Paul,

The concern about having more compared to less is valid. But I guess you must evaluate how much more you are getting for the resources you are spending on the problem.
Using HTTPS (SSL), the data payload is encrypted using a well-tested solution (not using the Export Administration Regulations standards). A 40-bit key has 2 to the power of 40 different keys to crack (1,099,511,627,776 different keys). With the US domestic version, a 128-bit key is used. The keys also change with every new SSL session. Cracking that requires (at least today) hundreds of computers running in parallel working for months. So the worry that data stolen in transit can be decrypted is small.

Using VPN, the data payload is also encrypted using one of many ways. DES encryption is weak and the Linux world will vouch for that. However, there are multiple strong encryption algorithms that can be used.

Since both provide for strong encryption in transit, it makes more sense to put controls around how this data is stored and security on the end points. In my security experience, you are more likely to see issues with people knocking on the front door to get this information than trying to brute-force the data. Make sure you have your perimeter secure and good policies and procedures around the data. You are only as strong as your weakest link, and HTTPS (SSL) or VPN (3DES), I can speculate, are not your weakest link. To speculate again, let's assume someone builds a quantum computer that is capable of operating many factors faster than our fastest machines; then doing both 3DES-VPN and 128-bit SSL will put you ahead as it would take much longer to crack.

Sanjay

-----Original Message-----
From: Stanford [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 8:42 AM
To: Another Security; SEcurity
Subject: Secure Transactions over HTTPS????

How secure is HTTPS?? The question being discussed is: Should people's private information (medical, prescription, banking, etc.) be sent over HTTPS, or should a VPN be involved with HTTPS? I always follow the practice of better to have more than not enough. I am currently using VPN with HTTPS.
I know most, if not all, banking is done over HTTPS, but what about people's medical history and stuff like that? Is HTTPS really secure enough?? Just thought I'd find out what the consensus is on this matter!!

Thanks in advance for your comments,
Paul
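Added example, not part of the thread and not written by either correspondent: a small Python estimator that turns the key sizes mentioned above (40-bit export SSL, 128-bit domestic SSL, DES and 3DES) into expected brute-force times for a given attacker budget, inverts the calculation to show how many key bits a budget of machines and time can actually cover, and shows what per-session keys mean for an attacker who does manage to recover one. The throughput figure (`KEYS_PER_SECOND_PER_MACHINE`), the machine count and the budget are constructed assumptions chosen to make the arithmetic visible, not measurements of any real hardware.

```python
"""Brute-force cost estimator for the symmetric key sizes discussed in the thread.

Added example. Throughput, machine counts and budgets are constructed
placeholders for illustration; they are not measurements.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumption: keys tried per second by one machine.
KEYS_PER_SECOND_PER_MACHINE = 1e9

# Key sizes named in the thread. 3DES is listed at its effective strength
# (112 bits, because of the meet-in-the-middle attack), not its 168-bit key.
CIPHERS = {
    "export SSL (40-bit)": 40,
    "DES (56-bit)": 56,
    "3DES (112-bit effective)": 112,
    "domestic SSL (128-bit)": 128,
}


def keyspace(key_bits: int) -> int:
    """Number of distinct keys for a key of key_bits bits (2 ** key_bits)."""
    return 1 << key_bits


def expected_seconds(key_bits: int, rate: float, machines: int,
                     fraction: float = 0.5) -> float:
    """Expected wall-clock seconds for an exhaustive key search.

    On average the correct key is found after trying half the space, so
    fraction defaults to 0.5. rate is keys/second per machine; machines run
    in parallel with no coordination overhead (an optimistic attacker model).
    """
    total_rate = rate * machines
    return keyspace(key_bits) * fraction / total_rate


def bits_searchable(rate: float, machines: int, seconds: float) -> float:
    """Inverse view: log2 of the number of keys a budget can try.

    A cipher whose key size is well above this figure is out of reach of
    that budget by exhaustive search, whatever the attacker's patience.
    """
    return math.log2(rate * machines * seconds)


def sessions_recoverable(budget_seconds: float, key_bits: int,
                         rate: float, machines: int) -> int:
    """How many independent session keys a budget recovers by brute force.

    Because SSL negotiates a fresh key per session, each recovered key only
    exposes one session; the attacker pays the full search cost again for
    the next one.
    """
    per_session = expected_seconds(key_bits, rate, machines)
    return int(budget_seconds // per_session)


def compare(rate: float, machines: int) -> dict:
    """Expected search time in years for each cipher in CIPHERS."""
    return {name: expected_seconds(bits, rate, machines) / SECONDS_PER_YEAR
            for name, bits in CIPHERS.items()}


if __name__ == "__main__":
    machines = 100  # constructed assumption
    print(f"{machines} machines at {KEYS_PER_SECOND_PER_MACHINE:.0e} keys/s each")
    for name, years in compare(KEYS_PER_SECOND_PER_MACHINE, machines).items():
        print(f"  {name:28s} {years:12.3e} years")
    covered = bits_searchable(KEYS_PER_SECOND_PER_MACHINE, machines, SECONDS_PER_YEAR)
    print(f"one year of that budget searches about 2^{covered:.1f} keys")
    print("40-bit session keys recoverable in that year:",
          sessions_recoverable(SECONDS_PER_YEAR, 40, KEYS_PER_SECOND_PER_MACHINE, machines))
    print("128-bit session keys recoverable in that year:",
          sessions_recoverable(SECONDS_PER_YEAR, 128, KEYS_PER_SECOND_PER_MACHINE, machines))
```

The useful output is the `bits_searchable` line: it tells you directly which of the key sizes in the thread a given budget can exhaust, so the same estimator can be re-run with whatever throughput figure you believe is realistic instead of the constructed one here.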
