Re: LYNX-DEV more about wells fargo, schwab
From: Nicholl Environmental
Subject: Re: LYNX-DEV more about wells fargo, schwab
Date: Wed, 11 Mar 1998 10:13:37 -0600 (CST)
On Sun, Mar 08, 1998 at 04:56:26PM -0800, Matt Ackeret wrote:
>
> Hmm, so I actually *do* have a Lynx with SSL available.
> But this only does 56 bit stuff I guess?
> I can access my Schwab account (except Moneylink which requires 128 bit)..
> can't log onto Wells Fargo which requires 128 bit.
> So my next question is obvious -- is there 128 bit security stuff for
> Lynx?
> Or am I missing something? I *thought* that the SSL stuff itself did
> 128 bit security.. (But since I can now access https but not the 128 bit
> stuff, obviously that's wrong.)
Your confusion is understandable, Matt. I was thrown for a loop myself
last month when I accessed my Schwab account with a just-compiled
Lynx-2.7.2/SSLeay-0.8.1 combo, and was greeted with the following:
>>>>>
SchwabNOW! [INLINE] Customer Center Logon
IMPORTANT BROWSER UPGRADE INFORMATION
You are using a standard security (40- or 56-bit encryption) browser.
Although you can access your account with this browser, to ensure that
our customers have the best security available, we recommend you
upgrade to a "strong encryption" (128-bit) browser. The Schwab
MoneyLink Transfer Service® requires 128-bit encryption.
To upgrade your browser, blablabla.....
>>>>>
However, connecting to <https://www.fortify.net/cgi-bin/ssl> yielded the
following report:
>>>>>
Fortify for Netscape
SSL Encryption Report
[INLINE] RC4 cipher, 128-bit key
[INLINE] RC2 cipher, 128-bit key
[INLINE] Triple-DES cipher, 168-bit key
(more inlines .. deleted)
You have connected to this web server using the RC4-SHA encryption
cipher with a secret key length of 128 bits.
This is a high-grade encryption connection, regarded by most experts
as being suitable for sending or receiving even the most sensitive or
valuable information across a network.
>>>>>
BTW, connecting to the above site with US-Netscape 3.01 yields the same
report, except the cipher is identified as RC4-MD5. It would appear that
some sites (eg Schwab, Wells Fargo) which check for 128-bit browser
encryption do so _not_ by analyzing the cipher stream, but by simply
identifying the user agent and comparing that against an "approved list"
of browsers/versions. -*sigh*- more Lynx discrimination...
We should urge the companies we do business with to put Lynx-ssl on any
such lists, or better, to use an analytical method for determining browser
encryption capabilities.
Nick Nicholl
<address@hidden>
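
The two checks contrasted in the message above, side by side, as an added example that is not part of the original post and not code from any site it names. It assumes a CGI-style environment carrying the Apache mod_ssl variables HTTPS, SSL_CIPHER, SSL_CIPHER_USEKEYSIZE and SSL_CIPHER_ALGKEYSIZE; the allowlist and the three sample requests are constructed for illustration.

```python
# Added illustration; the allowlist and sample requests below are constructed.
APPROVED_AGENT_PREFIXES = ("Mozilla/3.01",)  # hypothetical "approved list"

def allowed_by_user_agent(env):
    """The approach the post criticises: trust the User-Agent header."""
    return env.get("HTTP_USER_AGENT", "").startswith(APPROVED_AGENT_PREFIXES)

def effective_key_bits(env):
    """Secret key bits protecting this connection, or 0 if not known."""
    if env.get("HTTPS", "").lower() != "on":
        return 0
    try:
        # USEKEYSIZE is the effective strength. Export suites report a
        # 128-bit ALGKEYSIZE but only 40 bits here, so ALGKEYSIZE is not used.
        return int(env.get("SSL_CIPHER_USEKEYSIZE", "0"))
    except ValueError:
        return 0

def allowed_by_cipher(env, minimum_bits=128):
    """The analytical approach: judge the negotiated cipher itself."""
    return effective_key_bits(env) >= minimum_bits

SAMPLES = {  # constructed requests, not captured traffic
    "lynx_strong": {
        "HTTPS": "on", "HTTP_USER_AGENT": "Lynx/2.7.2 libwww-FM/2.14",
        "SSL_CIPHER": "RC4-SHA",
        "SSL_CIPHER_USEKEYSIZE": "128", "SSL_CIPHER_ALGKEYSIZE": "128",
    },
    "listed_agent_export_cipher": {
        "HTTPS": "on", "HTTP_USER_AGENT": "Mozilla/3.01 (X11; I; Linux)",
        "SSL_CIPHER": "EXP-RC4-MD5",
        "SSL_CIPHER_USEKEYSIZE": "40", "SSL_CIPHER_ALGKEYSIZE": "128",
    },
    "listed_agent_no_tls": {"HTTP_USER_AGENT": "Mozilla/3.01 (X11; U; Linux)"},
}

def compare(samples=SAMPLES):
    """Map each sample name to (user-agent verdict, cipher verdict)."""
    return {name: (allowed_by_user_agent(env), allowed_by_cipher(env))
            for name, env in samples.items()}

if __name__ == "__main__":
    for name, (by_agent, by_cipher) in compare().items():
        print(f"{name:28} user-agent={by_agent!s:5} cipher={by_cipher}")
```

The user-agent check rejects the 128-bit Lynx session and accepts a listed agent on a 40-bit export cipher; the cipher check gets both right.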