[Pugged] SSL options and providers

Steve Langasek ciapug@ciapug.org
Mon, 23 Sep 2002 16:27:50 -0500


On Mon, Sep 23, 2002 at 04:19:41PM -0500, Angie Tollerson wrote:
> >Perhaps you were looking at
> >http://www.verisign.com/products/site/commerce/index.html instead --
> >note that if you buy their commerce services, $895 only gets you *40*-bit
> >encryption.  Sufficient proof for me of their shadiness, encouraging
> >people to use 40-bit encryption on eCommerce sites...
> This was the one I was talking about, but I wasn't aware that 40-bit
> was not sufficient for most sites. Explain more please :)

It's possible to brute-force 40-bit SSL encryption in a matter of minutes
on a modern PC (Pentium III grade).  40-bit encryption isn't encryption
anymore, it's obfuscation.  If someone was in a position to intercept
traffic from your eCommerce server and intended to collect dozens or
hundreds of credit card numbers from you, 40-bit isn't really much of a
deterrent.

About the best thing you get with VeriSign's 40-bit cert is the $100K
insurance, which is worth more than the cert itself -- and personally, if
I wanted that I'd go to an insurance agent, not to a domain registrar.

Steve Langasek
postmodern programmer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9j4dWKN6ufymYLloRAs+kAKCn93UMjdCZiGvRJAdibW3WMKvBMgCgiVOh
wpVWzXO/qSemd/NBP+eYAVM=
=qk4F
-----END PGP SIGNATURE-----

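The point about 40-bit keys being a small enough space to exhaust is easy to make concrete. The following Python snippet is an added example, not code from the list thread or from any project mentioned in it; the function names (`brute_force_seconds`, `weak_ciphers`, `hardened_client_context`, `negotiated_cipher_is_acceptable`), the 128-bit minimum and the trial rates are assumptions chosen for illustration. It sizes the key space, then shows the defensive counterpart: auditing a Python `ssl` context for any enabled cipher below a chosen symmetric strength and checking the tuple that `SSLSocket.cipher()` returns after a handshake (the sample tuple below is constructed, not captured from a real server).

```python
import ssl

# Assumed policy floor for symmetric strength; modern guidance is at least 128 bits.
MIN_STRENGTH_BITS = 128


def brute_force_seconds(key_bits: int, keys_per_second: float) -> float:
    """Expected time to find a key by exhaustive search at a given trial rate.

    On average half the key space must be tried, so the expectation is
    2**key_bits / 2 trials. The rate is an assumption supplied by the caller.
    """
    return (2 ** key_bits) / 2 / keys_per_second


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = MIN_STRENGTH_BITS) -> list:
    """Names of cipher suites the context would offer whose symmetric strength
    is below min_bits (strength_bits is what ssl.SSLContext.get_ciphers reports)."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


def hardened_client_context() -> ssl.SSLContext:
    """A client context that keeps Python's default (no export/low ciphers) and
    additionally refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiated_cipher_is_acceptable(cipher, min_bits: int = MIN_STRENGTH_BITS) -> bool:
    """Evaluate the (name, protocol, secret_bits) tuple returned by
    ssl.SSLSocket.cipher() after a handshake against the policy floor."""
    name, protocol, secret_bits = cipher
    if secret_bits is None or secret_bits < min_bits:
        return False
    # Export-grade suites are flagged by name as well, in case the bit count
    # reported by an old library is misleading.
    if name.startswith("EXP"):
        return False
    return True


if __name__ == "__main__":
    # Assumed trial rate of one billion keys per second, purely for scale.
    print("40-bit, 1e9 keys/s: %.0f seconds" % brute_force_seconds(40, 1e9))
    print("128-bit, 1e9 keys/s: %.3g years" % (brute_force_seconds(128, 1e9) / 31_557_600))

    ctx = hardened_client_context()
    print("weak suites enabled in hardened context:", weak_ciphers(ctx))

    # Constructed sample of what an export-grade negotiation would look like.
    sample = ("EXP-RC4-MD5", "SSLv3", 40)
    print(sample, "acceptable:", negotiated_cipher_is_acceptable(sample))
```

`weak_ciphers` is the useful part operationally: run it against whatever context your application actually builds, not the default, since a `set_ciphers()` string inherited from an old deployment is the usual way a low-strength suite survives into production.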