1995-08-16 - Re: Phone call for Mr. Doligez, was Re: SSL challenge – broken !

Header Data

From: adam@bwh.harvard.edu (Adam Shostack)
To: pcw@access.digex.net (Peter Wayner)
Message Hash: b4ca0ab43adf54c3a30478db2762d0e69a447b34e2d47be559f6571eb32a39bc
Message ID: <9508162008.AA00722@waller.harvard.edu>
Reply To: <199508161654.MAA25878@access5.digex.net>
UTC Datetime: 1995-08-16 20:10:39 UTC
Raw Date: Wed, 16 Aug 95 13:10:39 PDT

Raw message

From: adam@bwh.harvard.edu (Adam Shostack)
Date: Wed, 16 Aug 95 13:10:39 PDT
To: pcw@access.digex.net (Peter Wayner)
Subject: Re: Phone call for Mr. Doligez, was Re: SSL challenge -- broken !
In-Reply-To: <199508161654.MAA25878@access5.digex.net>
Message-ID: <9508162008.AA00722@waller.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain


Peter Wayner writes:

| I don't think that there is any serious worry for Netscape. Their
| security is fine-- it's just crippled by the US Government. They
| could probably start distributing binary versions of their software
| that used full 128 bit keys in several hours. It's just that the
| Government gets pissed off about these things.

	I'm not sure I trust their security.  I know I have no reason
to; their server comes as 14.9mb of object code.  I know of no vendor
who ships a bug free 14mb product.  (To be more than fair, most of
those binaries are relatively small, on the order of 250k.)  As RTM,
Sr asked, if your programs are buggy, what does that say about their
security?

	(Not that I'm offering up exploits; simply saying that I
suspect there are problems, and that those problems can make whatever
security SSL does or doesn't offer moot).

	The operative question is not one of 'what is the cost of
breaking SSL relative to the financial gain?' but 'what is the cost of
breaking or bypassing SSL relative to the risk involved and the
financial gain?'

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
