Bugtraq mailing list archives
Re: SSL message broken
From: mcclung () nawc690 chinalake navy mil (Scott McClung)
Date: Fri, 18 Aug 1995 11:00:57 -0700
Hi,
There are only limited repercussions: the SSL that was broken was the 40-bit key exportable version that NetScape are forced to sell to non-US citizens. The domestic version uses 128-bit keys and so is virtually impossible to break. The real problem is the US ITAR export laws; they cripple US industry by forcing them to sell inferior products internationally, thus putting them at a large commercial disadvantage. Normal SSL is fine; the exportable version has been crippled and thus you are at risk from someone with access to significant computing power. If the SSL connections were allowed to be conducted with full security then there would not be a problem.
Netsite can be configured to not support the crippled RC4/RC2 methods, which is the way we've chosen to run it for security reasons. It means that you have to get the non-exportable version of Netscape, but that's not really a big deal.

If anyone is interested, Netscape's Commerce Server can be set to use a combination of the following:

    RC4 (128 bits)
    RC4 (40 bits)
    RC2 (128 bits)
    RC2 (40 bits)
    IDEA (128 bits)
    DES (64 bits)
    DES with EDE 3 (192 bits)

It's implied in the documentation that the client (browser) and server negotiate an encryption method for a session. As for which of the non-crippled ciphers are better, I have no idea. Anyone reading this know what 'DES with EDE 3' is?

Later.

--
/* Scott McClung
 * Software Engineer/UNIX System Administrator, SAIC
 * mcclung () imt saic com
 * mcclung () nawc690 chinalake navy mil
 */
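The effect of the server setting described in the message above, as an added example that is not part of the original post or Netscape's code: a model of cipher negotiation using the cipher list from the message. The short cipher labels, the strongest-first server preference, the selection rule and the two client offers are assumptions made for illustration.

```python
# Nominal key sizes exactly as listed in the post; the short labels are ours.
CIPHERS = {
    "RC4-128": 128, "RC4-40": 40,
    "RC2-128": 128, "RC2-40": 40,
    "IDEA-128": 128, "DES-64": 64,
    "3DES-EDE-192": 192,
}

def server_policy(min_bits):
    """Ciphers the server enables: everything at or above min_bits,
    ordered strongest first (the ordering is an assumption)."""
    enabled = [c for c, bits in CIPHERS.items() if bits >= min_bits]
    return sorted(enabled, key=lambda c: -CIPHERS[c])

def negotiate(client_offer, server_enabled):
    """Return the first server-preferred cipher the client also offers.
    None means no common cipher, so the handshake fails."""
    offered = set(client_offer)
    for cipher in server_enabled:
        if cipher in offered:
            return cipher
    return None

# Constructed client offers: an export browser limited to 40-bit ciphers
# and a domestic browser that supports the whole list.
CLIENTS = {
    "export": ["RC4-40", "RC2-40"],
    "domestic": list(CIPHERS),
}

def audit(server_enabled):
    """Map each sample client to the cipher it would end up with."""
    return {name: negotiate(offer, server_enabled)
            for name, offer in CLIENTS.items()}

if __name__ == "__main__":
    print("40-bit enabled :", audit(server_policy(min_bits=0)))
    print("40-bit disabled:", audit(server_policy(min_bits=41)))
```

With the 40-bit ciphers left enabled, the export client gets a session at 40 bits; with them disabled it gets no session at all, which is why the message says users need the non-exportable browser.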