Bugtraq mailing list archives

[Mark (Mookie): Re: SSL message broken]


From: peiterz () BBN COM (Peiter Zatko)
Date: Fri, 18 Aug 1995 12:19:57 EDT


It has been rumored that the domestic version is also currently using
a 40-bit key and that Netscape had mentioned that they _will_ be using the
1024-bit key (implying future tense).

This makes a lot of sense actually as throughput is very important for their
application and the difference between a 40-bit key and 1024-bit key is
substantial.

Can anyone confirm or deny that the current (already released) domestic
versions are using the 40-bit key?

PS In the Wall Street Journal article it is mentioned that 'hackers' do
not have access to the type of computing power that this person had ---
WRONG!

PeiterZ
BBN Systems and Technologies


From: "Mark (Mookie)" <mark () zang com>
Subject:      Re: SSL message broken

Repercussions: Well, let me say this... Actual repercussions are up to
the reader. Wells Fargo has just started allowing account manipulations
via Netscape and a secure server.

There are only limited repercussions; the SSL that was broken was the
40-bit key exportable version that Netscape are forced to sell to non-US
citizens. The domestic version uses 128-bit keys and so is virtually
impossible to break. The real problem is the US ITAR export laws, they
cripple US industry by forcing them to sell inferior products internationally
thus putting them at a large commercial disadvantage.

Normal SSL is fine, the exportable version has been crippled and thus you
are at risk of someone with access to significant computing power. If the
SSL connections were allowed to be conducted with full security then there
would not be a problem.

The Wall Street Journal had an article in the last day or so that explained
the correct situation. It would be good to reference that before trying to
make any policy decisions.

Cheers,
Mark


