Bank information protected by 40-bit encryption....
If you are the worrying sort (or are looking for a ripe target) point your browser at: https://www.diginsite.com/clients.html
There is a list of 23 Credit Unions - some (or all) of which allow transactions to be done over the net.
A brief once over shows that it requires Netscape 2.0 or better so you will have encryption, but it does not warn you when you are using only a 40-bit session key vs. a 128-bit key. (Netscape wizards - is there a way that the server can detect this so that a warning message could be put up?)
They also have some other information about their security at: http://www.diginsite.com/security/security.html
I think it is GREAT that this kind of functionality is coming. I also think that the pioneers like this had better be prepared to be targets as I am sure they will be.
Dan
------------------------------------------------------------------
Dan Oelke Alcatel Network Systems
droelke@aud.alcatel.com Richardson, TX
Tom Weinstein wrote:
For Netscape servers, you can configure which ciphers you want to use. I'm sure Apache-SSL and most other SSL-capable servers have the same sort of thing. I know that Wells Fargo, at least, requires 128-bit encryption.
Actually I don't think that Wells Fargo requires 128-bit. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
Daniel R. Oelke writes:
If you are the worrying sort (or are looking for a ripe target) point your browser at: https://www.diginsite.com/clients.html
There is a list of 23 Credit Unions - some (or all) of which allow transactions to be done over the net.
A brief once over shows that it requires Netscape 2.0 or better so you will have encryption, but it does not warn you when you are using only a 40-bit session key vs. a 128-bit key. (Netscape wizards - is there a way that the server can detect this so that a warning message could be put up?)
Yes. Netscape servers pass three (additional) environment variables to CGI programs when used with SSL. For a 40-bit invocation, you get:
    HTTPS=ON
    HTTPS_KEYSIZE=128
    HTTPS_SECRETKEYSIZE=40
So, you can distinguish 40- versus 128-bit usage.
-- Jeff
Daniel R. Oelke wrote:
If you are the worrying sort (or are looking for a ripe target) point your browser at: https://www.diginsite.com/clients.html
There is a list of 23 Credit Unions - some (or all) of which allow transactions to be done over the net.
A brief once over shows that it requires Netscape 2.0 or better so you will have encryption, but it does not warn you when you are using only a 40-bit session key vs. a 128-bit key. (Netscape wizards - is there a way that the server can detect this so that a warning message could be put up?)
For Netscape servers, you can configure which ciphers you want to use. I'm sure Apache-SSL and most other SSL-capable servers have the same sort of thing. I know that Wells Fargo, at least, requires 128-bit encryption. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw@netscape.com
For Netscape servers, you can configure which ciphers you want to use. I'm sure Apache-SSL and most other SSL-capable servers have the same sort of thing. I know that Wells Fargo, at least, requires 128-bit encryption.
(Yeah, Apache-SSL lets you do that too) Uh, but Wells Fargo doesn't. Just the other day I used Netscape 1.x international (i.e. 8cent RC4) to get my bank balances from Wells Fargo. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer@c2.net
sameer@c2.org wrote:
For Netscape servers, you can configure which ciphers you want to use. I'm sure Apache-SSL and most other SSL-capable servers have the same sort of thing. I know that Wells Fargo, at least, requires 128-bit encryption.
(Yeah, Apache-SSL lets you do that too)
Uh, but Wells Fargo doesn't. Just the other day I used Netscape 1.x international (i.e. 8cent RC4) to get my bank balances from Wells Fargo.
Can you transfer money or just check balances? I'm pretty sure that they won't let you perform transactions unless you're using Netscape 2.0 with 128-bit encryption. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw@netscape.com
Can you transfer money or just check balances? I'm pretty sure that they won't let you perform transactions unless you're using Netscape 2.0 with 128-bit encryption.
I was unaware that Wells Fargo let you transfer money with the web. I only checked my balance. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer@c2.net
sameer@c2.org wrote:
Can you transfer money or just check balances? I'm pretty sure that they won't let you perform transactions unless you're using Netscape 2.0 with 128-bit encryption.
I was unaware that Wells Fargo let you transfer money with the web. I only checked my balance.
Sorry, I think I was hallucinating or something. You're right, they don't require 128-bit encryption and they only let you query your balance. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw@netscape.com
On Wed, 10 Apr 1996, Tom Weinstein wrote:
Sorry, I think I was hallucinating or something. You're right, they don't require 128-bit encryption and they only let you query your balance.
Are there any banks besides SFNB then that use weak 40-bit encryption for anything more than balance queries or transaction history, and allow to make real transactions on-line? I know Merita in Finland allows bank transactions using 40-bit RC4, but they also use one-time passwords (every user gets a printed list with 40 or so password pairs, each of which you can use just once). Juri Kaljundi jk@digit.ee
On Thu, 11 Apr 1996, Jüri Kaljundi wrote:
On Wed, 10 Apr 1996, Tom Weinstein wrote:
Sorry, I think I was hallucinating or something. You're right, they don't require 128-bit encryption and they only let you query your balance.
Are there any banks besides SFNB then that use weak 40-bit encryption for anything more than balance queries or transaction history, and allow to make real transactions on-line?
I know Merita in Finland allows bank transactions using 40-bit RC4, but they also use one-time passwords (every user gets a printed list with 40 or so password pairs, each of which you can use just once).
Juri Kaljundi jk@digit.ee
--- My preferred and soon to be permanent e-mail address:unicorn@schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Daniel R. Oelke wrote:
A brief once over shows that it requires Netscape 2.0 or better so you will have encryption, but it does not warn you when you are using only a 40-bit session key vs. a 128-bit key. (Netscape wizards - is there a way that the server can detect this so that a warning message could be put up?)
There is an environment variable called HTTPS_KEYSIZE that is passed to cgi's by the HTTP server. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
There is an environment variable called HTTPS_KEYSIZE that is passed to cgi's by the HTTP server.
HTTPS_SECRETKEYSIZE is the one you need to watch. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.net/ (or login as "guest") sameer@c2.net
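Added example, not part of the original thread or any poster's code: a CGI-side check built on the variables Jeff Barber lists and the point that HTTPS_SECRETKEYSIZE, not HTTPS_KEYSIZE, separates a 40-bit export session from a 128-bit one. The 128-bit threshold, the balance/transfer policy, the use of QUERY_STRING as the action and the full-strength sample values are assumptions of this example.

```python
import os

MIN_SECRET_BITS = 128  # assumed policy threshold, not from the thread

# Values quoted in the thread for a 40-bit (export) session.
EXPORT_SESSION = {"HTTPS": "ON", "HTTPS_KEYSIZE": "128", "HTTPS_SECRETKEYSIZE": "40"}
# Constructed: what a full-strength session is assumed to report.
DOMESTIC_SESSION = {"HTTPS": "ON", "HTTPS_KEYSIZE": "128", "HTTPS_SECRETKEYSIZE": "128"}


def secret_bits(env):
    """Effective secret key bits, or 0 if not SSL or the value is unusable."""
    if env.get("HTTPS", "").upper() != "ON":
        return 0
    try:
        return max(int(env.get("HTTPS_SECRETKEYSIZE", "0")), 0)
    except ValueError:
        return 0  # fail closed on a missing or malformed value


def naive_is_strong(env):
    """The mistaken check: HTTPS_KEYSIZE is 128 even for export ciphers."""
    return env.get("HTTPS_KEYSIZE") == "128"


def decide(env, action):
    """Return 'allow', 'warn' or 'deny' for action 'balance' or 'transfer'."""
    if secret_bits(env) >= MIN_SECRET_BITS:
        return "allow"
    if action == "balance" and secret_bits(env) > 0:
        return "warn"   # read-only page served with a weak-key notice
    return "deny"       # plaintext, unknown strength, or a weak-key transfer


def cgi_response(env, action):
    """Build the CGI output (headers, blank line, body) for the decision."""
    verdict = decide(env, action)
    if verdict == "deny":
        return ("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                "This operation requires a 128-bit SSL session.\r\n")
    body = "OK: %s\r\n" % action
    if verdict == "warn":
        body = ("WARNING: session uses only %d secret key bits.\r\n"
                % secret_bits(env)) + body
    return "Content-Type: text/plain\r\n\r\n" + body


if __name__ == "__main__":
    # QUERY_STRING as the action selector is an assumption of this example.
    print(cgi_response(os.environ, os.environ.get("QUERY_STRING") or "balance"), end="")
```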
participants (7)
- Black Unicorn
- droelke@rdxsunhost.aud.alcatel.com
- Jeff Barber
- Jeff Weinstein
- Jüri Kaljundi
- sameer@c2.org
- Tom Weinstein