SSL, banks, was Re: [plug] StarOffice

Peter Wright pete at cygnus.uwa.edu.au
Tue Jun 27 17:55:31 WST 2000


On Tue, Jun 27, 2000 at 05:39:19PM +0800, Mike Holland wrote:
> On Tue, 27 Jun 2000, Darrell Horrocks wrote:
> > Linux) but <RANT> neglects to mention to the general user (under
> > FAQ or elsewhere) that the standard international browser only
> > supports 64 bit encryption.
> 
> Not quite true. Some exceptions are allowed, such as banks.
> And I think you meant 40 bit, not 64.
[ snip ]
> fortify makes no difference to the bank site. They are 128 bit.

The bank exception is still for what _they're_ using at _their_ end. If
the user only has a 40-bit-capable SSL browser, then the communication
should be only 40-bit SSL'ed.

What I think Darrell meant to RANT about is that the banks don't
mention that while they (the banks) may have a 128-bit encryption
capable server, the odds are that the browser you're using is only
capable of 40-bit, i.e. they should be doing something like showing a
list: "These are the browsers that are capable of 128-bit SSL
encryption <list1>.  These are the ones that are not <list2>. For
maximum security with your internet banking, please use a browser from
the first group."

It would also be more responsible of the banks (don't know if this is
actually a hack possible with SSL though) to display a warning message
saying, e.g.: "It appears that your browser is only capable of 40-bit
encryption, which can be broken by an ordinary PC in a day or two. Do
you wish to continue at this relatively low level of security?"

> regards,
> Mike Holland  <mike at golden.wattle.id.au>

Pete.
-- 
http://cygnus.uwa.edu.au/~pete/

--
hundred-and-one symptoms of being an internet addict:
204. You're being audited because you mailed your tax return to the IRC.
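
The server-side warning discussed in the message above is feasible because the server knows which cipher was negotiated for each session. The following is an added example, not part of the original message: it assumes a web server that exports mod_ssl-style variables (`HTTPS`, `SSL_CIPHER`, `SSL_CIPHER_USEKEYSIZE`, `SSL_CIPHER_EXPORT`) to the application, and `assess_session` and `WARN_BELOW_BITS` are hypothetical names.

```python
# Added example: decide whether to warn about a weak negotiated SSL cipher.
# Assumes mod_ssl-style CGI variables are present in the request environment.

WARN_BELOW_BITS = 128  # assumed policy threshold, from the thread's 128-bit figure


def assess_session(environ):
    """Return (status, bits, message); status is not-ssl, unknown, weak or ok."""
    if environ.get("HTTPS", "").lower() != "on":
        return ("not-ssl", None, "This connection is not encrypted.")

    cipher = environ.get("SSL_CIPHER", "unknown cipher")
    try:
        bits = int(environ.get("SSL_CIPHER_USEKEYSIZE", ""))
    except ValueError:
        # Fail closed: without a usable key size we cannot call the session strong.
        return ("unknown", None,
                "Could not determine encryption strength (%s)." % cipher)

    # Export-grade suites use fewer secret bits than the algorithm's nominal
    # size, so the *used* key size matters, not SSL_CIPHER_ALGKEYSIZE.
    exported = environ.get("SSL_CIPHER_EXPORT", "false").lower() == "true"
    if bits < WARN_BELOW_BITS or exported:
        return ("weak", bits,
                "It appears that your browser negotiated only %d-bit encryption "
                "(%s). Do you wish to continue at this relatively low level of "
                "security?" % (bits, cipher))
    return ("ok", bits, "Connection uses %d-bit encryption (%s)." % (bits, cipher))


# Constructed sample environments (not captured from a real server).
EXPORT_BROWSER = {"HTTPS": "on", "SSL_CIPHER": "EXP-RC4-MD5",
                  "SSL_CIPHER_USEKEYSIZE": "40", "SSL_CIPHER_ALGKEYSIZE": "128",
                  "SSL_CIPHER_EXPORT": "true"}
STRONG_BROWSER = {"HTTPS": "on", "SSL_CIPHER": "RC4-MD5",
                  "SSL_CIPHER_USEKEYSIZE": "128", "SSL_CIPHER_ALGKEYSIZE": "128",
                  "SSL_CIPHER_EXPORT": "false"}

if __name__ == "__main__":
    for env in (EXPORT_BROWSER, STRONG_BROWSER, {"HTTPS": "on"}, {}):
        print(assess_session(env))
```

The "weak" result is what a login page would use to show the confirmation prompt before continuing.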



