
Re: Java and trojans: any last words before Netscape 2.0 is out?




On Tue, 19 Sep 1995, Clever Staff wrote:

> Pretty good. "A kid with a super computer cracked SSL" Does that mean the
> same kid can send a trojan too? The idea is it's either mostly secure or
> not. I'd rather not risk my system to mostly secure. Java/ssl etc.
> Silly me.

Is that in quotes to warn of its falsity? No kid with a super computer
cracked SSL; nobody cracked SSL at all.  A 40 bit key was broken by brute
force using a group of workstations, and a flaw in the random number
generation was exploited by two grad students to break keys of any size
very quickly.  The first was a result of US export laws, the second of
poor implementation by Netscape, and neither reflects on the security of
SSL at all.

You risk your system in ten dozen ways you haven't even thought of, every
day of the year.  This sort of random handwaving tossing together SSL
implementation flaws, Java, and the mythical concept of a completely
secure system is not helping anyone.  Silly you.

--
Paul Phillips                                 | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net>                   |  have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>      |  -- Canter and Siegel, on
<URL:pots://+1-619-558-3789/is/paul/there?>   |  their short-lived web site