[434] in cryptography@c2.net mail archive
Proposed High Profile 40 bit awareness attack:
daemon@ATHENA.MIT.EDU (Black Unicorn)
Tue Apr 1 18:01:42 1997
Date: Mon, 31 Mar 1997 13:56:59 -0500 (EST)
From: Black Unicorn <unicorn@schloss.li>
Reply-To: Black Unicorn <unicorn@schloss.li>
To: cryptography@c2.net
cc: Digital Commerce Society of Boston <dcsb@ai.mit.edu>, e$@thumper.vmeng.com

Poking around today I discovered this:

Details for site www.eubank.ag:

  Organisation as given by certificate
    European Union Bank
    St. Johns
    AG
  Common name: wwwsecure.eubank.ag
  Certificate (common name) does not match URL

  HTTPS Server
    Netscape-Commerce/1.12
  Supported SSL ciphers:
    RC4 with MD5 (export version restricted to 40-bit key)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  Certificate Administrative Details
    Valid from:
      Feb 8 00:00:00 1997 GMT
    Valid to:
      Feb 8 23:59:59 1998 GMT
    Serial number:
      0x02
    Certification Authority
      Secure Server Certification Authority
      RSA Data Security, Inc.
      USA

As you can imagine I was a bit surprised to find European Union Bank using
crippled crypto. Particularly given their marketing strategy.

Anyone who wanted to increase awareness abroad and among the online
financial community about ciphers should consider EUB as a target for a
high profile demonstration.

I don't know much about SSL attacks, or even if the key can be isolated,
but if someone wanted to dedicate brute force to a good 40 bit target,
this would be it.

Do be careful. EUB is reputed to have connections to Russian organized
crime.

--
Forward complaints to : European Association of Envelope Manufactures
Finger for Public Key   Gutenbergstrasse 21;Postfach;CH-3001;Bern
Vote Monarchist         Switzerland