More Crypto...
Part Two: It probably ain't
But even if you're connecting to a site that can do the whole
secure thang, and even if you do connect and see the "locked"
looking thing in the corner, you probably aren't any more secure
than you were before. "Why" you ask? Cuz even
then, the crypto connection that your browser is using is probably
weak.
Part Three: Here's why it ain't
Here's the skinny. Our U.S. government people consider
crypto technology a weapon, because twenty years ago back in
the cold war it was a dangerous thing for your enemy to have.
The United States "Export Law" says that since it's
considered a weapon, it's illegal to export out of the country.
Why is it such a big freakin deal? Well, America has
interests spread out all over the place, and we have spies who
pay real close attention to what goes on all over the world,
especially in terrorist countries. If terrorists start
using strong crypto, we can't eavesdrop on them and maybe tell
when they're gonna blow stuff up (Not that our spying on these
people has kept them from blowing stuff up before now).
Now before you get all in a frenzy, people have been trying
to reach an agreement with our intelligence people for a while
now. There are a lot of bills in the House and the Senate
trying to fix this, but no luck yet. I mean, heck, Congress
has only been at it for about six years now, give em a little
time ...
So when you download a browser off the net, most people get
stuck downloading what's called an "export-grade" web
browser. That means one whose crypto stuff is weak enough
for the government to feel okay about you exporting it.
Don't buy anything off the web with those wimpy little browsers,
cuz any cyber-moron that knows how to use a packet sniffer and
a cracking utility can read your credit info that you buy stuff
with.
>Boooooo! Hissssss!<
Part Four: Here's why that sucks
Netscape can work with all the great crypto stuff out there
through its Secure Sockets Layer but people are usually limited
to 40-bit encryption stuff, which is really weak and super lame.
Crypto stuff that weak has been cracked left and right.
Heck, Bruce Schneier will even give you a SCREEN SAVER that can
crack this type of encryption, and it even BRUTE FORCES IT!!!!
Can you imagine how weak that is? Sheesh!! You can
get it at http://www.counterpane.com/smime.html
Part Five: Fix it!
Help is here! >sound of trumpets< This super
high-class software guy named Farrell McKay and some of his friends
put together a little set of files called "Fortify"
that you download right into your browser's home directory, run
them, and they just strengthen the SNOT outta your browser.
They pump it UP, my friends.
Here's what you should do. First send me a million dollars.
Then, go to the "Fortify" website at http://www.fortify.net/index.html.
Then check what your connection security is for right now at
the link that says "SSL checker" (Yes, that stands
for "Secure Sockets Layer Checker"). It will
tell whether or not your browser is set on "wimpy mode"
or whether or not it can connect to a server in a safe way.
It will even list all the different secure connections you could
have along with what you actually have.
If that page tells you that your connection is weak, go to
the "download" page and get the version that's right
for your computer (there isn't a version available for Macs yet).
Stick the stuff in the directory that your browser is in and
follow whatever other instructions there are. It's easy
and really quick to do, and then you have to restart your browser.
Now to check if it worked. Go back to the SSL checker
at their site (you might have to hit reload). See what it
says? Most versions should connect at a full 128-bit RC-4!
Note: Remember the cryptogenius Ron Rivest who helped create
RSA? RC-4 is one of his own special algorithms, and a sweet
one at that.
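Added example (not part of the original page or of Fortify): a Python sketch of what a checker page like that reports, grading every suite a client offers and the one actually in use. The sample suite list is constructed, uses OpenSSL-style names, and grades by key length only, which is the page's yardstick.

```python
import ssl

MIN_BITS = 128  # the page's target: full-strength 128-bit suites

# Constructed sample of what a browser of that era might offer, using
# OpenSSL-style suite names; bit counts are effective key strength.
SAMPLE_OFFER = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "EXP-RC2-CBC-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "RC4-MD5", "strength_bits": 128},
]


def classify(cipher):
    """Label one suite 'export', 'weak' or 'ok' from its name and key strength.

    Key length only: this says nothing about the algorithm itself.
    """
    if cipher["name"].startswith("EXP") or cipher["strength_bits"] <= 40:
        return "export"
    return "ok" if cipher["strength_bits"] >= MIN_BITS else "weak"


def check(offered, negotiated_name):
    """Mimic the checker page: grade every offered suite and the one in use."""
    grades = {c["name"]: classify(c) for c in offered}
    best = max(offered, key=lambda c: c["strength_bits"])
    return {
        "grades": grades,
        "negotiated": grades[negotiated_name],
        "strongest_available": best["name"],
        "wimpy_mode": all(g != "ok" for g in grades.values()),
    }


def local_offer():
    """Suites this Python's TLS library offers by default (no network needed)."""
    return ssl.create_default_context().get_ciphers()


if __name__ == "__main__":
    for c in local_offer():
        print(f'{c["name"]:35} {c["strength_bits"]:>4} bits  {classify(c)}')
```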
So, you can send and receive super-secret encrypted email
that nobody can read, and you can connect with whopping 128-bit
RC-4 to participating websites. This would be a good time
to rub your hands together and cackle maniacally. Now I
know you're hooked ...
V. WRAP UP STUFF
A. All that confuses is not crypto
The biggest thing to keep in mind when you dig around for
good crypto stuff to play with is this: Just because it
has a fancy-schmancy name like "cryptographic module"
and seems to screw up text real good doesn't mean that it is
real cryptography. Even if it comes from a big name software
company, it ain't necessarily worth your while.
Real cryptography is incredibly difficult to make secure.
Most of these companies churning out software packages that protect
passwords and encrypt little documents and stuff don't bother
with any kind of real work in that area. I won't even go
into these wiseguys on the web and in hacker rags that write
their own stuff and then try to sell you on it. Sheesh!
Most of them have no idea what they're getting themselves into.
Cryptography is just too tough and experts are few and far between.
These warnings are covered a bit more in the web resources section
later on. So ...
B. Beware "kindergarten cryptography"
Don't just take someone else's word for it. There are all kinds of
interesting ideas floating around about new crypto stuff from
people who only sound like they know what they're talking about.
From hacker magazines, to newsgroup postings from alleged elite
experts, to rave reviews in big computer magazines, everybody
seems to know what crypto should be and where to find the good
stuff.
Ugh.
It ain't the wares that the journalists rave about.
It ain't the program that your favorite hacker writes.
It ain't the impressive looking plug-in that your favorite software
company tries to sell you.
The "good stuff" is what survives the tests by
the experts. Remember this: learn the names of the experts.
Learn the names of the algorithms and cryptosystems. After
a long, long, long time on the market and after a wayyyyy lot
of tests, the algorithms and systems that live on are the good
ones. And that's only for today. Breakthroughs in
computing power have made more than one seemingly secure cryptosystem
obsolete.
Every algorithm that is untested or unreleased to the public,
every algorithm that flies in the face of established mathematical
law and number theory, every algorithm that claims to be great
but isn't available to be proven is not cryptography, but kindergarten
cryptography.
Using kindergarten cryptography is even worse than using
no cryptography at all. You know why kindergarten cryptography
is so dangerous? Because it fools you into thinking it's
cryptography, and you use it on private stuff that it isn't really
going to protect. If you didn't try to use any crypto at
all, at least you would know enough to save the private stuff
for later and it would never be at risk!
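Added example (not from the original page): a hypothetical homebrew scrambler in Python, the kind that "screws up text real good", and how its key falls out of one guessable header line. The scrambler, key and note are all constructed for illustration.

```python
from itertools import cycle


def scramble(data: bytes, key: bytes) -> bytes:
    """Hypothetical homebrew 'cipher': XOR with a short repeating key.
    Running it again with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def key_from_known_text(ciphertext: bytes, known_prefix: bytes):
    """Derive the key from text anyone could guess, such as a standard header.

    XOR is its own inverse, so ciphertext XOR plaintext is the key. The key
    length is unknown, so try each one the prefix is long enough to confirm.
    """
    for key_len in range(1, len(known_prefix)):
        key = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))
        if scramble(ciphertext, key).startswith(known_prefix):
            return key
    return None


# Constructed sample data: a private note with a predictable first line.
SECRET_KEY = b"s3kr1t"
NOTE = b"Subject: meet at the usual place at noon"
SCRAMBLED = scramble(NOTE, SECRET_KEY)

if __name__ == "__main__":
    print("scrambled:", SCRAMBLED.hex())
    key = key_from_known_text(SCRAMBLED, b"Subject: ")
    print("key recovered without being told it:", key)
    print("note:", scramble(SCRAMBLED, key).decode())
```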