lynx-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LYNX-DEV more about wells fargo, schwab

From: Nicholl Environmental
Subject: Re: LYNX-DEV more about wells fargo, schwab
Date: Wed, 11 Mar 1998 10:13:37 -0600 (CST) 
On Sun, Mar 08, 1998 at 04:56:26PM -0800, Matt Ackeret wrote:
>
> Hmm, so I actually *do* have a Lynx with SSL available.
> But this only does 56 bit stuff I guess?
> I can access my Schwab account (except Moneylink which requires 128 bit)..
> can't log onto Wells Fargo which requires 128 bit.
> So my next question is obvious -- is there 128 bit security stuff for
> Lynx?
> Or am I missing something?  I *thought* that the SSL stuff itself did
> 128 bit security.. (But since I can now access https but not the 128 bit
> stuff, obviously that's wrong.)

Your confusion is understandable, Matt.  I was thrown for a loop myself
last month when I accessed my Schwab account with a just-compiled Lynx-
2.7.2/SSLeay-0.8.1 combo, and was greeted with the following:

>>>>>                                      
       SchwabNOW!   [INLINE]   Customer Center Logon
   IMPORTANT BROWSER UPGRADE INFORMATION
   You are using a standard security (40- or 56-bit encryption) browser.
   Although you can access your account with this browser, to ensure that
   our customers have the best security available, we recommend you
   upgrade to a "strong encryption" (128-bit) browser. The Schwab
   MoneyLink Transfer ServiceĀ® requires 128-bit encryption.
   To upgrade your browser, blablabla.....
>>>>>

However, connecting to <https://www.fortify.net/cgi-bin/ssl> yielded the
following report: 

>>>>>
  Fortify for Netscape
  SSL Encryption Report

   [INLINE] RC4 cipher, 128-bit key
   [INLINE] RC2 cipher, 128-bit key
   [INLINE] Triple-DES cipher, 168-bit key
   (more inlines .. deleted)
   
     You have connected to this web server using the RC4-SHA encryption
                cipher with a secret key length of 128 bits.
                                      
    This is a high-grade encryption connection, regarded by most experts
   as being suitable for sending or receiving even the most sensitive or
                   valuable information across a network.
>>>>>                                      

BTW, connecting to the above site with US-Netscape 3.01 yields the same
report, except the cipher is identified as RC4-MD5.  It would appear that
some sites (eg Schwab, Wells Fargo) which check for 128-bit browser
encryption do so _not_ by analyzing the cipher stream, but by simply
identifying the user agent and comparing that against an "approved list" 
of browsers/versions. -*sigh*- more Lynx discrimination...

We should urge the companies we do business with to put Lynx-ssl on any
such lists, or better, to use an analytical method for determining browser
encryption capabilities. 

Nick Nicholl
<address@hidden>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]