[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Phone call for Mr. Doligez, was Re: SSL challenge -- broken !



jweis wrote: 
> I have to agree, Netscape may spend some energy to upgrade their 
> encryption, but it really won't buy them all that much.   SSL, to me, is 
> like using a "security envelope" to mail cash or putting the club on your 
> car.  It presents just enough of an obstacle to keep honest people honest.

This is the problem of using "physical" world analogies with the network.
A similar argument that is posited is that "Sure its not 100% secure but
its better than the carbons from a receipt (now gone) or people who
don't shred their garbage." I respond that the network isn't the "real"
world so the laws of physics don't apply. Someone in Boston MA is unlikely
to fly into Sunnyvale to paw through my garbage, but it would be "trivial"
for them to see my receipt go flashing by can throw some spare compute
cycles at breaking it. A snooper/cracker program on a "spare" machine
might yield a half dozen credit cards a week. 

I prefer the attitude of better vigilance through layered encryption. That
is the transaction might be 40bit RC4 but the "jewels" (otherwise known
as the credit authorization information) should be DES3. 

--Chuck

Just my opinion of course.