From: John Pettitt <jpp@software.net>
Date: Thu, 17 Aug 95 14:51:28 PDT
To: Damien Doligez <Damien.Doligez@inria.fr>
Subject: Re: SSL challenge -- broken !
In-Reply-To: <9508160842.AA27120@couchey.inria.fr>
Message-ID: <Pine.3.89.9508171031.E16021-0100000@www2.software.net>
MIME-Version: 1.0
Content-Type: text/plain


On Wed, 16 Aug 1995, Damien Doligez wrote:

> SSL challenge -- broken
> 
> Conclusions:
> 
> * Many people have access to the amount of computing power that I used.
>   The exportable SSL protocol is supposed to be weak enough to be
>   easily broken by governments, yet strong enough to resist the attempts
>   of amateurs.

Exactly

>               It fails on the second count.  Don't trust your credit
>   card number to this protocol.

Huh?  So you run on 120 workstations worth how much?  to steal a credit
card number worth how much?  Get real - there are hundreds of ways
to get credit card numbers that cost less.  The idea is to make
breaking SSL less attractive than dumpster diving not to make it
impossible.   I'll lay odds that I could get the credit card number
of *any* individual in the US in less elapsed time and with nothing
more than a $1000 windoze machinei, a telephone and a modem.


John Pettitt
jpp@software.net