Re: SSL challenge -- broken !

John Pettitt <[email protected]> writes:
>On Wed, 16 Aug 1995, Damien Doligez wrote:
>>   The exportable SSL protocol is supposed to be weak enough to be
>>   easily broken by governments, yet strong enough to resist the attempts
>>   of amateurs.
>>               It fails on the second count.  Don't trust your credit
>>   card number to this protocol.
>Huh?  So you run on 120 workstations worth how much?  to steal a credit
>card number worth how much?  Get real - there are hundreds of ways
>to get credit card numbers that cost less.  ...

SSL can of course be used to protect information other than credit card #s.
It is supposed to be strong enough to resist the attempts of amateurs, yet
it was broken not by a government, not by a three letter agency, not by a
major corporation, but by a grad student with a lot of spare cycles.

In other words, it was broken by an amateur.  The real issue is not cc#s,
the real issue is: does it do what it was designed to do (foil amateur
attempts), and the answer is: no, not so long as it is export-restricted
to only 40 secret bits of key.

David R. Conrad, [email protected], http://www.grfn.org/~conrad
Finger [email protected] for PGP 2.6 public key; it's also on my home page
Key fingerprint =  33 12 BC 77 48 81 99 A5  D8 9C 43 16 3C 37 0B 50
Jerry Garcia, August 1, 1942 - August 9, 1995.  Requiescat in pace.