[ILUG] [ot] secure sites
Paul Kelly
longword at esatclear.ie
Thu Nov 1 16:05:14 GMT 2001

Fergal Daly wrote:
> Also, a "secure" site whose key length is too short should probably also be
> considered insecure. Mozilla can be set to warn about this but I don't think
> any other browser makes a distinction between 128 bit and 48 bit (or is it
> 56?) security,

The symmetric cipher used is typically 40-bit "export grade" or 128-bit
RC4. 56-bit DES, 168-bit (112 effective) 3DES, and 40/128-bit RC2 are
also options.

You should be aware that when you use 128-bit encryption with Netscape
or Internet Explorer, 88 bits (and possibly all 128 bits depending on
who you believe) of that key are additionally transmitted encrypted with
the NSA's public key such that if the NSA are listening/recording they
don't have to go breaking strong encryption. In the unlikely event
someone gets hold of the NSA's private key to match, we're screwed. I
don't know what Mozilla's position is on that, but given its Open Source

Whilst other browsers might not be able to warn about weak encryption,
you can configure them to disable the low security ciphers. At least you
can in Netscape.

Paul.
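
A present-day way to apply two points from the message above (nominal versus effective key length, and switching off low-security ciphers on the client), as an added example that is not part of the original post. Python's `ssl` module stands in for the browser settings; the 128-bit threshold, the function names and the sample list are assumptions.

```python
import ssl

MIN_BITS = 128  # assumed policy threshold; the post does not set one

# Constructed sample shaped like SSLContext.get_ciphers() entries.
# alg_bits is the nominal key size, strength_bits the effective strength;
# bit counts follow the figures in the post, AES128-SHA is added for contrast.
LEGACY_SAMPLE = [
    {"name": "EXP-RC4-MD5", "alg_bits": 128, "strength_bits": 40},
    {"name": "DES-CBC-SHA", "alg_bits": 56, "strength_bits": 56},
    {"name": "DES-CBC3-SHA", "alg_bits": 168, "strength_bits": 112},
    {"name": "RC4-MD5", "alg_bits": 128, "strength_bits": 128},
    {"name": "AES128-SHA", "alg_bits": 128, "strength_bits": 128},
]


def weak_ciphers(ciphers, min_bits=MIN_BITS):
    """Return (name, nominal_bits, effective_bits) for suites below policy."""
    flagged = []
    for c in ciphers:
        # Judge by effective strength, not the advertised key size.
        # RC4 is also flagged by name: RFC 7465 prohibits it in TLS
        # whatever the key length.
        if c["strength_bits"] < min_bits or "RC4" in c["name"]:
            flagged.append((c["name"], c["alg_bits"], c["strength_bits"]))
    return flagged


def strong_client_context():
    """Client context with the low-security ciphers switched off."""
    ctx = ssl.create_default_context()
    # OpenSSL cipher string: keep HIGH, drop unauthenticated, null,
    # 3DES and RC4 suites.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!3DES:!RC4")
    return ctx


if __name__ == "__main__":
    for name, nominal, effective in weak_ciphers(LEGACY_SAMPLE):
        print(f"weak: {name} nominal={nominal} effective={effective}")
    leftover = weak_ciphers(strong_client_context().get_ciphers())
    print("weak suites still enabled locally:", leftover)
```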