Fergal Daly wrote:
> Also, a "secure" site whose key length is too short should probably also be
> considered insecure. Mozilla can be set to warn about this but I don't think
> any other browser makes a distinction between 128 bit and 48 bit (or is it
> 56?) security,

The symmetric cipher used is typically 40-bit "export grade" or 128-bit
RC4. 56-bit DES, 168-bit (112 effective) 3DES, and 40/128-bit RC2 are
also options.

You should be aware that when you use 128-bit encryption with Netscape
or Internet Explorer, 88 bits (and possibly all 128 bits depending on
who you believe) of that key are additionally transmitted encrypted with
the NSA's public key such that if the NSA are listening/recording they
don't have to go breaking strong encryption. In the unlikely event
someone gets hold of the NSA's private key to match, we're screwed. I
don't know what Mozilla's position is on that, but given its Open Source

Whilst other browsers might not be able to warn about weak encryption,
you can configure them to disable the low security ciphers. At least you
can in Netscape.

Paul.
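
Added example, not part of the original message: a key-length audit of a cipher list in Python, flagging suites by effective rather than nominal strength (the 3DES and export-grade cases mentioned above) and checking a client context after weak suites are disabled. The 128-bit threshold, the sample entries and the function names are assumptions made for illustration.

```python
import ssl

MIN_BITS = 128  # assumed policy threshold, not a figure from the thread

# Constructed sample in the shape of ssl.SSLContext.get_ciphers() entries.
# strength_bits is the effective key strength, alg_bits the nominal key size.
SAMPLE = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40, "alg_bits": 128},
    {"name": "DES-CBC-SHA", "strength_bits": 56, "alg_bits": 56},
    {"name": "DES-CBC3-SHA", "strength_bits": 112, "alg_bits": 168},
    {"name": "RC4-MD5", "strength_bits": 128, "alg_bits": 128},
]


def weak_ciphers(ciphers, min_bits=MIN_BITS):
    """Return (name, effective, nominal) for suites below min_bits.

    Only key length is judged here, as in the thread; a suite that
    passes this check can still be unsuitable for other reasons.
    """
    return [
        (c["name"], c["strength_bits"], c["alg_bits"])
        for c in ciphers
        if c["strength_bits"] < min_bits
    ]


def hardened_context():
    """Client context restricted to OpenSSL's HIGH class, minus
    unauthenticated, unencrypted and 3DES suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!3DES")
    return ctx


if __name__ == "__main__":
    for name, eff, nominal in weak_ciphers(SAMPLE):
        print(f"weak: {name} effective={eff} nominal={nominal}")
    leftover = weak_ciphers(hardened_context().get_ciphers())
    print("weak suites still enabled after hardening:", leftover)
```
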