CDR: Re: Lions and Tigers and Backdoors, oh, my...

brflgnk at cotse.com brflgnk at cotse.com
Wed Sep 27 19:31:35 PDT 2000


The words of Steve Furlong:
-- begin quote --
I've been trying to find evidence of this, too. I've sent messages to
self from several versions of Netscape Messenger on Windows and FreeBSD,
then examined the headers.
-- end quote --

You're looking in the wrong place.  The "help fields" would be somewhere in the 
SSL tunnel setup.  That's where the Wells Fargo case came to light.  Suddenly 
one day, the banking site required me to "upgrade" my browser, allegedly because 
of an expired certificate.  As others have mentioned, simply upgrading the cert 
itself didn't satisfy the site.

So ostensibly, the NSA, et al, have a bit of assistance in cracking the 128-bit 
SSL session.  You may recall a few years ago when the information lifetime of 
40-bit SSL fell somewhere below 3 hours, given access to enough parallel CPU 
(like a college workstation farm).  Moore's Law hasn't slowed down.  I'd be 
surprised if 40-bit could stand much more than an hour of dedicated attack 
today, if even that.  And these rumored "help fields" could easily reduce the 
keyspace far below 40 bits, if they don't simply expose the whole key to a 
knowledgable eavesdropper.

"They" don't care much about your email... "they" want your bank balance and 
credit card numbers.





More information about the cypherpunks-legacy mailing list