CDR: Re: Re: Lions and Tigers and Backdoors, oh, my...

Neil Johnson njohnson at interl.net
Wed Sep 27 20:28:33 PDT 2000


Capturing and analyzing the traffic between the browser session and the bank
would be a good place to start.

I believe there is a tool for Windoze that will let you packet sniff (even a
PPP connection).

<Conspiracy theory mode=OFF>

My employer blocks certain versions of browsers from going through our
firewall because of reported security vulnerabilities. Yeah, I know it's
easy to spoof, but it ensures that our "less sophisticated" users upgrade.

The bank may have been concerned about a security problem in the version of
the browser you were using.

<Conspiracy theory mode=ON>

Then again, they could have just said that, I guess (unless they were doing
the "security through obscurity" bit).

You could try getting the source for Mozilla, verifying it, compiling it,
and then trying to access your bank.

Neil M. Johnson
njohnson at interl.net
http://www.interl.net/~njohnson
PGP Key Finger Print: 93C0 793F B66E A0C7  CEEA 3E92 6B99 2DCC

----- Original Message -----
From: <brflgnk at cotse.com>
To: <cypherpunks at einstein.ssz.com>
Sent: Wednesday, September 27, 2000 9:31 PM
Subject: CDR: Re: Lions and Tigers and Backdoors, oh, my...


> The words of Steve Furlong:
> -- begin quote --
> I've been trying to find evidence of this, too. I've sent messages to
> self from several versions of Netscape Messenger on Windows and FreeBSD,
> then examined the headers.
> -- end quote --
>
> You're looking in the wrong place.  The "help fields" would be somewhere in the
> SSL tunnel setup.  That's where the Wells Fargo case came to light.  Suddenly
> one day, the banking site required me to "upgrade" my browser, allegedly because
> of an expired certificate.  As others have mentioned, simply upgrading the cert
> itself didn't satisfy the site.
>
> So ostensibly, the NSA, et al, have a bit of assistance in cracking the 128-bit
> SSL session.  You may recall a few years ago when the information lifetime of
> 40-bit SSL fell somewhere below 3 hours, given access to enough parallel CPU
> (like a college workstation farm).  Moore's Law hasn't slowed down.  I'd be
> surprised if 40-bit could stand much more than an hour of dedicated attack
> today, if even that.  And these rumored "help fields" could easily reduce the
> keyspace far below 40 bits, if they don't simply expose the whole key to a
> knowledgeable eavesdropper.
>
> "They" don't care much about your email... "they" want your bank balance and
> credit card numbers.
>




