Hang on, correct me if I'm wrong, but isn't 56bit DES significantly different from 40-bit SSL (which uses a 40bit key for the public key crypto and something like a 3000bit key for the symmetric cipher used for the actual data transfer)?

What I mean is, DES is significantly weaker than the weakest part of standard 40bit SSL, yes? If I'm wrong, aren't a lot of people putting a lot of confidence in something that really isn't secure (i.e. all SSL sessions...)??

--
Shane

On Thursday 20 Dec 2001 9:07 pm, TD - Sales International Holland B.V. wrote:
> On Thursday 20 December 2001 14:58, you wrote:
>
> I urge you strongly to advise against that. Although it might be possible
> to downgrade your encryption to 40bit I'd like to make you aware of the
> fact that DES which is 56 bit encryption if I'm not mistaken was cracked
> several times by brute force in UNDER 22 hours by the distributed.net
> people (www.distributed.net). Therefore I would NOT consider 40 bits
> encryption safe and I feel obligated to make you aware of that. You are
> warned now :-) so do as you please.
>
> Kind regards,
>
> Ferry van Steen
>
> PS I'm also on distributed.net's mailing list. I once asked why it wouldn't
> be safe then, since distributed.net has a huge load processing power due to
> the number of people that participate. Apparently it's fairly easy for a
> lot of companies/governments/etc to EASILY!! match that computational
> power.
>
> > Hi,
> > Bit off topic this, but I thought I'd ask anyway...
> >
> > I've been implementing a financial reporting system, in PHP, which will
> > be running on the internet.
> >
> > Obviously, therefore, security is an issue. The system itself implements
> > a username/password login system, but I want to be able to run it using
> > SSL for obvious reasons.
> >
> > My problem is this: The server we have (Red Hat 7.0, Apache 1.3.14-3,
> > open-ssl 0.9.5a-14, mod_ssl 2.7.1-3) came with ssl preconfigured and
> > ready to use. It runs at 128 bit encryption which is fine as far as I'm
> > concerned.
> >
> > The people who will be using the system, however, have a company standard
> > browser which is IE 4 and only supports 40 bit encryption. And for
> > various political reasons they don't want to upgrade all the browsers. So
> > what I want to know is how easy it is to "turn down" the encryption
> > level, and how to go about it.
> >
> > Any suggestions, pointers??? All the documentation I've come across thus
> > far doesn't really cover anything like this....
> >
> > Richy
> >
> >
> > ==========================================
> > Richard Black
> > Systems Programmer, DataVisibility Ltd - http://www.datavisibility.com
> > Tel: 0141 435 3504
> > Email: [EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)