Mozilla to Include Crypto
Willy Wonka passed us the news that Mozilla's M14 release will include cryptography on the branch.
If you'd care to add your eyeballs to the debugging process, please do: Christine Begle posts in the n.p.m.seamonkey newsgroup, "We need help from the Mozilla community to test the crypto-enabled M14 candidate builds. Some tests and test plans will be posted to mozilla.org sometime on Tuesday."
That's today, folks.
tried getting some socks wrapper libs?
I use dante's socksify libraries/script.
-Yarn - Rio Karma: Excellent
Release of complete crypto source for Mozilla based on the PSM/NSS software and architecture depends not only on expiration of the RSA patent but also on replacing all the proprietary source code licensed from RSA Security and other third parties. That's the goal, but there's enough integration and other work involved that it's not going to happen overnight. But I do expect to see it happen; exactly how and when it happens remains to be seen.
Mozilla does not yet have support for encrypted email, either S/MIME or PGP-based. I expect both to become available later sometime, but it's too soon to guess at dates.
If such a function exists, it would not violate the patent, as the patent (as I understand it) specifically covers the function and not the mapping of input to output.
However, the chances are that it would take considerably longer to derive such a function than it would be to just ride out the patent. That should not deter Open Source evangelists from trying, though, as a totally unencumbered function would be useful from the perspective of eroding the notion of Intellectual Property.
(If you could duplicate the O=f(I) mapping for one piece of code, without duplicating any patented algorithm, it would render algorithm-specific patents rather pointless.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I specifically restricted it to the useful range of inputs, at which point the relationship between f(x) and g(x) outside of the range defined is undefined.
How is this practical? Well, let's define f(x) as being defined over the range of integers, and h(x) as being defined over the range of reals. h(x) is approximately f(x), within 0.5 either side, over the range that x is normally used.
Then, define g(x) as round(h(x)). g(x) is now equal to f(x), within the normal range of x, but is defined over a completely different function, and would significantly diverge if taken outside of that range.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
round(x + 0.1 * x) = x, when -4 Let f(x) = x + f(x - 1), where f(0) = 0.
Let g(x) = round(3.2 * (x - 1)).
f(x) = g(x), over the interval 2 sin(x) = x, for very small values of x, if appropriately rounded. However, if left as-is, or taken over a larger range of x, then sin(x) != x.
These are meant to be trivial examples, but they do show how two totally different functions CAN coincide over limited intervals. We don't NEED a clone of the RSA function, over the entire range of integers, as it's only meaningful over the interval of one unit of data, which gives you a very limited range over which the two functions would need to coincide.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
"Then why are you having to beg people to do it? Seriously.
"OK, but will it still be a coup if his begging isn't successful?
From my personal use and what I've heard from others, it is already a very good product and therefore IMVHO it is already a coup. I just want it to be the best product possible and thereby be the biggest coup possible.
Readers of Slashdot are aware of each and every milestone release and it seems as though it is taking a long time for version 1.0 to arrive, but considering the complexity of the product and the fact that it has been re-written with a new engine in place, I think it is an incredible feat and the Mozilla/Netscape guys should be applauded. They probably feel like the "Rodney Dangerfield" of the software world, getting little or no respect.
By the way, I don't remember anyone ever stating that the OSS method of software development was necessarily the fastest. It takes time to craft a quality product. Besides, we don't want Mozilla to be like the bug-laden products of some companies out there...do we? Of course not.
kuro5hin.org
Co-founder and designer at Music Nearby: http://musicnearby.com
BigBaldGuy-
That's great to hear. I knew that part of the problem was proprietary (read: unfreeable) stuff, and I'm sure your intentions are good. My one concern is whether or not I'll be able to use it with nightlies (since I use those and not the M builds.) Any idea if that'll be the case?
~luge
IAAL,BIANLY
Any idea what kind of restrictions would be placed on mozilla now that it has crypto? I'd like to see a fortify build for mozilla.. would be nice (can get rid of netscape for banking)
I'd like a nice replacement mailing tool with gpg support.
--
Hi. Mozilla still barfs after about 5 seconds on my SMP Celeron system (Under Linux, glibc 2.1.13, kernel 2.2.14.) This is supposed to be due to the fact that it's not "thread safe." Anyone know when this will be addressed? Ben
It would be extremely cool to see some built-in PGP for the email/news client. Or at least hooks to use an external PGP/GPG.
I think that a lot more people would be more interested in defending privacy/crypto rights if it was more visible to the end-user community.
First of all, it sounds incredibly catty on Mozilla's part, throwing in a completely irrelevant quote from Tim Bray about Microsoft. Bray was nudging Microsoft to improve other parts of their browser instead of focusing on XSL, not trying to scare people off from trying implementations of XSL. Waiting until standards are completely finished before doing any kind of implementation just slows the whole process down, because people won't realize the cool stuff they're missing. Just because he wants full XML+CSS support first doesn't mean that people are supposed to wait around and do nothing on the XSL front. Mozilla twists his point around and uses it as an excuse for why they can't do both.
And oh yeah, XSLT, XPATH, XSL are all to the point -- the first two being W3C Recommendations, and the last a Working Draft -- where xml.com (the source quoted by Mozilla) considers them to be standards, making Mozilla's claims even more dubious. Perhaps they need a few more free volunteers to update their FAQ for them?
Cheers,
ZicoKnows@hotmail.com
So, if they don't have any kind of early support for the XSLT standard now (available at http://www.w3.org/TR/xslt), then they're already digging another hole for themselves.
Cheers,
ZicoKnows@hotmail.com
Upon reading the posts on the binary part of the crypto component, I believe (IANAL!!) that Mozilla still does the same thing, send a link to the source to the BXA, and provided that whatever binary they're calling has been approved for export, all is well in the world.
Returned Peace Corps IT Volunteer
"Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
Question - if the binary is public domain, wouldn't the source be public domain? And would patent law require them to publish their code?
Ahh, the days when a post could be moderated -2. Anyways not to be rude, but it will be open source eventually, like in September. But there is this little problem of RSA patents that have to be dealt with. And if you want to play in the RSA field you gotta follow their rules. Anyways all of this is built by Netscape and is under inspection by many people who will have access to the source. So please calm down and take your seat in the corner.
Probably because damn near all the secure sites out there talk RSA. They can implement SSL all they like and even include other encryption methods into Mozilla, but without RSA they might as well not bother.
At least according to Jan Leger's post on the Seamonkey news group.
Quemadmodum gladius neminem occidit, occidentis telum est
He said "It's going to be" a coup, by which, I take it, all indications are that the finished product will be good. But this doesn't mean that you shouldn't contribute where you can (if in fact having an open source browser matters to you), because the more people contribute not only coding but bug reports, the better Mozilla will be.
Admittedly you *will* have to put up with more if you use mozilla as your main browser. As crappy as Netscape on *nix is, it's got more working features than Mozilla -- at the moment.
"Oh, I hope he doesn't give us halyatchkies," said Heinrich.
I think open development is *eventually* faster than closed development, because a bunch of hackers will want to make something which is easy to hack. A project controlled by a single company will sooner or later sacrifice future hackability to meet a release date *now*. Notice I say "open development", not just "open source"; if all development is being done by one company then the same commercial pressures apply. But Mozilla *is* largely "open development" in spite of the high proportion of Netscape coders - decisions are taken by non-netscape developers too, so there are voices in there which aren't subject to Netscape's commercial pressures.
perl -e 'fork||print for split//,"hahahaha"'
HOORAY MOZILLA! Just when they've missed another on-the-wire date and you start to lose hope, they pop back up again. You guys are big encouragers, especially by jumping into the forums here and educating us all.
:-)
---
In this usenet article, Jim Roskind goes into some of the plans for M14 and beyond. One point he brings up (and this is the where-you-can-help part) is that the main things which prevent a commercial-branded alpha/beta are the "beta-stopper" bugs; bugs which are first marked beta1 on submission, then reviewed and marked by authorization as PDT. These beta-stoppers, by virtue of their priority, draw human resources from across Netscape as well as just the seamonkey group.
So if you can, test the program. If you find a beta-stopper - some real bug like a crash or a performance problem - report it and mark it beta1. These draw special attention from the mozilla people, and if promoted to PDT status, will attract extra developers from Netscape.
---
Someone else at MozillaZine had some insights about a (possibly semi-official) name for the full completed package: Netscape 2001 or some such. Yes it is the year thing, but as Henrik points out, it could be successfully tied into the air of coolness surrounding 2001, A Space Odyssey. Maybe they'd even give it a classical soundtrack
-- If you lived here, you'd be home by now.
can you trick the library into becoming an api using #define?
--
The shareholder is always right.
Anyway, from recent binaries, mozilla looks like it's coming along pretty well. Some of the High-vote bugs (not including mine) have been sitting on the table for a while, but a lot of smaller issues have been corrected since M13.
--
The shareholder is always right.
I'm just worried that mozilla will be so large that there won't be ten hackers who understand any given line of the source code. Has this ever been a problem with other open source projects?
--
The shareholder is always right.
Turns out you set a ld_preload when you run the mozilla running scripts. It also turns out that runsocks ALSO uses a ld_preload. You can merge the two ld_preload commands and that actually works pretty well (Or has when I tried it, YMMV.)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Let's see if the Mozilla Team and the Apache team manage to hack that in to their software before I beat them to it...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Just to clarify, there most certainly WILL be XSLT support in Mozilla. Everyone agrees on this. It's just too late at this point to add it in to the initial Mozilla release. I am dying for it too, but if it will set back an initial Mozilla release by another 2-3 months (which it will) then I'll pass for now. If it's not being worked on by the first point release, there are plenty of us who will go write it ourselves. It's Open Source, it will get there, it's just that debugging the already built functionality has to take precedence at this point so the first release can get out the door cleanly.
- I can copy/paste in and out of the program
- save preferences easier (i think this has been fixed but i don't do CVS)
- use CRYPTO!
- Have it save the size of my window (fixed too?)
- pages like www.cleveland.com will load (java shit)
how's the outlook for m14? Think i'll be able to trash netscape finally?
- Mike Roberto
-- roberto@apk.net
--- AOL IM: MicroBerto
Berto
> Do any distributions ship with Mozilla?
Yes. Suse 6.3 includes Milestone 12. I believe 6.2 had a milestone as well.
norom
>I can download the binary and use RSA FOC.
yes.
>I can go to the ibm hosted patent site and download the RSA patent.
yes.
> I am not legally allowed to implement the patent, although I can
> legally download source that implements the patent in other
> countries.
But you can't have that source in the U.S. So you can only download it from other countries to other countries. In the U.S. it's RSA's way or no way.
> I just don't see that not allowing the source to be open is such
> a big deal. I mean, the cat is out of the bag. I cannot legally
> distribute software using RSA until September, but I can
> possess source code that would implement it if compiled, and
No you can't, I don't think.
> I can FREELY possess binaries that implement it (such as
> netscape, IE, ssh - for non-commercial use...)
There is a library - RSAREF - written by RSA implementing the RSA algorithm. Its license permits non-commercial use, but forbids any modifications whatsoever to its code, which is structured in a way that doesn't expose APIs needed for https. As I understand it, for SSL, the commercial library from RSA, BSAFE, is needed, as well as some further modifications. BSAFE allows modifications, but forbids the distribution of modified source (or even source at all). So closed-source it is, until the patent expires. Even then, it will be necessary to re-write the code to use something else, as RSA's copyright on their library will still be valid. It will just be legal to use something else.
> Exactly how much of a head start is it going to be for mozilla
> to distribute the source ?
huh? the source can't be distributed, because that would violate its licensing terms.
> I also realize the REAL issue is that mozilla NEEDS permission to
> distribute the source, and that is the real hangup. It all seems
> so silly.
mozilla can't violate the terms of Netscape's RSA license, because that would void Netscape's license to have RSA code. So it's never going to open in its current form, but I would expect to see an OpenSSL-based replacement for the plugin sometime soon, probably distributed only to non-US users at first and replacing the RSA-licensed one after the patent expires.
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
This isn't done because there isn't any good way to grab those events for links. Some changes to the event model are pending (for other features as well), but this is stuck waiting on them. Go vote for bug #6085, that (believe it or not) actually does influence a bug's priority... there's a hackish patch that implements this attached to the bug, but nobody wants to merge it because it's pretty ugly (or so I'm told)
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
Yeah, a bunch of people have been working on optimizing the repaints and, on UN*X platforms, X11 protocol usage.
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
Umm.. how about implementing other encryption algorithms. Perhaps of non-US origin? Try GOST from Russia for example.
Here are links to GOST and others.
--
>(8< ~ we come in peace
unless i've forgotten more of my math than i think i did, this is impossible. there is no way to find an "equivalent (but mathematically distinct)" function to the RSA function. this is because if you have two functions f and g such that f(x)=g(x) for all x (as would be required) then f=g. Of course, they may be written differently (i.e. a trivial case of functions written differently would be f=tan(x), g=sin(x)/cos(x)). However, this does not mean that these are not the same exact function.
Browsers support SSL now, and that includes encryption. What's being added? Encrypted E-mail support?
RSA is not something like a sorting algorithm or a FFT; the Perl slogan There's More Than One Way to Do It is not applicable here. If we model the core RSA function m=c^e mod n as a bijective function f() from Z/Z_n -> Z/Z_n (the field defined by the integers modulo), simple uniqueness considerations on the operators over the field dictate that there is no other function g() that maps the same bijection between Z/Z_n -> Z/Z_n that is distinct from f(). Necessarily, if f(x)=g(x) for all inputs {x|x E Z/Z_n}, the function f()==g() for a sufficiently broad generalization of the underlying field (irrespective of the specific structure of the field). Essentially, any shortcut that allows the computation of the RSA function without carrying out the same operation means that the RSA function has some extremely unexpected properties. RSA is probably broken if it ever gets to that point.
Your statement is not strictly true. In order to define equality of two functions, we must establish the mathematical space under which the functional operations are carried out. In the case of the reals, the space has enough underlying structure (ie. Taylor series, Cauchy-Dedekind representations) that we can prove equality for a certain small minority of functions defined over the reals. This is not as trivial as it seems; a theorem by Richardson states that [handwaving here; read the proof for the details] even for a surprisingly simple class of expressions over R (the rational numbers), the predicative identity E=0, where E is any finite, recursively definable expression under certain strict constraints, is not decidable. Your posting is not generally correct, but nonetheless applicable for the question of the RSA function, unless there is something very surprising that we have yet to discover about it.
Ouch, that's embarrassing. My thesis advisor would probably have had me drawn and quartered for that. I misstated Richardson's theorem: R is the class of expressions formed by: 1) The rationals, PI, and ln(2) 2) A single dependent variable x 3) The operations of addition and multiplication, and 4) The sine, cosine, exponential, and absolute value functions. Composition is allowed, of course. The predicate E=0 cannot be decided for arbitrary E in R.
I think the above paragraph is right, but I'm not sure I got all the details right and those little proof demons always lurk in the details...
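An added illustration of the two positions argued in this sub-thread (not code from any poster, Mozilla or PSM): a rounded look-alike such as round(x + 0.1 * x) matches its target only on a small interval, while two different procedures for the RSA private-key map that agree on every element of Z_n are one and the same function. The toy primes, exponent and all function names are constructed for this example and are far too small for real use.

```python
from fractions import Fraction

# Toy textbook-RSA parameters, constructed for this example only.
P, Q = 61, 53
N = P * Q                            # modulus
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)


def rsa_direct(c):
    """Private-key map computed as one exponentiation mod N."""
    return pow(c, D, N)


def rsa_crt(c):
    """The same map computed by a different procedure: two half-size
    exponentiations mod P and mod Q, recombined with the Chinese
    Remainder Theorem (Garner's formula)."""
    m_p = pow(c % P, D % (P - 1), P)
    m_q = pow(c % Q, D % (Q - 1), Q)
    h = (pow(Q, -1, P) * (m_p - m_q)) % P
    return m_q + h * Q


def identity(x):
    return x


def rounded_lookalike(x):
    """round(x + 0.1 * x), evaluated in exact rational arithmetic so the
    result does not depend on floating-point representation."""
    return round(Fraction(11, 10) * x)


def disagreements(f, g, domain):
    """Inputs in `domain` on which f and g return different values."""
    return [x for x in domain if f(x) != g(x)]


if __name__ == "__main__":
    # Different algorithm, identical mapping on all of Z_n.
    print("RSA direct vs CRT mismatches:",
          len(disagreements(rsa_direct, rsa_crt, range(N))))

    # Both invert encryption for every possible message.
    print("CRT round-trips every message:",
          all(rsa_crt(pow(m, E, N)) == m for m in range(N)))

    # The look-alike only coincides with its target near zero.
    bad = disagreements(identity, rounded_lookalike, range(-10, 11))
    print("look-alike diverges at:", bad)
```

A stand-in that coincides with the RSA map on only part of Z_n would return wrong plaintexts for every input outside that part, so an interoperable replacement has to agree on the whole domain.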
I understand what you mean, I've seen bunches of these "binary=linux-x86" only programs... but I don't think it'll apply in this case.
Tomorrow will be cancelled due to lack of interest
Dude, it's in there.
You just need to complain to Sun to get a Java 1.3 implementation out of the door so that you can use JNI (or whatever the appropriate acronym is) to plug it into Mozilla.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
Whenever Debian freezes it will ship with Mozilla (not sure which build, though.) Advancement of Mozilla is pretty crucial for Debian, since (unlike other distributions that would ship Mozilla as a supplement to Netscape) Debian doesn't distribute Netscape with the core of the distro. Until there is a usable Mozilla, Debian will continue to ship without a "serious" browser.
Grain of salt: I'm posting this from yesterday's build, so I (personally) consider Mozilla pretty damn fine stuff. But it's just not quite ready for mainstream acceptance (which is why Debian isn't in great shape, web-wise.)
~luge
IAAL,BIANLY
The latest Mozilla release does not even compile successfully on my IRIX box, let alone run correctly.
--Ivan, weenie NT4 user: bite me!
--weenie NT4 user: bite me!
"Computers are nothing but a perfect illusion of order" -- Iggy Pop
if the binary is public domain, wouldn't the source be public domain? And would patent law require them to publish their code?
The RSA binaries won't be public domain. I believe the patent on the RSA algorithm expires this autumn. With the algorithm in the public domain, anyone can legally write their own RSA code. BTW, how long do patents last? I think it's 17 years.
cpeterso
https://www.fortify.net/sslcheck.html
which tells you what level of encryption you're running.
www.openssl.org has an Open Source implementation of SSL. I think their latest version is 0.95.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I believe that M15 is (currently) the target milestone for adding SOCKS support. See bug 16103 for more info.
---
not plane, nor bird, nor even frog...
I don't get this.
I can download the binary and use RSA FOC.
I can go to the ibm hosted patent site and download the RSA patent.
I am not legally allowed to implement the patent, although I can
legally download source that implements the patent in other
countries.
I just don't see that not allowing the source to be open is such
a big deal. I mean, the cat is out of the bag. I cannot legally
distribute software using RSA until September, but I can
possess source code that would implement it if compiled, and
I can FREELY possess binaries that implement it (such as
netscape, IE, ssh - for non-commercial use...)
Exactly how much of a head start is it going to be for mozilla
to distribute the source ?
I also realize the REAL issue is that mozilla NEEDS permission to
distribute the source, and that is the real hangup. It all seems
so silly.
No, mozilla won't run in 16 Mb of RAM. If that's all you have I suggest you use browsers from when computers had 16 Mb of RAM.
simplebrowser (./run-mozilla.sh ./simplebrowser) might, though it's more of a debug tool at this point. It's mozilla's layout engine sans chrome. I'm not sure, though, that the milestone tarballs include it and/or all its pieces.
Otherwise, you may find w3m more your style. It's a text-mode browser but with support for mouse (xterm or gpm), tables, frames, etc.
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
To clarify this a little more: the security library for Netscape Communicator (which will also be in the iPlanet PSM binaries that will work with Mozilla) incorporates proprietary code from RSA Security, and some of that code implements the RSA public key algorithm, on which RSA Security has a patent in the U.S.
Once the RSA patent expires then other people in the U.S. may write and release code implementing the RSA algorithm without requiring a patent license from RSA. However the code supplied by RSA Security will still be proprietary. What the expiration of the patent will allow is creation of an alternative RSA implementation which is open source and can be freely used with the Mozilla source base.
I believe the patent on the RSA algorithm expires this autumn.
September 20, 2000 (which actually is in the summer, but just barely). And yes, patents normally are for 17 years.
I'm seeing a lot of posts that ask about this or that. Try downloading Mozilla. Mozilla currently supports Javascript up to 1.5 and CSS 1 & 2. Download the build - give it a shot.
The SSL code will be included in the tip - not the mozilla tree. This means - no one will see the code that is owned by RSA. So using cvs on the tree won't get you all the crypto code - it will probably download at least one small binary file that includes the patented RSA code. Which later this year will fall into public domain.
Don't forget to help out on the Mozilla project - Mozilla runs great on Mac, Linux, Win32 and all sorts of variant UNIX operating systems as well as OS's I've never even heard of.
Joseph Elwell.
I'd like to appeal to everyone. If you like Linux and especially Open Source Software, please download this release of Mozilla (and future releases as well) and use it, abuse it, and break it. Then, report those bugs! This is going to be one of the biggest coups for Open Source Software and show a lot of detractors that OSS is a viable method for developing quality software. It will also blow away a lot of FUD concerning security issues, etc. of OSS (because it's open.) Thanks.
kuro5hin.org
Co-founder and designer at Music Nearby: http://musicnearby.com
One important note: the crypto in M14 will not be Open Source. Rather, M14 will incorporate hooks which will be usable with a binary-only crypto module from iPlanet (the offspring of the Netscape-Mozilla alliance.) For more on the situation, read this mozillazine post.
IAAL,BIANLY
When you're done banding together to implement RSA without violating their patents, please drop us a line. (Have fun storming the castle!)
it's bug #22687
Vote early (and as the old joke goes, vote often)
W
-------------------
This is my SIG. There are many like it, but this one is mine.
Besides, we don't want Mozilla to be like the bug-laden products of some companies out there...do we?
Don't pick on RedHat like that -- they're still Open Source and could use our support now that their stock's been tanking.
Cheers,
ZicoKnows@hotmail.com
http://www.bxa.doc.gov/Encryption/licchart.htm
| Product | Previous Licensing Mechanism | Update99 Licensing Mechanism | Technical Review | Reporting |
|---|---|---|---|---|
| Source Code (publicly available, unrestricted) | IL/ELA | TSU | No (notes 3, 4) | No |
| Source Code (publicly available with restrictions) | IL/ELA | ENC | No (notes 3, 4) | Yes |
Notes:
3. No review of foreign products(s)
4. BXA Notification at time of export is required
Returned Peace Corps IT Volunteer
The net will not be what we demand, but what we make it. Build it well.
From the ngLayout FAQ:
For XML formatting, why is Gecko supporting CSS rather than XSL in the first release?
Simple: CSS1 is a finished, fully adopted, and mature two-year-old standard; XSL isn't done yet. As Tim Bray, the coeditor of the XML standard, has written:
"Microsoft's XSL efforts are very impressive, but (readers will pardon us being something of a broken record on this subject) XSL is in the future. We are convinced that from the point of view of the largest number of users, the most important things that Microsoft could do in IE 5 would be:
1. Ensure interoperability of XML and stylesheets with other browsers, and
2. Build in conformance to existing, stable, well-understood standards such as CSS 1.0.
Innovation, of course, is fine and necessary, and we salute Microsoft's leadership in this area. But innovation needs to be built on a foundation of interoperability and playing by existing well-understood rules." He further adds that "It seems obvious to me that for anyone who wants to deploy XML in production mode right now, XML + CSS is the way to go..." ("Microsoft Outlines XML Support in IE5 Beta 2" at http://www.xml.com/xml/pub/98/10/ie5-2.html)
-=snip=-
I understand their reasoning, but damnit, I want my XSL! It's very weird giving XML demos in IE.
Curses! http://www.mozillazine.org is blocked by SurfWatch! Just when I was about to get a stable browser that works, the filtering companies decide open source software is against their morals :-(