Question

Congratulations! You have just been appointed as the new head of cryptographic engineering at softoo.com, an online retailer specialising in soft toys. Since its foundation in Surrey, five years ago, the company has grown to have an annual revenue in the billions and more than 100 million regular customers. The company is very proud of its green credentials, specialising in reducing and recycling toy packaging. You set about conducting an internal review of the company's cryptographic infrastructure. You find that the company authenticates its customers to the website using a standard username/password approach, with MD5 hashes of the passwords being stored alongside usernames in a back-end database. The entire softoo.com site is served over http instead of https because your predecessor was concerned about the costs of supporting encryption. After recovering from the shock of realising that your predecessor was likely to have very limited knowledge of cryptographic security best practices, you decide to write a briefing note for the Chief Information Security Officer (CISO) of softoo.com. This note will describe the problems you've found, along with their likely security impacts and possible consequences for the business. It will also recommend remediations for these problems, including rationale for these recommendations. Your note will include timelines for implementing the remediations and any costs that you anticipate. Yourtask in this question is to produce the first draft of this note. Keep in mind thatthe CISO is smart, but cryptographically rusty, so your note will need to provide an appropriate level of detail for any solutions you propose.

Fig: 1

Fig: 2

Fig: 3