> ---------- > From: Steve Mynott[SMTP:[EMAIL PROTECTED]] > On Sat, Jun 26, 1999 at 01:09:36PM -0400, Nelson Minar wrote: > > > The point is that in Netscape, it is very hard to tell if a given link > > is 40 bit or 128 bit. Sure, with enough poking around looking at page > > info you could probably figure it out. Or maybe someone knows if the > > little padlock means something like the little key used to. But I'm a > > crypto-sophisticated person, and I don't know. What about people who > > don't understand the technology at all? > > Good point > > There used to be two keys I believe a little (weak) key and a larger > (strong) > key. In the (patched to domestic US strength) version of Netscape I use > (Linux 4.07) the padlock is always the same size. It may be my version > is broken. > Actually, The key had one ward for 40-bit crypto, and two wards for the good stuff. (and was shown with a crack through it if you were unprotected). The keys' background color also changed, and a solid blue line appeared between the display area and the tool bar if you were using SSL (this is circa Netscape 2.x IIRC). > Anyone with a legit. US browser confirm that this visual cue (icon > size) has been removed? > > I'm using Netscape Navigator 4.03 - a US version with good crypto. I have it configured to use only RC4/MD5, either at 40 or 128 bit (one at a time for this test). If I go to the secure site at https://www.c2net.com, I apparently get a 40 or a 128 bit connection, depending on configuration. The icon in both modes is identical - there is not (in this version) any on-screen identification of the the strength of cipher being used. There is no blue line at the bottom at the toolbar in any mode. If I go to 'view/page info', I get either: "Security: This is a secure document that uses a high-grade encryption key for U.S. domestic use only (RC4, 128 bit)." or "Security: This is a secure document that uses a medium-grade encryption key suited for U.S. export (RC4-40, 128 bit with 40 secret)." (one shudders to think of what might qualify as 'low-grade' encryption). So, in this version at least, the on-screen indication as to whether you are using 40 bit 'espionage enabled' SSL or stuff that might be good has been removed. You're at least two clicks away from finding out. Somehow, I'm reminded of the discussion relative to the ingredient adjacent to monosodium glutamate on the label of the "Wizzo Chocolate Assortment" in the Monty Python sketch :-) Peter Trei [EMAIL PROTECTED]
