is https safe?

Discussion in 'Trading Software' started by NoMoreOptions, Feb 15, 2005.

  1. in my opinion, it can't be. if all the traffic are sniffed and logged, why can't the entire encrypted messaged get replayed and decrypted by those who want to? prove me right.
  2. Xenia


  3. SSL can be broken, but it's generally more effort than it's worth. When Netscape and IE first came out, they only had 40 bit keys which could be cracked by brute force in around 4 hours with 250 networked computers.

    Most SSL keys these days are 128 bit and much harder to crack. Some websites that are trying to get people to use credit cards on the internet claim it will take longer than the age of the universe to crack 128-bit encyption, but that's probably incorrect. At some point it will be fairly easy to crack it, but whether that's 50 years from now or 100, doesn''t much matter - it's very difficult today.

    Consequently, it's not worth anyone's time to try to steal your SSL data (usually a credit card) today, especially when there are any number of other scams where you can get someone's credit card much easier (usually by some sort of scam.) It's much like "the club" for cars - it can be defeated but why bother if the next car doesn't have one and is much easier to steal.
  4. SSL uses public key encryption algorithm to exchange a symetric session key. then the symetric sessoin key is used for the rest of the session.

    nothing is safe 100% that's why you see many new encryption algoirthms coming onto mainstream market. DES 56bits used to be the standard, it was infeasible to crack it back in the days because of limited computing power. now even 128bits can be cracked by a computer farm in matter of days. currently the move is towards 1024. It's a matter of time before computing power catchs up and made 1024 obsolete.

    most keys issued by trusted authorities like versign is 256. you can, however generate keys with 1024bits key length and use it on your own webserver.

  5. so, if one uses

    does this mean your company can't read your email or is it still possible?

    just wondering...