Your account number, the amount of money you just transferred, the account you
transferred it to, etc. may all be in that transaction. Even if they can't get
in and mess with stuff during the session, this may still be information you
expect to be private.
It's less forgivable for banks, who have an exemption and are often
actually _allowed_ to deploy (US exported) strong crypto.
It's worse if you don't trust 512-bit RSA keys, because now you have the
possibility that the key exchange is compromised.
It's worse STILL if your bank uses some stupid password scheme instead of
cryptographically strong authentication (like digital certs or something)
because then all that's protecting your client entered data is the stupid
40-bit key and once someone cracks one session they can impersonate you
forever.
So, I would say yes. I think it is bad practice.
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
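The defender's side of the argument above, as an added example that is not part of the thread: audit an `ssl.SSLContext` for export-grade or otherwise weak suites, and build a server context that refuses them. It assumes CPython 3.7+ on OpenSSL 1.1.0 or later; the 128-bit threshold and the weak-name markers are the editor's choices, not from the original messages.

```python
"""Audit an ssl.SSLContext for export-grade (40-bit) or otherwise weak
cipher suites, and build a hardened context that refuses them.
Added example; assumes CPython 3.7+ linked against OpenSSL 1.1.0 or later."""
import ssl

# Thresholds and markers are the editor's assumptions, not from the thread.
MIN_SYMMETRIC_BITS = 128          # 40-bit export keys fall far below this
WEAK_MARKERS = ("EXPORT", "RC4", "DES", "NULL", "ANON", "MD5")


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = MIN_SYMMETRIC_BITS) -> list:
    """Return names of enabled suites that are export-grade or below min_bits.

    ctx.get_ciphers() reports, per suite, the effective key length
    ('strength_bits') that OpenSSL would actually use on the wire."""
    weak = []
    for c in ctx.get_ciphers():
        name = c["name"].upper()
        if c["strength_bits"] < min_bits or any(m in name for m in WEAK_MARKERS):
            weak.append(c["name"])
    return weak


def hardened_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2+, forward-secret AEAD suites only.
    OpenSSL security level 2 additionally rejects RSA keys under 2048 bits
    at handshake time, so a 512-bit key is refused outright; builds without
    SECLEVEL support fall back to the same suite list without it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    suites = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
    try:
        ctx.set_ciphers(suites + ":@SECLEVEL=2")
    except ssl.SSLError:
        ctx.set_ciphers(suites)
    return ctx


def export_ciphers_available() -> bool:
    """Try to enable the 40-bit export suites the thread is about.
    OpenSSL 1.1.0+ dropped them entirely, so this fails with SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT40")
    except ssl.SSLError:
        return False
    return bool(ctx.get_ciphers())


if __name__ == "__main__":
    ctx = hardened_context()
    print("weak suites in hardened context:", weak_ciphers(ctx))
    print("40-bit export suites still available:", export_ciphers_available())
```

Run `weak_ciphers()` against the context your server actually uses; an empty list means no suite with a 40-bit (or any sub-128-bit) session key can be negotiated, whatever the session length.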
-----Original Message-----
From: avishver [mailto:[EMAIL PROTECTED]]
Sent: Monday, 20 September 1999 7:13 AM
To: firewall - security
Subject: SSL 40bit
Greetings,
Epicurus question:
Is it *really* bad practice to use 40bit SSL, even in banking transactions,
when the average session time ("session": from user point of view, the
time he is connected to the web server) is usually less than 20 minutes ?
Thanks
Avi
<<<< "Children", I say plainly, "watch out for the baobabs!" >>>>
<<<< The Little prince by Antoine de Saint Exupery. >>>>