing ConsumerInfo.Com to mislead their customers via the ICSA Web Certification approval.

By ICSA not being permitted, by NDA, to discuss certification they have performed, it renders, IMNSHO, the certification itself *worthless*. It would appear that ConsumerInfo.Com has been allowed to say anything they want about their work with ICSA and, by NDA, ICSA cannot rebuke it.

ICSA Web Certification reports should be public, or, not trusted.

Cheers,
Russ - NTBugtraq Editor