Slashdot Mirror


Mozilla to Include Crypto

Willy Wonka passed us the news that Mozilla's M14 release will include cryptography on the branch. If you'd care to add your eyeballs to the debugging process, please do: Christine Begle posts in the n.p.m.seamonkey newsgroup, "We need help from the Mozilla community to test the crypto-enabled M14 candidate builds. Some tests and test plans will be posted to mozilla.org sometime on Tuesday." That's today, folks.

24 of 161 comments

  1. Re:That's nice, but where is Java? by Matts · · Score: 3

    Dude, it's in there.

    You just need to complain to Sun to get a Java 1.3 implementation out of the door so that you can use JNI (or whatever the appropriate acronym is) to plug it into Mozilla.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
  2. Re:How about other algorithms? by stripes · · Score: 3
    Umm.. how about implementing other encryption algorithms. Perhaps of non-US origin? Try GOST from Russia for example.

    RSA is a public key algo, one key to encrypt, a different key to decrypt. GOST is a private key algo, one key that can either encrypt or decrypt. If you have a public key algo you can publish your encryption key in a "well known place", and anyone can use it to send messages only you can decrypt (read). With a private key cryptosystem you can not publish the key, anyone that had it could not only send messages, but read them.

    To replace RSA in a functional sense you need another public key algo. The only one I know of is a circular arc or some similar thing, "only" discovered within the last decade (five years I think), and not understood by cryptographers well enough to trust all that much. I think GPG can/does use it.

    The other problem is that would only be a functional replacement, it won't interoperate with SSL implementations using RSA. For that only RSA will do. Which can be used outside the USA patent free. In the USA we have to wait until later this year (Septemberish).


    P.S. the reason PGP/GPG/SSL uses a public key system plus a private key system is that public key systems are slow and bulky. They greatly expand the size of the data you encrypt with them (like sending an 8-bit value with a 1024bit RSA key gives a 1024bit ciphertext). So they make a random session key, encrypt it with the public key system, send it, and send the rest of the message encrypted in the session key using the private key cryptosystem. This gives three points of attack, the public key system, the private key system, and the random number generator used to make the session keys, so obviously this would be avoided if it could!
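
The hybrid scheme described in the P.S. of the comment above, as an added example that is not part of the original thread: a random session key is wrapped with RSA and the message body is encrypted under that key with a symmetric cipher. It uses Node.js's built-in crypto module; the 2048-bit key size, RSA-OAEP and AES-256-GCM are assumptions chosen for the example (the comment names no specific ciphers and uses a 1024-bit key in its illustration).

```javascript
const crypto = require('node:crypto');

// Recipient's key pair. 2048-bit modulus is an assumption of this example.
const { publicKey, privateKey } =
  crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function hybridEncrypt(recipientPublicKey, plaintext) {
  // 1. Session key from the CSPRNG (the third attack point the comment names).
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  // 2. Bulk data goes through the symmetric ("private key") cipher.
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  // 3. Only the 32-byte session key goes through the slow public key system.
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, tag, body };
}

function hybridDecrypt(recipientPrivateKey, msg) {
  const sessionKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag); // final() throws if body or tag was altered
  return Buffer.concat([decipher.update(msg.body), decipher.final()]);
}

// RSA output is always one modulus long, however small the input:
// this is the size expansion the comment describes.
function rsaCiphertextLength(recipientPublicKey, nBytes) {
  return crypto.publicEncrypt(recipientPublicKey, Buffer.alloc(nBytes, 0x41)).length;
}

// Constructed sample message of 10,000 bytes.
const message = Buffer.from('A'.repeat(10000));
const sealed = hybridEncrypt(publicKey, message);
console.log('RSA of 1 byte ->', rsaCiphertextLength(publicKey, 1), 'bytes');
console.log('wrapped key   ->', sealed.wrappedKey.length, 'bytes');
console.log('AES-GCM body  ->', sealed.body.length, 'bytes');
console.log('round trip ok ->', hybridDecrypt(privateKey, sealed).equals(message));
```

The fixed RSA overhead is paid once for the session key, while the symmetric body stays the same length as the plaintext.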

  3. Re:Do any distributions ship with Mozilla? by luge · · Score: 3

    Whenever Debian freezes it will ship with Mozilla (not sure which build, though.) Advancement of Mozilla is pretty crucial for Debian, since (unlike other distributions that would ship Mozilla as a supplement to Netscape) Debian doesn't distribute Netscape with the core of the distro. Until there is a usable Mozilla, Debian will continue to ship without a "serious" browser.
    Grain of salt: I'm posting this from yesterday's build, so I (personally) consider Mozilla pretty damn fine stuff. But it's just not quite ready for mainstream acceptance (which is why Debian isn't in great shape, web-wise.)
    ~luge

    --

    IAAL,BIANLY

  4. I would prefer to see stability by NYC · · Score: 3
    Personally, I would like to see a nice, quick, and STABLE browser. Who needs Java to surf the web? If you want Java, just use Netscape.

    The latest Mozilla release does not even compile successfully on my IRIX box, let alone run correctly.


    --Ivan, weenie NT4 user: bite me!

    --
    --weenie NT4 user: bite me!
    "Computers are nothing but a perfect illusion of order" -- Iggy Pop
  5. RSA algorithm is what will become public domain. by cpeterso · · Score: 3

    if the binary is public domain, wouldn't the source be public domain? And would patent law require them to publish their code?

    The RSA binaries won't be public domain. I believe the patent on the RSA algorithm expires this autumn. With the algorithm in the public domain, anyone can legally write their own RSA code. BTW, how long do patents last? I think it's 17 years.


  6. fortify.net ; www.openssl.org by billstewart · · Score: 3
    Fortify.net is a UK site with software that fixes Netscape 40-bit browsers so they'll do 128-bit. One useful feature the web page has is an SSL checker
    https://www.fortify.net/sslcheck.html
    which tells you what level of encryption you're running.

    www.openssl.org has an Open Source implementation of SSL. I think their latest version is 0.95.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  7. Re:SOCKS support by adric · · Score: 3

    I believe that M15 is (currently) the target milestone for adding SOCKS support. See bug 16103 for more info.
    ---

    --
    not plane, nor bird, nor even frog...
  8. Re:I might add by blakestah · · Score: 3

    I don't get this.

    I can download the binary and use RSA FOC.

    I can go to the ibm hosted patent site and download the RSA patent.

    I am not legally allowed to implement the patent, although I can
    legally download source that implements the patent in other
    countries.

    I just don't see that not allowing the source to be open is such
    a big deal. I mean, the cat is out of the bag. I cannot legally
    distribute software using RSA until September, but I can
    possess source code that would implement it if compiled, and
    I can FREELY possess binaries that implement it (such as
    netscape, IE, ssh - for non-commercial use...)

    Exactly how much of a head start is it going to be for mozilla
    to distribute the source ?

    I also realize the REAL issue is that mozilla NEEDS permission to
    distribute the source, and that is the real hangup. It all seems
    so silly.

  9. Re:wont run with 16 megabytes of ram by puetzk · · Score: 3

    No, mozilla won't run in 16 Mb of RAM. If that's all you have I suggest you use browsers from when computers had 16 Mb of RAM.

    simplebrowser (./run-mozilla.sh ./simplebrowser) might, though it's more of a debug tool at this point. It's mozilla's layout engine sans chrome. I'm not sure, though, that the milestone tarballs include it and/or all its pieces.

    Otherwise, you may find w3m more your style. It's a text-mode browser but with support for mouse (xterm or gpm), tables, frames, etc.

    --
    The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
  10. Re:RSA algorithm is what will become public domain by Frank+Hecker · · Score: 4
    The RSA binaries won't be public domain.

    To clarify this a little more: the security library for Netscape Communicator (which will also be in the iPlanet PSM binaries that will work with Mozilla) incorporates proprietary code from RSA Security, and some of that code implements the RSA public key algorithm, on which RSA Security has a patent in the U.S.

    Once the RSA patent expires then other people in the U.S. may write and release code implementing the RSA algorithm without requiring a patent license from RSA. However the code supplied by RSA Security will still be proprietary. What the expiration of the patent will allow is creation of an alternative RSA implementation which is open source and can be freely used with the Mozilla source base.

    I believe the patent on the RSA algorithm expires this autumn.

    September 20, 2000 (which actually is in the summer, but just barely). And yes, patents normally are for 17 years.

  11. What will it have? Find the answers. by jelwell · · Score: 4

    I'm seeing a lot of posts that ask about this or that. Try downloading Mozilla. Mozilla currently supports Javascript up to 1.5 and CSS 1 & 2. Download the build - give it a shot.

    The SSL code will be included in the tip - not the mozilla tree. This means - no one will see the code that is owned by RSA. So using cvs on the tree won't get you all the crypto code - it will probably download at least one small binary file that includes the patented RSA code. Which later this year will fall into public domain.

    Don't forget to help out on the Mozilla project - Mozilla runs great on Mac, Linux, Win32 and all sorts of variant UNIX operating systems as well as OS's I've never even heard of.
    Joseph Elwell.

  12. I'd like to appeal to everyone... by moonboy · · Score: 4

    I'd like to appeal to everyone. If you like Linux and especially Open Source Software, please download this release of Mozilla (and future releases as well) and use it, abuse it, and break it. Then, report those bugs! This is going to be one of the biggest coups for Open Source Software and show a lot of detractors that OSS is a viable method for developing quality software. It will also blow away a lot of FUD concerning security issues, etc. of OSS (because it's open.) Thanks.

    kuro5hin.org

    --

    Co-founder and designer at Music Nearby: http://musicnearby.com
  13. I might add by luge · · Score: 4

    One important note: the crypto in M14 will not be Open Source. Rather, M14 will incorporate hooks which will be usable with a binary-only crypto module from iPlanet (the offspring of the Netscape-Mozilla alliance.) For more on the situation, read this mozillazine post.

    --

    IAAL,BIANLY

    1. Re:I might add by BigBaldGuy · · Score: 5

      Hi. I'm one of the developers who is working on getting the crypto stuff out of our internal tree and into the M14 branch.

      It is true that for the moment, this branch will only be useful with a binary-only module that we are cranking out for both 4.x and Netscape 6 browsers.

      However, as you will see here, we are in the process of getting all the source code that we legally can out there. We made tarballs available a few weeks ago, and though that code doesn't build, at least you can get an idea of how the binary piece works.

      We're still working on patent issues, as you might guess, along with a number of other things, before we can have a fully working build in the mozilla tree. But we're getting there.

      Mark Welch -- Crypto/PKI developer -- Sun|Netscape Alliance

    2. Re:I might add by puetzk · · Score: 5

      I (the person who built the M13 binaries for Linux/PowerPC) am working on this. While I can't have the source either, I think I have a netscape employee who is going to be helping on PowerPC at least. Other people on other platforms, go to irc.mozilla.org #mozcrypto and I expect you will find helpful people who want this to work just as much as you do.

      Chant with me... September 30th... (RSA's patent will expire and SSL won't be such a legal PITA). Right now it has to be binary-only or not at all, due to legal restrictions.

      --
      The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
    3. Re:I might add by john_boy · · Score: 5

      Ugh. This isn't a flame; unlike some others, I'm not going to go ape just because I can't get the source to a couple of the components of one of the apps I run.

      But whenever I hear 'binary-only,' it turns out to mean Linux-x86 only. As someone who runs Linux (yes, real Linux, new kernels and all) on a PowerPC, this won't be the first almost-must-have goodie denied to me -- and I'm sure folks who run on other open source OSes, even on the x86, can relate.

      John

  14. Re:If it's not Open Source, it's crap! by Mike+Shaver · · Score: 4

    When you're done banding together to implement RSA without violating their patents, please drop us a line. (Have fun storming the castle!)

  15. Re:PGP...vote for it then. by VValdo · · Score: 4
    Join bugzilla.

    it's bug #22687

    Vote early (and as the old joke goes, vote often)

    W
    -------------------

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.
  16. Re:If it's such a coup... by Zico · · Score: 4

    Besides, we don't want Mozilla to be like the bug-laden products of some companies out there...do we?

    Don't pick on RedHat like that -- they're still Open Source and could use our support now that their stock's been tanking.

    Cheers,
    ZicoKnows@hotmail.com

  17. Restrictions? Well, none! by griffjon · · Score: 4
    Well, that's not strictly true. No export to the T-7 (the 7 state supporters of terrorism; Iran, Iraq, etc.), and the code has to be fwd'd to BXA:

    (B) For post-export reports and certification letters, you may submit them electronically to crypt@bxa.doc.gov (suggested file formats include spreadsheets, tabular text or structured text), or to the Department of Commerce, Bureau of Export Administration, Office of Strategic Trade and Foreign Policy Controls, 14th Street and Pennsylvania Avenue, N.W., Room 2705, Washington, DC 20230, Attn: Encryption Reports. A copy must also be mailed to Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-6000.

    http://www.bxa.doc.gov/Encryption/qanda.htm


    http://www.bxa.doc.gov/Encryption/licchart.htm
    Product | Previous Licensing Mechanism | Update99 Licensing Mechanism | Technical Review | Reporting
    Source Code (publicly available, unrestricted) | IL/ELA | TSU | No (notes 3, 4) | No
    Source Code (publicly available with restrictions) | IL/ELA | ENC | No (notes 3, 4) | Yes

    Notes:
    3. No review of foreign product(s)
    4. BXA Notification at time of export is required
    --
    Returned Peace Corps IT Volunteer
  18. Do any distributions ship with Mozilla? by dsplat · · Score: 4
    Once this is stable, it could be the answer to secure open source e-commerce. Apache on the server and Mozilla on the client. Both open for peer review, which is the only thing in crypto that gives much assurance of security. To quote the Crypto-Gram Newsletter, September 15, 1999:

    As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice.

    --
    The net will not be what we demand, but what we make it. Build it well.
  19. Re:Mozilla... reaching critical mass? by lostboy · · Score: 4

    From the ngLayout FAQ:

    For XML formatting, why is Gecko supporting CSS rather than XSL in the first release?

    Simple: CSS1 is a finished, fully adopted, and mature two-year-old standard; XSL isn't done yet. As Tim Bray, the coeditor of the XML standard, has written:

    "Microsoft's XSL efforts are very impressive, but (readers will pardon us being something of a broken record on this subject) XSL is in the future. We are convinced that from the point of view of the largest number of users, the most important things that Microsoft could do in IE 5 would be:
    1. Ensure interoperability of XML and stylesheets with other browsers, and
    2. Build in conformance to existing, stable, well-understood standards such as CSS 1.0.

    Innovation, of course, is fine and necessary, and we salute Microsoft's leadership in this area. But innovation needs to be built on a foundation of interoperability and playing by existing well-understood rules." He further adds that "It seems obvious to me that for anyone who wants to deploy XML in production mode right now, XML + CSS is the way to go ..." ("Microsoft Outlines XML Support in IE5 Beta 2" at http://www.xml.com/xml/pub/98/10/ie5-2.html)

    -=snip=-

    I understand their reasoning, but damnit, I want my XSL! It's very weird giving XML demos in IE.

  20. Re:Crypto .. exportability by evil_one · · Score: 4

    Since the U.S. govt slackened off some of the export regulations, the crypto can be available as long as it is not knowingly exported to a restricted country. Also, since mozilla is using hooks to a binary - the same way the shockwave flash plugin works - one can develop one's own crypto modules if so desired.

    --
    Desperation is a stinky cologne
  21. www.mozillazine.org vs. Censorware by John+Hurliman · · Score: 5

    Curses! http://www.mozillazine.org is blocked by SurfWatch! Just when I was about to get a stable browser that works, the filtering companies decide open source software is against their morals :-(