Re: SSLeay - Whats the story...

On Fri, 4 Aug 1995, Alex Tang wrote:

> just wondering but...What are the intrinsic points of weakness?  

Perry Metzger and Mark Chen have recently expressed some criticism, and
Adam Shostack, around the end of May, posted a review that highlighted a
number of potential problem areas.

Personally, I especially dislike the use of RC4-40 (yes, other algorithms 
are supported, but not using the export version of Netscape Navigator); 
the excessively large portion of the handshaking data exchanged as 
cleartext; and the limitations in certificate management (no provisions 
for verifying the revocation status with a CA).