Re: Phone call for Mr. Doligez, was Re: SSL challenge -- broken !



Peter Wayner writes:

| I don't think that there is any serious worry for Netscape. Their
| security is fine-- it's just crippled by the US Government. They
| could probably start distributing binary versions of their software
| that used full 128 bit keys in several hours. It's just that the
| Government gets pissed off about these things.

	I'm not sure I trust their security.  I know I have no reason
to; their server comes as 14.9mb of object code.  I know of no vendor
who ships a bug-free 14mb product.  (To be more than fair, most of
those binaries are relatively small, on the order of 250k.)  As RTM,
Sr. asked, if your programs are buggy, what does that say about their
security?

	(Not that I'm offering up exploits; simply saying that I
suspect there are problems, and that those problems can make whatever
security SSL does or doesn't offer moot).

	The operative question is not one of 'what is the cost of
breaking SSL relative to the financial gain?' but 'what is the cost of
breaking or bypassing SSL relative to the risk involved and the
financial gain?'

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume