[2581] in cryptography@c2.net mail archive
safety of SSL 2?
daemon@ATHENA.MIT.EDU (Rodney Thayer)
Sun Apr 26 23:10:21 1998
Date: Sat, 25 Apr 1998 11:09:28 -0400
To: cryptography@c2.net
From: Rodney Thayer <rodney@sabletech.com>
I recently ran across a web site that used SSL 2 for security. Now I
wouldn't have noticed of course if I hadn't carefully disable that in
Netscape. How (in)secure is SSL 2, in reality? I realize 'we' (the loud
characters in the crypto implementor space) consider it rather unsafe, but
what does, or, should that translate to in The Real World? Should Verisign
stop supporting sites that use it, for example? Should there be cert
advisories on it? Has anyone been sued for using it, sort of like an
exploding pickup truck gas tank? I mean, hey, this is 1998, DES has been
cracked twice and we're two generations of TCP-based crypto beyond SSL 2...
