
Re: Java and trojans: any last words before Netscape 2.0 is out?




On Tue, 19 Sep 1995, Clever Staff wrote:

> Pretty good. "A kid with a super computer cracked SSL" Does that mean the 
> same kid can send a trojan too? The idea is it's either mostly secure or 
> not. I'd rather not risk my system to mostly secure. Java/ssl etc. 
> Silly me.

Is that in quotes to warn of its falsity? No kid with a super computer 
cracked SSL; nobody cracked SSL at all.  A 40 bit key was broken by brute 
force using a group of workstations, and a flaw in the random number 
generation was exploited by two grad students to break keys of any size 
very quickly.  The first was a result of US export laws, the second of 
poor implementation by Netscape, and neither reflects on the security of 
SSL at all.

You risk your system in ten dozen ways you haven't even thought of, every 
day of the year.  This sort of random handwaving tossing together SSL 
implementation flaws, Java, and the mythical concept of a completely 
secure system is not helping anyone.  Silly you.

--
Paul Phillips                                 | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net>                   |  have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>      |  -- Canter and Siegel, on
<URL:pots://+1-619-558-3789/is/paul/there?>   |  their short-lived web site


