[2127] in bugtraq


Re: SSL message broken

daemon@ATHENA.MIT.EDU (Mark (Mookie))
Thu Aug 17 23:11:21 1995

Date:         Thu, 17 Aug 1995 15:19:41 -1000
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: "Mark (Mookie)" <mark@zang.com>
X-To:         BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <199508162124.OAA04184@lupine.org> from "That Whispering Wolf..."
              at Aug 16, 95 02:24:53 pm

>Repercussions: Well, let me say this... Actual repercussions are up to
>the reader. Wells Fargo has just started allowing account manipulations
>via Netscape and a secure server.

There are only limited repercussions; the SSL that was broken was the
40-bit key exportable version that Netscape are forced to sell to non-US
citizens. The domestic version uses 128-bit keys and so is virtually
impossible to break. The real problem is the US ITAR export laws; they
cripple US industry by forcing them to sell inferior products internationally,
thus putting them at a large commercial disadvantage.

Normal SSL is fine; the exportable version has been crippled and thus you
are at risk of someone with access to significant computing power. If the
SSL connections were allowed to be conducted with full security then there
would not be a problem.

The Wall Street Journal had an article in the last day or so that explained
the correct situation. It would be good to reference that before trying to
make any policy decisions.

Cheers,
Mark
