Re: SSL challenge -- broken !
John Pettitt <jpp@software.net> writes:
On Wed, 16 Aug 1995, Damien Doligez wrote:
The exportable SSL protocol is supposed to be weak enough to be easily broken by governments, yet strong enough to resist the attempts of amateurs.
Exactly.
It fails on the second count. Don't trust your credit card number to this protocol.
Huh? So you run on 120 workstations worth how much? to steal a credit card number worth how much? Get real - there are hundreds of ways to get credit card numbers that cost less. ...
SSL can of course be used to protect information other than credit card #s. It is supposed to be strong enough to resist the attempts of amateurs, yet it was broken not by a government, not by a three letter agency, not by a major corporation, but by a grad student with a lot of spare cycles. In other words, it was broken by an amateur.

The real issue is not cc#s, the real issue is: does it do what it was designed to do (foil amateur attempts), and the answer is: no, not so long as it is export-restricted to only 40 secret bits of key.

-- David R. Conrad, ab411@detroit.freenet.org, http://www.grfn.org/~conrad
Finger conrad@grfn.org for PGP 2.6 public key; it's also on my home page
Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50
Jerry Garcia, August 1, 1942 - August 9, 1995. Requiescat in pace.