1997-08-27 - Re: Netscape Crypto

Header Data

From: Martin Pool <mbp@pharos.com.au>
To: Jason William RENNIE <jrennie@hardy.ocs.mq.edu.au>
Message Hash: da8de445c755c05427b4252d22dd017aa054569432c0897931c369792128ebc3
Message ID: <Pine.LNX.3.95.970827131327.24686Q-100000@buffalo.pharos.com.au>
Reply To: <Pine.SOL.3.91.970826221440.2575A-100000@hardy>
UTC Datetime: 1997-08-27 03:37:14 UTC
Raw Date: Wed, 27 Aug 1997 11:37:14 +0800

Raw message

From: Martin Pool <mbp@pharos.com.au>
Date: Wed, 27 Aug 1997 11:37:14 +0800
To: Jason William RENNIE <jrennie@hardy.ocs.mq.edu.au>
Subject: Re: Netscape Crypto
In-Reply-To: <Pine.SOL.3.91.970826221440.2575A-100000@hardy>
Message-ID: <Pine.LNX.3.95.970827131327.24686Q-100000@buffalo.pharos.com.au>
MIME-Version: 1.0
Content-Type: text/plain



On Tue, 26 Aug 1997, Jason William RENNIE wrote:

> Does anybody know how strong the export netscape crypto stuff is ??

Netscape3 export version usually uses RC4 with a 40 bit shared key.

> Is the stuff only 40 bit crypto for export ??

Key sizes are not a very meaningful indicator of security, which is a
holistic thing.

> A friend asked me about the secure credit stuff and if netscape was 
> secure for credit cards ?? 

I think that security in that respect probably has much more to do with
the security of the server which receives your information, than with the
cypher used in transit.  Assure yourself that the person you send the
information to is trustworthy and knows how to secure a computer system. 

Even weak HTTPS encryption will make it somewhat difficult for people to
grab your information out of a proxy cache or log and similar trivial
attacks.

> So is the export copy secure ??

Compared to what?  More secure than unencrypted, less secure than
strongly-encrypted. More secure than Internet Explorer, less secure than
Lynx.  Probably.

You'll probably only lose the $50 credit-card excess at most: I'd trust
that to Netscape, if I was sending it to a reputable party.  There's
plenty of information I wouldn't trust to it.

> I presume the non-export wouldn't be too bad.

Doubled punctuation is too bad.

Martin Pool
PGP email preferred





