SSL, banks, was Re: [plug] StarOffice

Peter Wright pete at cygnus.uwa.edu.au
Tue Jun 27 23:03:31 WST 2000


On Tue, Jun 27, 2000 at 09:37:45PM +0800, Mike Holland wrote:
> On Tue, 27 Jun 2000, Peter Wright wrote:
> > The bank exception is still for what _they're_ using at _their_
> > end. If
> 
> Pete, sorry but where did you get this idea?
> The banks have site certificates that enable 128-bit encryption on
> _your_ browser. Banks _always_ use 128 bit encryption with web
> browsers, or none. Never 40 bit AFAIK.

D'oh!

*open mouth*

*remove foot from mouth*

*close mouth*

Sorry, pardon me. I'll try to find out something about what I'm
talking about before going off like that again :).


I think I got the idea from stuff that I read... must have been at
least a year or two ago... which referred to US export restrictions on
cryptography, mentioned the 40-bit limitation on exportable
cryptographic software, but explained that there was a specific
exception for the banking industry. Wasn't too clear on how this
exception would be policed - wasn't really too clear on exactly what
the "exception" meant, but anyway.

I'd actually been under the impression that the 40-bit encryption
limitation was built into the "international" versions of Netscape/MS/
etc. browsers (though you explain this below) - so that 40-bit was all
they could do under any circumstances, while more secure encryption
was built into the non-export versions. I recall reading a story back
just after Netscape opensourced their browser, starting the Mozilla
project, mentioning that a handful of guys (in Queensland, I think)
had taken the Mozilla source and built strong cryptography back into
it, releasing the result under the name "Cryptozilla". The story was
presented both as an example of the power of open source and as a bit
of an "up yours" to the US crypto-control ethos.

> > the user only has a 40-bit-capable SSL browser, then the
> > communication should be only 40-bit SSL'ed.
> 
> The export versions were 128 bit "capable" - that's why Fortify
> could exist. They were just crippled to normally use 40-bit.

Aha. Wonder exactly how they were crippled? *looks thoughtful* In any
case, thank you for explaining that. That makes a lot more sense.

Anyway, it appears I've at the very least completely misunderstood
exactly how the hell SSL and server certificates work.  Will have to
have a read and update my understanding of SSL and related crypto
stuff once I've got a bit of time (which should be in about 24 hours,
woohoo! last day of contract tomorrow! *happy dance*)

> Check the netscape docs, e.g. http://home.netscape.com/security/index.html
> 
>            online merchants, banks, healthcare, and insurance
>            companies and overseas subsidiaries of U.S. corporations
>            can use 128-bit server certificates to enable strong
>            encryption for all of their customers who use either the
>            domestic or export version of the latest leading browsers
> 
> Commbank say "Obtain the very latest Java Virtual Machine available
> for your OS." but the site seems to work fine with java disabled.

Oh well, but the important thing is that you've _obtained_ the latest.... :)

> Mike Holland  <mike at golden.wattle.id.au>

Pete.
-- 
http://cygnus.uwa.edu.au/~pete/

--
hundred-and-one symptoms of being an internet addict:
205. You're constantly yelling at your spouse, family, roommate, whatever,
     for using the phone for stupid things...like talking.
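Added here as an illustration, not part of Pete's or Mike's mail: a small Python model of the point above, that an export browser offered its 40-bit suites first but remained 128-bit capable, so a server that refuses export-grade suites still ends up negotiating 128-bit with it. The cipher suite IDs are the SSL 3.0/TLS 1.0 values; the ClientHello fragment and the server preference lists are constructed for the example.

```python
"""Model of SSL/TLS cipher suite negotiation between an export-grade browser
and a server, to show why server policy decides whether 40-bit gets used."""
import struct

# 40-bit export suites: the "crippled" defaults of export browsers.
EXPORT_40BIT = {
    0x0003: "RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# 128-bit (or stronger) suites the same browsers were still capable of.
STRONG = {
    0x0004: "RSA_WITH_RC4_128_MD5",
    0x0005: "RSA_WITH_RC4_128_SHA",
    0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
}

# Constructed ClientHello cipher_suites vector: 2-byte length, then 2-byte
# suite IDs, with the export suites listed first as a crippled browser would.
CLIENT_HELLO_SUITES = b"\x00\x0c\x00\x03\x00\x06\x00\x08\x00\x04\x00\x05\x00\x0a"

def parse_cipher_suites(blob: bytes) -> list:
    """Decode a TLS cipher_suites vector into a list of suite IDs."""
    (length,) = struct.unpack("!H", blob[:2])
    if length % 2 or len(blob) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack("!%dH" % (length // 2), blob[2:2 + length]))

def is_export(suite: int) -> bool:
    return suite in EXPORT_40BIT

def negotiate(client_suites, server_prefs):
    """Server picks the first suite in its own preference order that the
    client also offered; None means the handshake fails."""
    offered = set(client_suites)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None

def audit(client_suites, server_prefs):
    """Report the negotiated suite and whether it is export-grade."""
    chosen = negotiate(client_suites, server_prefs)
    if chosen is None:
        return {"suite": None, "export": None, "verdict": "handshake failure"}
    name = EXPORT_40BIT.get(chosen) or STRONG.get(chosen) or "unknown"
    weak = is_export(chosen)
    return {"suite": name, "export": weak,
            "verdict": "weak (40-bit)" if weak else "strong"}

if __name__ == "__main__":
    client = parse_cipher_suites(CLIENT_HELLO_SUITES)
    print(audit(client, client))                    # server mirrors client order: 40-bit
    print(audit(client, [0x000A, 0x0005, 0x0004]))  # strong-only server: 128-bit
```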
