[2142] in bugtraq
Re: SSL message broken
daemon@ATHENA.MIT.EDU (Scott McClung)
Fri Aug 18 18:28:01 1995
Date: Fri, 18 Aug 1995 11:00:57 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Scott McClung <mcclung@nawc690.chinalake.navy.mil>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199508180119.PAA09487@zang.com> from "Mark" at Aug 17, 95 03:19:41 pm
Hi,

> There are only limited repercussions, the SSL that was broken was the 40
> bit key exportable version that NetScape are forced to sell to non US
> citizens. The domestic version uses 128 bit keys and so is virtually
> impossible to break. The real problem is the US ITAR export laws, they
> cripple US industry by forcing them to sell inferior products internationally
> thus putting them at a large commercial disadvantage.
>
> Normal SSL is fine, the exportable version has been crippled and thus you
> are at risk of someone with access to significant computing power. If the
> SSL connections were allowed to be conducted with full security then there
> would not be a problem.

Netsite can be configured to not support the crippled RC4/RC2 methods,
which is the way we've chosen to run it for security reasons. It means
that you have to get the non-exportable version of Netscape, but that's
not really a big deal.

If anyone is interested, Netscape's Commerce Server can be set to use
a combination of the following:

    RC4 (128 bits)
    RC4 (40 bits)
    RC2 (128 bits)
    RC2 (40 bits)
    IDEA (128 bits)
    DES (64 bits)
    DES with EDE 3 (192 bits)

It's implied in the documentation that the client (browser) and server
negotiate an encryption method for a session.

As for which of the non-crippled ciphers are better, I have no idea.
Anyone reading this know what 'DES with EDE 3' is?

Later.
--
/* Scott McClung
* Software Engineer/UNIX System Administrator, SAIC
* mcclung@imt.saic.com
* mcclung@nawc690.chinalake.navy.mil
*/
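
The server setting described in the message (refusing the 40-bit ciphers, so an export browser can no longer connect), as an added example that is not part of the original post and not Netscape's code. It is a simplified negotiation model, not the SSL wire format; the cipher labels, the two client profiles and the pick-the-largest-key rule are assumptions, and the effective key sizes for DES and triple DES (EDE with three keys) are general facts about those algorithms rather than anything stated in the post.

```python
# Simplified model of cipher negotiation (added example, not SSL wire format).
# Names and nominal sizes follow the list in the post; the effective sizes
# are general facts about the algorithms, not taken from the post.
CIPHERS = {
    # label: (nominal bits as listed, effective secret key bits)
    "RC4-128": (128, 128),
    "RC4-40": (40, 40),
    "RC2-128": (128, 128),
    "RC2-40": (40, 40),
    "IDEA-128": (128, 128),
    "DES-64": (64, 56),          # 8 of the 64 key bits are parity
    "DES-EDE3-192": (192, 168),  # three DES keys, 8 parity bits in each
}


def enabled_ciphers(min_effective_bits):
    """Server policy: keep only ciphers whose secret key meets the minimum."""
    return [name for name, (_, eff) in CIPHERS.items()
            if eff >= min_effective_bits]


def negotiate(server_enabled, client_offered):
    """Return the cipher both sides support with the largest effective key,
    or None when there is no overlap (the handshake fails).
    Selecting by key size is an assumption of this model."""
    common = [c for c in client_offered if c in server_enabled]
    if not common:
        return None
    return max(common, key=lambda c: CIPHERS[c][1])


# Constructed client profiles (hypothetical): an export browser only
# implements the 40-bit ciphers, a domestic browser implements more.
EXPORT_CLIENT = ["RC4-40", "RC2-40"]
DOMESTIC_CLIENT = ["RC4-128", "RC4-40", "RC2-128", "RC2-40", "DES-EDE3-192"]

if __name__ == "__main__":
    policies = (("all ciphers", enabled_ciphers(0)),
                ("no 40-bit", enabled_ciphers(41)))
    clients = (("export", EXPORT_CLIENT), ("domestic", DOMESTIC_CLIENT))
    for label, server in policies:
        for who, offered in clients:
            print(f"{label:12} {who:9} -> {negotiate(server, offered)}")
```

Key size alone does not rank the ciphers against each other; the model only shows which sessions a given server policy allows.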