ANZ, was Re: [plug] Star Office and 5.1 and the registration

Christian christian at global.net.au
Fri Jun 4 18:11:27 WST 1999


Trevor Phillips wrote:
> 
> Christian wrote:
> >
> > Bret was telling me that they it through a page served from an
> > SSL-enabled web server and also showed me some emails from the ANZ staff
> > who were telling him that it was using 128 bit encryption, despite the
> > fact that International browsers only do 40-bit.  Can anyone suggest a
> > reason for this anomaly? (other than the ANZ staff are clueless/lying
> > which hopefully is not the case).
> 
> Westpac/Challenge also use Web-forms and claim they have 128 bit
> encryption, and went on like they had a very special Server certificate
> to do it. I'm not sure if this means the browser is happy with it that
> way, but from what I've seen, they don't use Java or even Javascript
> (maybe a little). All in all a nice clean-cut system. This is mostly
> second-hand; it's my Wife who uses it a lot. ^_^

If you send sensitive data (i.e., banking details, PINs etc.) across a
link from your computer to their computer then something on your
computer must encrypt the data.  Since most people have International
browsers (max key length of 40 bits for symmetric ciphers) then this
will be encrypted with the appropriate cipher (usually RC4 I believe)
with the key length as agreed (has to be 40 since the browser can't do
any higher) and sent across the link.  As most people know, 40 bits is
fairly weak encryption.  This still goes back to my (and Bret's)
original question: if the browser can only do 40 bit encryption, how can
these banks claim that the link is 128-bit secure?

Regards,

Christian.

-- 
========================================================================
I'm not trying to give users what they want, I'm trying to give them
freedom, which they can then accept or reject. If people don't want
freedom, they may be out of luck with me, but I won't allow them to 
define for me what is right, what is worth spending my life for.
                                                    - Richard Stallman
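
The key-length agreement described in the message above, as an added example that is not part of the original post: a server chooses a cipher suite from the list the browser offers in its ClientHello, so a browser that offers only 40-bit export suites ends up with a 40-bit session whatever the server supports. The suite ids are the SSL 3.0 code points; the browser offers, the server preference list and the server-preference selection rule are assumptions constructed for the illustration.

```python
import struct

# SSL 3.0 cipher suite code points -> (name, secret key bits)
SUITES = {
    0x0003: ("RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0004: ("RSA_WITH_RC4_128_MD5", 128),
    0x0005: ("RSA_WITH_RC4_128_SHA", 128),
    0x0006: ("RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40),
    0x0009: ("RSA_WITH_DES_CBC_SHA", 56),
}

def encode_suite_list(ids):
    """Build a ClientHello cipher_suites vector: 2-byte length, then 2-byte ids."""
    return struct.pack("!H", 2 * len(ids)) + b"".join(struct.pack("!H", i) for i in ids)

def parse_suite_list(raw):
    """Decode a cipher_suites vector, rejecting truncated or odd-length input."""
    if len(raw) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack("!H", raw[:2])
    body = raw[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]

def negotiate(client_raw, server_preference):
    """Return (name, bits) of the suite the server selects, or None if none is shared."""
    offered = parse_suite_list(client_raw)
    # Assumption: the server walks its own preference list, strongest first.
    for suite in server_preference:
        if suite in offered and suite in SUITES:
            return SUITES[suite]
    return None  # handshake would fail: no common suite

# Constructed sample offers (not captured traffic).
EXPORT_BROWSER = encode_suite_list([0x0003, 0x0006])
DOMESTIC_BROWSER = encode_suite_list([0x0004, 0x0005, 0x0009, 0x0003, 0x0006])
BANK_SERVER = [0x0005, 0x0004, 0x0009, 0x0003, 0x0006]  # hypothetical server config

if __name__ == "__main__":
    for label, hello in (("export browser", EXPORT_BROWSER),
                         ("domestic browser", DOMESTIC_BROWSER)):
        print(label, "->", negotiate(hello, BANK_SERVER))
```

The selected suite, not the strongest one the server is able to offer, sets the key length of a given session.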

