1995-08-17 - Re: Phone call for Mr. Doligez, was Re: SSL challenge – broken !

Header Data

From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
To: pcw@access.digex.net
Message Hash: 2df1d3fe210fdcdaded08258694838dbe9b747c4845153b27e1d1b8719da6c45
Message ID: <9508170403.AA20845@pepper.Eng.Sun.COM>
Reply To: N/A
UTC Datetime: 1995-08-17 04:04:04 UTC
Raw Date: Wed, 16 Aug 95 21:04:04 PDT

Raw message

From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
Date: Wed, 16 Aug 95 21:04:04 PDT
To: pcw@access.digex.net
Subject: Re: Phone call for Mr. Doligez, was Re: SSL challenge -- broken !
Message-ID: <9508170403.AA20845@pepper.Eng.Sun.COM>
MIME-Version: 1.0
Content-Type: text/plain


jweis wrote: 
> I have to agree, Netscape may spend some energy to upgrade their 
> encryption, but it really won't buy them all that much.   SSL, to me, is 
> like using a "security envelope" to mail cash or putting the club on your 
> car.  It presents just enough of an obstacle to keep honest people honest.

This is the problem of using "physical" world analogies with the network.
A similar argument that is posited is that "Sure it's not 100% secure but
it's better than the carbons from a receipt (now gone) or people who
don't shred their garbage." I respond that the network isn't the "real"
world so the laws of physics don't apply. Someone in Boston MA is unlikely
to fly into Sunnyvale to paw through my garbage, but it would be "trivial"
for them to see my receipt go flashing by and throw some spare compute
cycles at breaking it. A snooper/cracker program on a "spare" machine
might yield a half dozen credit cards a week. 

I prefer the attitude of better vigilance through layered encryption. That
is, the transaction might be 40-bit RC4 but the "jewels" (otherwise known
as the credit authorization information) should be DES3. 

--Chuck

Just my opinion of course.




