Bugtraq mailing list archives

Re: SSL message broken


From: mcclung () nawc690 chinalake navy mil (Scott McClung)
Date: Fri, 18 Aug 1995 11:00:57 -0700


Hi,

There are only limited repercussions: the SSL that was broken was the 40-bit
key exportable version that Netscape are forced to sell to non-US
citizens. The domestic version uses 128-bit keys and so is virtually
impossible to break. The real problem is the US ITAR export laws; they
cripple US industry by forcing them to sell inferior products internationally,
thus putting them at a large commercial disadvantage.

Normal SSL is fine; the exportable version has been crippled, and thus you
are at risk from someone with access to significant computing power. If
SSL connections were allowed to be conducted with full security then there
would not be a problem.

Netsite can be configured to not support the crippled RC4/RC2 methods,
which is the way we've chosen to run it for security reasons.  It means
that you have to get the non-exportable version of Netscape, but that's
not really a big deal.

If anyone is interested, Netscape's Commerce Server can be set to use
a combination of the following:

RC4 (128 bits)
RC4 (40 bits)
RC2 (128 bits)
RC2 (40 bits)
IDEA (128 bits)
DES (64 bits)
DES with EDE 3 (192 bits)

It's implied in the documentation that the client (browser) and server
negotiate an encryption method for a session.

As for which of the non-crippled ciphers are better, I have no idea.
Anyone reading this know what 'DES with EDE 3' is?

Later.
--
/* Scott McClung
 * Software Engineer/UNIX System Administrator, SAIC
 * mcclung () imt saic com
 * mcclung () nawc690 chinalake navy mil
 */
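An added example, not from the original post or from Netscape's products: a simplified Python model of the client/server cipher negotiation and the server-side policy the post describes, using the cipher list it gives. The suite names, the effective key-bit figures (DES protects 56 of its 64 key bits, EDE3 168 of 192) and the server-preference rule are assumptions for illustration; real SSL handshakes differ in detail.

```python
# Added example (not code from the post or from Netscape): a toy model of
# SSL cipher negotiation plus the "refuse the crippled 40-bit suites" policy.
# Suite names and the server-preference rule are assumptions.

# name -> (nominal key bits, key bits actually secret against brute force)
# Export suites keep a 128-bit key but only 40 bits are secret (assumption:
# the rest is not protected). DES has 8 parity bits; EDE3 has 24.
SUITES = {
    "RC4-128":  (128, 128),
    "RC4-40":   (128, 40),
    "RC2-128":  (128, 128),
    "RC2-40":   (128, 40),
    "IDEA-128": (128, 128),
    "DES-64":   (64, 56),
    "DES-EDE3": (192, 168),
}

def secret_bits(name):
    """Key bits an attacker must actually search for this suite."""
    return SUITES[name][1]

def export_grade(name):
    """True for the crippled exportable suites (40 secret bits or fewer)."""
    return secret_bits(name) <= 40

def harden(enabled):
    """Server policy from the post: disable the crippled RC4/RC2 methods."""
    return [s for s in enabled if not export_grade(s)]

def negotiate(server_enabled, client_offered):
    """Strongest suite both sides support (server preference by secret bits).
    Returns None when there is no common suite, i.e. the handshake fails."""
    common = [s for s in server_enabled if s in client_offered]
    return max(common, key=secret_bits) if common else None

def brute_force_ratio(strong, weak):
    """How many times larger the keyspace of `strong` is than that of `weak`."""
    return 2 ** (secret_bits(strong) - secret_bits(weak))

# Constructed client profiles: an exportable browser and a domestic one.
EXPORT_CLIENT = ["RC4-40", "RC2-40"]
DOMESTIC_CLIENT = list(SUITES)

if __name__ == "__main__":
    default_server, hardened_server = list(SUITES), harden(list(SUITES))
    for label, client in (("export", EXPORT_CLIENT), ("domestic", DOMESTIC_CLIENT)):
        print(label, "vs default server :", negotiate(default_server, client))
        print(label, "vs hardened server:", negotiate(hardened_server, client))
    print("128-bit vs 40-bit RC4 keyspace ratio: 2^%d" %
          (secret_bits("RC4-128") - secret_bits("RC4-40")))
```

With the hardened server the exportable browser finds no common suite, which is the "you have to get the non-exportable version" trade-off the post mentions.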


