[655] in cryptography@c2.net mail archive
Re: U.S. Broker [E*Trade] goes 40-bit only
daemon@ATHENA.MIT.EDU (Joe Roberts)
Wed Apr 30 12:37:34 1997
Date: Wed, 30 Apr 1997 10:57:42 -0400
From: Joe Roberts <joe@checkfree.com>
To: Adam Shostack <adam@homeport.org>
CC: cryptography@c2.net

I'm not the anonymous user that sent the original post, but I can tell
you that I will be terminating my account if I don't get some
information that makes me feel better about E*Trade soon.

After I saw the original post I tried logging into E*Trade's web service
and found that I couldn't get a connection with non-exportable strong
crypto (when I first opened my account this was not the case, but I
hadn't logged into the service via the web for several months). My
inquiry to E*Trade resulted in the following:

> Dear Mr. Roberts,
> Thank you for your email message.
> We use 128 bit encryption-domestic, 40 bit for foreign access.
> Please let us know if we can be of any further assistance.
>
> Sincerely,
>
> <snip>
> E*Trade Trading Dept.

I have sent a follow-up message clearly indicating that I have a
domestic version of Netscape Navigator that will support 128 bit
encryption and yet I can only get 40-bit sessions. I haven't gotten a
response yet, but it hasn't been very long...

Joe

Adam Shostack wrote:
>
> If anonymous would like to drop me a note telling me if
> they've terminated their account, I'd appreciate it. (Relates to the
> question about 40 bit session cracking I asked the other day.)
>
> Adam
>
> Anonymous wrote:
> | >From: "Service3" <service@etrade.com>
> | >Subject: Re: Weakened web security
> | *************************************************************
> |
> | E*TRADE SECURITIES
> |
> | *************************************************************
> | Dear <snip>:
> |
> | Thank you for your e-mail message, and your comments.
> |
> | We are looking into reestablishing the handshaking capability for
> | 128-bit encryption. I do not have a time table for when that will take
> | place.
> |
> | However, we beg to differ with your view that the 40-bit encryption is
> | "insecure". Since our security system uses one-time pads, it would be
> | extremely difficult for anyone to decode a single packet, much less an
> | entire transmission series. We have yet to have a single security
> | breach at E*Trade, and even if there was, we are insured fully for
> | such a situation. We are fully confident that our customers are as
> | safe and secure as we can make them.
> |
> |
> | If you have any additional questions or comments, please e-mail us at
> | service@etrade.com, or, if you would prefer, please feel free to call
> | a Customer Service Representative, Monday through Friday, 8:00am to
> | 12:00am Midnight (Eastern Time), toll-free, at 1-800-STOCKS5
> | (1-800-786-2575).
> |
> | Sincerely,
> |
> | <snip>
> | E*Trade Customer Service
> |
> |
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume