From: ab411@detroit.freenet.org (David R. Conrad)
Date: Thu, 17 Aug 95 15:34:24 PDT
To: cypherpunks@toad.com
Subject: Re: SSL challenge -- broken !
Message-ID: <199508172234.SAA21241@detroit.freenet.org>
MIME-Version: 1.0
Content-Type: text/plain




John Pettitt <jpp@software.net> writes:
>On Wed, 16 Aug 1995, Damien Doligez wrote:
>>   The exportable SSL protocol is supposed to be weak enough to be
>>   easily broken by governments, yet strong enough to resist the attempts
>>   of amateurs.
>
>Exactly.
>
>>               It fails on the second count.  Don't trust your credit
>>   card number to this protocol.
>
>Huh?  So you run on 120 workstations worth how much?  to steal a credit
>card number worth how much?  Get real - there are hundreds of ways
>to get credit card numbers that cost less.  ...

SSL can of course be used to protect information other than credit card #s.
It is supposed to be strong enough to resist the attempts of amateurs, yet
it was broken not by a government, not by a three letter agency, not by a
major corporation, but by a grad student with a lot of spare cycles.

In other words, it was broken by an amateur.  The real issue is not cc#s,
the real issue is: does it do what it was designed to do (foil amateur
attempts), and the answer is: no, not so long as it is export-restricted
to only 40 secret bits of key.

--
David R. Conrad, ab411@detroit.freenet.org, http://www.grfn.org/~conrad
Finger conrad@grfn.org for PGP 2.6 public key; it's also on my home page
Key fingerprint =  33 12 BC 77 48 81 99 A5  D8 9C 43 16 3C 37 0B 50
Jerry Garcia, August 1, 1942 - August 9, 1995.  Requiescat in pace.