[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSL challenge -- broken !




John Pettitt <[email protected]> writes:
>On Wed, 16 Aug 1995, Damien Doligez wrote:
>>   The exportable SSL protocol is supposed to be weak enough to be
>>   easily broken by governments, yet strong enough to resist the attempts
>>   of amateurs.
>
>Exactly.
>
>>               It fails on the second count.  Don't trust your credit
>>   card number to this protocol.
>
>Huh?  So you run on 120 workstations worth how much?  to steal a credit
>card number worth how much?  Get real - there are hundreds of ways
>to get credit card numbers that cost less.  ...

SSL can of course be used to protect information other than credit card #s.
It is supposed to be strong enough to resist the attempts of amateurs, yet
it was broken not by a government, not by a three letter agency, not by a
major corporation, but by a grad student with a lot of spare cycles.

In other words, it was broken by an amateur.  The real issue is not cc#s,
the real issue is: does it do what it was designed to do (foil amateur
attempts), and the answer is: no, not so long as it is export-restricted
to only 40 secret bits of key.

--
David R. Conrad, [email protected], http://www.grfn.org/~conrad
Finger [email protected] for PGP 2.6 public key; it's also on my home page
Key fingerprint =  33 12 BC 77 48 81 99 A5  D8 9C 43 16 3C 37 0B 50
Jerry Garcia, August 1, 1942 - August 9, 1995.  Requiescat in pace.