php3-list | 199807

Re: [PHP3] Authorization Questions
From: pnet <email protected>
Date: 07/31/98

Thanks very much for the reply. You have told me most of what I needed in a
nutshell.

At 3:24 PM 7/30/98, Kristian Koehntopp wrote:

>> - what level of encryption is used by netscape / explorer?
>
>None if you use normal HTTP. 40 bit symmetric encryption if your
>users are using an export version of Netscape or MSIE over SSL.
>128 bit symmetric encryption if your users come in with US
>domestic versions of their browsers over SSL or if they have
>applied fortify to their export versions of Netscape and come in
>via SSL.

Can you say anything about the algorithms used in SSL? Is it DES or RSA or
something else?

I am still wondering what versions of Netscape and Explorer this applies to.
I use IE-3.01/Mac, for example, and the documentation says nothing about
the strength of the SSL encryption. I would suspect that all domestic
versions probably use the 128 bits you mentioned above, although it seems
that NSA has changed its mind a few times on these issues.

Does anyone know of an online reference which lists the capabilities of all
the browsers, not just for encryption but for other features as well?

>
>> - is APOP method of using md5 hash of <datastamp>.<password> more secure?
>
>Using an md5 hash of a password avoids sending the password in
>clear, but it provides no protection against man in the middle
>attacks or replay attacks. Encoding time values together with the
>secret can help to avoid replay attacks, if done properly.
>
>But to be really secure (tm) you need a PKI (public key
>infrastructure), certificates and trust distribution. This is
>very difficult to do and hard to implement. Use SSL if you want
>these features; it is the best commonly available implementation
>of such features.
>
>Kristian
>
>PS: The PHP Library below does authentication, too. Even MD5
>hashes, if you insist. I recommend using SSL, though.

But doesn't that limit you to only servicing SSL-capable browsers?
It also requires additional service on the hosting side.

I appreciate the greater security of SSL, but this also is an NSA-approved
encryption scheme.

I think I would rather build my applications to be, at least potentially,
NSA-independent: i.e., use a client-side encryption plug-in, like a Java
applet to encrypt with PGP or whatever is least vulnerable.

Say, for example, you locate your site in a jurisdiction outside of the US
bombing range (not that any such place exists, absolutely, but politically
speaking...). Would clients in the US be at legal risk if they accessed
your site and unwittingly downloaded an applet that used strong encryption
to send a password back to the server? I can't imagine any such legal
restriction would be enforceable in any case.

Even using MD5 alone would require some client-side application to perform
the hash. While I don't like the idea of requiring Java, it seems like the
best way around this problem, aside from using SSL.

I don't know much about IP-SEC (encrypted IP) but that seems a promising
alternative, if it ever becomes widely installed.

- tppt: Tom Paine, Perpetual Traveller; webmaster <email protected>

"We The People..." = tyranny; "Me The Person..." = ethics/freedom

--
PHP 3 Mailing List   http://www.php.net/
To unsubscribe send an empty message to php3-unsubscribe <email protected>
To subscribe to the digest list:  php3-digest-subscribe <email protected>
For help: php3-help <email protected>  Archive:  http://www.php.net/mailsearch.php3
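The APOP exchange that Kristian's quoted reply discusses (MD5 over the server's timestamp banner followed by the password), as an added example that is not part of the original thread, of PHP 3, or of any library it mentions. It is written in Python rather than PHP so it runs stand-alone; the user name, password, hostname and the two server variants are constructed for illustration. It shows both sides of the exchange, why a server that does not retire each challenge after one use is open to a straight replay of the sniffed APOP line, and, going one step beyond the thread, why the digest still lets a passive eavesdropper guess the password offline even though the password itself never crosses the wire.

```python
"""APOP-style challenge/response (RFC 1939 section 7) and its replay and
offline-guessing properties.  Added example; hostnames and credentials are
constructed, not taken from the mailing-list thread."""
import hashlib
import hmac
import os
import time

# Constructed sample credentials shared by client and server (assumption).
USERS = {"mrose": "tanstaaf"}


def apop_digest(challenge: str, password: str) -> str:
    """APOP response: hex MD5 of the server's timestamp banner followed by the password."""
    return hashlib.md5((challenge + password).encode("ascii")).hexdigest()


class ApopServer:
    """Server side.  track_challenges=False models a server that accepts any
    challenge it ever issued without remembering whether it was already used."""

    def __init__(self, users, track_challenges=True, max_age=60.0):
        self.users = users
        self.track = track_challenges
        self.max_age = max_age
        self.outstanding = {}      # challenge -> time issued; popped on first use
        self.issued_ever = set()   # what the naive variant checks instead

    def greeting(self) -> str:
        # RFC 1939 banner timestamp: <process-ID.clock@hostname>, unique per connection.
        challenge = f"<{os.getpid()}.{time.time_ns()}@mail.example.invalid>"
        self.outstanding[challenge] = time.time()
        self.issued_ever.add(challenge)
        return f"+OK POP3 server ready {challenge}"

    def apop(self, user: str, challenge: str, digest: str) -> str:
        """Handle 'APOP <user> <digest>' on the connection that received `challenge`."""
        if self.track:
            issued = self.outstanding.pop(challenge, None)   # single use, then gone
            if issued is None or time.time() - issued > self.max_age:
                return "-ERR stale or reused challenge"
        elif challenge not in self.issued_ever:
            return "-ERR unknown challenge"
        expected = apop_digest(challenge, self.users.get(user, ""))
        if user in self.users and hmac.compare_digest(expected, digest):
            return "+OK maildrop locked and ready"
        return "-ERR permission denied"


def client_login(server: ApopServer, user: str, password: str):
    """Client side: read the banner, cut out the <...> challenge, answer with the digest.
    Returns (challenge, digest, reply) so an 'eavesdropper' can reuse what went over the wire."""
    banner = server.greeting()
    challenge = banner[banner.index("<"):banner.index(">") + 1]
    digest = apop_digest(challenge, password)
    return challenge, digest, server.apop(user, challenge, digest)


def replay_succeeds(track_challenges: bool) -> bool:
    """Sniff one login, resend the identical APOP line; True if the server accepts it."""
    srv = ApopServer(USERS, track_challenges=track_challenges)
    challenge, digest, first = client_login(srv, "mrose", "tanstaaf")
    assert first.startswith("+OK")
    return srv.apop("mrose", challenge, digest).startswith("+OK")


def offline_guess(challenge: str, digest: str, wordlist):
    """The password never appears on the wire, but whoever saw (challenge, digest)
    can test candidates offline at MD5 speed with no further contact with the server."""
    for candidate in wordlist:
        if apop_digest(challenge, candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    print("naive server accepts replay:", replay_succeeds(False))
    print("tracking server accepts replay:", replay_succeeds(True))
    srv = ApopServer(USERS)
    ch, dg, _ = client_login(srv, "mrose", "tanstaaf")
    print("offline guess from sniffed exchange:", offline_guess(ch, dg, ["hunter2", "tanstaaf"]))
```

The difference between the two server variants is only whether a challenge is retired on first use and bounded in age; that is the "if done properly" in the quoted reply. Neither variant helps against an active man in the middle, who can simply relay the real challenge to the client and the real digest to the server, which is why the reply points at SSL for that case.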