[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(fwd>>)309,485,009,821,345,068,724,781,056



--- begin forwarded text

From: "John Hemming - CEO MarketNet"  <[email protected]>
Date:  Thu, 17 Aug 1995 08:39:37 AM PDT
To: [email protected]
Mime-Version: 1.0
Subject: 309,485,009,821,345,068,724,781,056

Like .. er ... a big number maan.

"SSL" has not been cracked "EXPORT SSL" has been cracked.  Then
if someone in the next few years can crack SSL with a confidential
master key of 128 bits with 2^88 as many required key checks (say
half the keyspace at 2^87 as our mate Damien did) then that will be
a much bigger story.

Then again it was not me floating last week ....

In the mean time we encounter the usual inane US government's
export restrictions.  Can someone put in a word for me please ...

Please Please Please Mr Clinton .... keep those export regulations
It gives people like myself a major commercial lead in provision of
encryption software.

So what can we do.

Well not being a very trusting soul at times I tried out sending the
01 (SSL 128 bit confidential) message to an export Netscape browser and
lo and behold it came up with a cipher conflict.  Well that would have
been an easy way out.

Realistically my internal browser is almost at beta test level and
we will put cipher 01 in our selection of ciphers as well as cipher
2.  We will also make available our browser to link securely to our
servers.

If anyone outside US/CA wants work done to bring their systems
up to 128 bit confidential ciphers please email
[email protected]

(JHC plc - JHC Internet Services - yes it does mean John Hemming & Co)

In the mean time:

My credit card number is 5434 8012 0900 2563 expires 3/97
My name is John A M Hemming
My address is 15, Chantry Road, Moseley, Birmingham B13 8DL

Who loses if you use that:

Firstly, I now have to check my
credit card statements for items that are not mine.  This will be
a pain, but it makes a point clear.

Secondly, if you use it you will be breaking the law.

Thirdly, when the merchant has to refund up to 6 months of trading
turnover on any duff orders the merchant will be seriously upset.

My name and address are a matter of public record in the UK. I have
only made the job easier by putting all of the information in one place.
The card number and expiry date are available in any one of a number
of places.  (As a City Councillor in Birmingham my address has to be
available to the public).

1.  Export SSL is good enough for credit card numbers.
2.  My bank account is protected by export SSL (I mean that you
     need to crack export SSL to look at the balances)
     Alternatively you can phone up the bank and pretend to be
     the police/head office/inland revenue and ask them.
3.  Export SSL or even import SSL is not good enough for entering
     into contracts.  Digital signatures are needed for that.

In the mean time .....

I have managed to implement PGP into my workhorse program (which
is gradually coming up to beta standard).  It seems interoperable with
the PGP.exe file in Europe.  (As long as you keep the message reasonably
short)

This allows two interesting additions

<A HREF="mailto:[email protected]">

has been extended to

<A HREF="mailto:[email protected]" PGPKEY="abcddbdb etc">

When you click on that it does a mailto, but also loads the PGP key
(public key and userid packets).  The program saves both the
plaintext and encrypted version and then mails out the encrypted
version.  The PGP key packet has to have the same email address
as that in the mailto otherwise the program will freak.

see

http://mkn.co.uk/

Which uses that.

Similarly

<FORM HREF="mailto:[email protected]" PGPKEY="asdfj">

allows the encryption of a form before it is mailed.  I do have a test
form somewhere try the pages in
http://mkn.co.uk/help+dir+test\*.*

This is quite a nice solid way of ensuring high level encryption for
passing around confidential information from forms.  Sadly the
program that does it
ftp://193.119.26.70/mktnet/pub/horse.zip
is still a little flaky.

Once I have finished off getting 128 bit confidential SSL built into
my program I shall be putting in the extensions for electronic cheques
(probably today or tomorrow, but I won't be putting that on release
even as alpha for the moment).

see
http://mkn.co.uk/help/policy/htmlext
for more details.

John
--- end forwarded text


-----------------
Robert Hettinga ([email protected])
Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131
USA (617) 323-7923
"Reality is not optional." --Thomas Sowell
>>>>Phree Phil: Email: [email protected]  http://www.netresponse.com/zldf <<<<<