From: Joe Buck <jbuck@Synopsys.COM>
To: Damien.Doligez@inria.fr
Message Hash: f6537a2b5d8e29d3ee8a8f6dcb09d5d5147d5a143185e98e3696df4ed9716afe
Message ID: <199508162315.QAA04306@deerslayer.synopsys.com>
Reply To: N/A
UTC Datetime: 1995-08-16 23:15:55 UTC
Raw Date: Wed, 16 Aug 95 16:15:55 PDT
Subject: Re: SSL challenge -- broken !

Congratulations on demonstrating the effort required to break SSL with
a 40-bit key. It seems clearly demonstrated that this is not adequate to
store, say, company-confidential information for communication over
insecure networks, since it seems the average grad student at a large
university could get access to similar computing power that you used
(spare cycles on a hundred workstations or more).

However, I disagree with your conclusion:

> Many people have access to the amount of computing power that I used.
> The exportable SSL protocol is supposed to be weak enough to be
> easily broken by governments, yet strong enough to resist the attempts
> of amateurs. It fails on the second count. Don't trust your credit
> card number to this protocol.

Your credit card number, expiration date, etc., are continually being
revealed to minimum-wage clerks all the time, unless you never use the
card. A chain is only as strong as its weakest link; it makes no sense to
buy an expensive lock when your door has a big enough opening to climb
through. Should some bad person get hold of your card number and misuse
it, you're not out any money: you just tell the card company "I didn't buy
that". Since there's so much tracing in the system, if you buy a physical
something with a stolen credit card number it can usually be traced to you
(who'd they ship the package to?). It's not clear to me that *any*
encryption is really essential if the only purpose is to protect credit
card #'s from snoopers.

There's plenty of stuff that *does* need protection, but I'm not sure
credit card #'s head the list.

Q: Of the 20,000 credit card #'s stolen from Netcom's computer, how many
were used to buy things? Answer: not sure, but expect the answer is "zero".