[2588] in cryptography@c2.net mail archive
Re: safety of SSL 2?
daemon@ATHENA.MIT.EDU (Rick Smith)
Tue Apr 28 00:22:16 1998
In-Reply-To: <3.0.3.32.19980425110928.038b829c@pop.pn.com>
Date: Mon, 27 Apr 1998 10:23:31 -0500
To: Rodney Thayer <rodney@sabletech.com>, cryptography@c2.net
From: Rick Smith <rick_smith@securecomputing.com>
At 11:09 AM -0400 4/25/98, Rodney Thayer wrote:
>I recently ran across a web site that used SSL 2 for security. Now I
>wouldn't have noticed, of course, if I hadn't carefully disabled that in
>Netscape. How (in)secure is SSL 2, in reality? I realize 'we' (the loud
>characters in the crypto implementor space) consider it rather unsafe, but
>what does, or should, that translate to in The Real World?
The Real World has a *huge* tolerance for lax security. Announcements of
Netscape security problems occurred during a run-up of their stock price,
and the stock price was barely affected.
There are several problems with SSL 2, but my "favorite" is the use of the
same crypto key for both encryption and integrity protection. So if you're
talking in "international" mode with 40 bit keys, you face an integrity
risk as well as a disclosure risk, assuming the adversary has some really,
really serious computing power available for real time cracking. This
should still be safe enough for commercial credit card transactions, but
it's probably not safe enough for significant, irreversible transactions
("launch nukes").
> Should Verisign
>stop supporting sites that use it, for example?
Verisign is running a *huge* annual loss and they can't afford to discard
part of their customer base. People have invested lots of money in the
notion that crypto can make things better. If they fail to make money
because a particular product isn't perfect (hey, it never will be) then the
basic technology will be blamed, and not the subtle features of the crypto.
Look at what's happening with e-cash.
> Should there be cert advisories on it?
The SSL3 spec has a nice summary of the bad things. I also summarized them
in "Internet Cryptography." I doubt CERT will issue anything until someone
produces a cracking script that bad guys can use successfully. As far as
I've heard, existing cracking scripts have only been used as demos. I can
imagine someone using a 40 bit cracking script to capture passwords to
access "private" sites, but I haven't heard of anyone causing identifiable
trouble this way.
>Has anyone been sued for using it, sort of like an
>exploding pickup truck gas tank?
Analog cell phones are far, far less secure than SSL2, but people aren't
assumed to be negligent because they use them. The only exception would be
if someone decides beforehand that cell phones aren't sufficiently secure
for some particular use and establishes a rigid policy with specific
consequences (lawsuits?) in that case. A car example: cars are required to
be built with ignition locks, but burglar alarms are optional, even in
Boston and Somerville.
> I mean, hey, this is 1998, DES has been
>cracked twice and we're two generations of TCP-based crypto beyond SSL 2...
Harry Houdini demonstrated that "escape proof" jails and handcuffs did not
live up to their technological promise, but folks still kept building and
buying them.
Rick.
smith@securecomputing.com
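The key-reuse point Rick raises above (SSL 2 keying its MAC with the same write key that encrypts the record, so a crack of the 40-bit export secret buys forgery as well as disclosure) can be shown end to end. The following is an added example, not code from the mail, from Rick Smith, or from any SSL implementation. Everything in it is a constructed stand-in: the stream cipher is an MD5 counter keystream rather than RC4, the secret is 16 bits rather than 40 so the brute force runs in well under a second, the "TLS-style" key derivation is a two-hash simplification of the real key-block expansion, and the sample records and function names (`ssl2_seal`, `tls_open`, `demo`, and so on) are the example's own. The attacker is assumed to know the record sequence number and one plaintext record (an HTTP request line), which is the usual known-plaintext setting for 40-bit cracking.

```python
import hashlib
import hmac
import secrets

# Constructed, scaled-down parameters: a 16-bit secret stands in for SSL 2's
# 40-bit export key so the brute force below finishes in well under a second.
SECRET_BITS = 16
SECRET_BYTES = SECRET_BITS // 8
CLEAR_KEY = b"\x00" * 11   # stand-in for the CLEAR-KEY-DATA SSL 2 sends in the clear
MD5_LEN, HMAC_LEN = 16, 32

def xor(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy per-record stream cipher (constructed stand-in for RC4): MD5(key||seq||ctr)."""
    blocks = (length + MD5_LEN - 1) // MD5_LEN
    return b"".join(hashlib.md5(key + seq.to_bytes(4, "big") + c.to_bytes(4, "big")).digest()
                    for c in range(blocks))[:length]

# SSL 2 style: the one write key both encrypts the record and keys the MAC.
def ssl2_mac(key: bytes, seq: int, data: bytes) -> bytes:
    return hashlib.md5(key + data + seq.to_bytes(4, "big")).digest()

def ssl2_seal(secret: bytes, seq: int, data: bytes) -> bytes:
    key = secret + CLEAR_KEY
    plain = ssl2_mac(key, seq, data) + data
    return xor(plain, keystream(key, seq, len(plain)))

def ssl2_open(secret: bytes, seq: int, record: bytes):
    key = secret + CLEAR_KEY
    plain = xor(record, keystream(key, seq, len(record)))
    mac, data = plain[:MD5_LEN], plain[MD5_LEN:]
    return data if hmac.compare_digest(mac, ssl2_mac(key, seq, data)) else None

def ssl2_recover_secret(record: bytes, seq: int, known: bytes):
    """Known-plaintext brute force over the secret key bits. The recovered key is
    also the MAC key, so the attacker can afterwards forge records at will."""
    for s in range(1 << SECRET_BITS):
        secret = s.to_bytes(SECRET_BYTES, "big")
        if ssl2_open(secret, seq, record) == known:
            return secret
    return None

# SSL 3 / TLS style: independent MAC and encryption keys, only the latter
# export-sized (a simplified stand-in for the real key-block expansion).
def derive_keys(master: bytes):
    mac_key = hashlib.sha256(b"mac" + master).digest()
    enc_key = hashlib.sha256(b"enc" + master).digest()[:SECRET_BYTES]
    return mac_key, enc_key

def tls_mac(mac_key: bytes, seq: int, data: bytes) -> bytes:
    return hmac.new(mac_key, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()

def tls_seal(master: bytes, seq: int, data: bytes) -> bytes:
    mac_key, enc_key = derive_keys(master)
    plain = data + tls_mac(mac_key, seq, data)
    return xor(plain, keystream(enc_key, seq, len(plain)))

def tls_open(master: bytes, seq: int, record: bytes):
    mac_key, enc_key = derive_keys(master)
    plain = xor(record, keystream(enc_key, seq, len(record)))
    data, mac = plain[:-HMAC_LEN], plain[-HMAC_LEN:]
    return data if hmac.compare_digest(mac, tls_mac(mac_key, seq, data)) else None

def tls_recover_enc_key(record: bytes, seq: int, known: bytes):
    """Same brute force: yields the encryption key (hence the plaintext) but
    nothing about the independently derived MAC key."""
    for k in range(1 << SECRET_BITS):
        enc_key = k.to_bytes(SECRET_BYTES, "big")
        if xor(record[:len(known)], keystream(enc_key, seq, len(known))) == known:
            return enc_key
    return None

def tls_forge_without_mac_key(enc_key: bytes, seq: int, data: bytes) -> bytes:
    """Best effort with the encryption key alone: encrypt a guessed (zero) MAC."""
    plain = data + b"\x00" * HMAC_LEN
    return xor(plain, keystream(enc_key, seq, len(plain)))

def demo(seq: int = 7) -> dict:
    known = b"GET /account HTTP/1.0\r\n"        # constructed known plaintext
    forged_text = b"POST /transfer?to=mallory"   # constructed forgery payload
    secret = secrets.token_bytes(SECRET_BYTES)   # SSL 2 session
    rec = ssl2_seal(secret, seq, known)
    found = ssl2_recover_secret(rec, seq, known)
    forged = ssl2_seal(found, seq + 1, forged_text)
    master = secrets.token_bytes(48)             # TLS-style session
    rec2 = tls_seal(master, seq, known)
    found_enc = tls_recover_enc_key(rec2, seq, known)
    disclosed = xor(rec2[:len(known)], keystream(found_enc, seq, len(known)))
    forged2 = tls_forge_without_mac_key(found_enc, seq + 1, forged_text)
    return {
        "ssl2_key_recovered": found == secret,
        "ssl2_forgery_accepted": ssl2_open(secret, seq + 1, forged) == forged_text,
        "tls_enc_key_recovered": found_enc == derive_keys(master)[1],
        "tls_plaintext_disclosed": disclosed == known,
        "tls_forgery_accepted": tls_open(master, seq + 1, forged2) is not None,
    }
```

Calling `demo()` runs both attacks against fresh random sessions. In the SSL 2-style design the brute force recovers the whole write key, and the forged record for the next sequence number passes the receiver's MAC check; in the separated design the same effort recovers the export-sized encryption key and exposes the plaintext (the disclosure risk is identical), but the forgery is rejected because the MAC key was never weakened and cannot be derived from the encryption key. That is exactly the difference between "disclosure risk" and "disclosure plus integrity risk" drawn in the mail.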