Mozilla With Crypto Code Released
physicman writes "I just read on MozillaZine that there is finally a release containing the new crypto code. This means we will eventually get the chance to get access to secure Websites with our favorite nearly-in-beta-stage browser." Mozilla's really been making a lot of progress recently -- and it looks great.
Run a beta version of a browser for "secure" transactions over the internet. I think that you will find some problems with that.
Slashdot social engineering at its finest
Does the US gov approve of all that Netscape is doing? The 128-bit enc browser is available anywhere given you "say" you're American...
;-)
Now the crypto is opensource?
I'm still waiting for Netscape 6.0
Use my userscript to add story images to Slashdot. There's no going back.
Will this be folded into Debian Potato's US distro?
Are there issues redistributing?
I rather hope not; I am writing this with plain M14 and liking it lots.
"Think of it as evolution in action."
Kinda about time.. I know I shouldn't push it, but AOL/Netscape have taken long enough. Though when I have time then I'll be able to play with what looks like a great browser. It'll match with the rest of the GTK arena that is my home.. All those pretty GTK themes on my browser. It'll also alleviate the poor browsing selection for Linux/Alpha!
The lack of crypto was one of the last obstacles to my using Mozilla as my everyday browser. Thanks to all the folks who have contributed to Mozilla. Now, if only they'd post that AIX build .... mmmm.
I don't have any Macintoshes or Intel machines, so I can't run the binary releases. Has anyone successfully built this thing on Solaris and/or IRIX? (Preferably IRIX, my Solaris machine is gimpy.)
Of course this is not Netscape's or Mozilla's fault. The fault lies entirely with RSA Data Laboratories, who refuse to license their patented RSA algorithm to any open source projects. While liberalization of US export laws is very nice, I think we're going to have to wait until after the RSA patent expires on Sept. 20 before people outside of Netscape (well, US citizens anyway) can start to tinker with the cryptography software themselves.
It's fascinating how RSA Data Laboratories was able to force the whole world to use RSA as their public key cryptography standard instead of the technically superior Diffie-Hellman/El Gamal algorithm. They did this by simply refusing to license Diffie-Hellman to anybody (yes, they owned a patent on that, back before it expired in 1997). Today the Diffie-Hellman algorithm has been out of patent protection for 3 years, but almost nobody uses it, because of the need to remain compatible with the large installed base of software that was forced to use RSA.
Let's hope the current patent shenanigans that are holding back Mozilla crypto are the last adverse effects that the open source community will ever see from RSA Data Laboratories, Inc.
How strong is the encryption? Does your citizenship have to be verified like it did when Netscape first did 128-bit crypto?
You won't get the theme support. The Mozilla project doesn't currently have any plans to make them work either. Check out http://www.linuxpower.org/display.php?id=168 for an explanation from Christopher Blizzard. That link was posted on Slashdot too. So, while you will have a solid browser, you won't have theme support.
Like an article that was here yesterday plainly stated... Opensource software in general seems to be developed by programmers for programmers, rather than by programmers for users... You need to enlist some graphics people or UI engineers or something, before the interfaces can really be considered "snappy" or anything...
I'd actually volunteer myself for something like that, being that most of my background is in the graphic arts and printing spaces rather than the C, C++, Perl, Java, TCL, Perl, etc... space.
Because it's for Linux and it's better than Netscape 4.x. Also, it's supposed to be better than IE eventually. CSS level 2 isn't even a defined standard yet (last I heard) and so IE does NOT support it, since it's probably already different. Mozilla will introduce support for those technologies when they're released - not prematurely like IE which wants to boast more features and get people to say silly stuff like you just did.
This is a little misleading. The MozillaZine article tells you how you can set up Mozilla to browse secure sites right now. Today. I have done it and it appears to work fine.
Someone outside the U.S. could implement a plugin that has the same APIs as the binary iPlanet plugin using the OpenSSL library ... and then we wouldn't need to wait until the RSA patent expires...
Much as I hate to admit it, Internet Explorer is the browser to beat, largely because of M$'s [illegal?] bundling of it with the OS and OS integration, the average home user wants to be able to click on an icon that's there when they get their PC - that's IE.
Mozilla is the only option for a compliant 'next-generation' browser. The browsers of the near future are going to have to be a one-stop-shop for net usage encompassing browsing with mail, news, instant messaging, chat, streaming media etc etc. This is possible with Mozilla. In addition, they have to be SECURE. When the traditional media report on the internet, and it's one of the rare occasions when it's not about porn, it's about shopping online, banking online, share dealing online. Security is a big BIG issue here.
People who say they shouldn't be including this in beta software have clearly missed the point of beta software. If it doesn't get beta tested, how the hell is it ever going to be made ready for release to the general public?
Go, download this version, test it, try it, even buy stuff with it, be as careful when doing so as you should be with any browser, but most of all, when you break it report it or fix it.
--
Listening for the sound of the coming rain...
When I first tried out Mozilla, it was unusable, as expected of early software of its type. M14 is very nice and stable, as it seems. I believe that it renders pages better and looks better than Netscape 4.7, despite what some people may say. I don't care for the password remembering stuff and other IE-like features, but I don't have to use them. This is a browser that will be used in the mainstream eventually (as Netscape 6.0), so it isn't a bad thing to have those things. Hopefully we see the jump to "beta" quality code soon.
"You spoony bard!" -Tellah
Mozilla's UI is hugely configurable, and you're complaining about its looks?
In the spirit of open source, if you can do better, then fix the damn thing. If not, then wait until someone comes up with something better. If it's that bad, they will.
It's pretty lame to complain about something that is fully configurable by any user.
What happened to dynamic reflow (or whatever you call it). I used to load slashdot in M13 (I think it was M13, maybe earlier) and it would progressively display as it loaded. Now it does the old Netscape thing of waiting for the last before displaying anything. Give me back my reflow!
Matt. Want XML + Apache + Stylesheets? Get AxKit.
Although the Mozilla coders have disabled all other theme support in favour of XUL, the scrollbars on my copy use the GTKStep theme ...
Chris Wareham
honestly, I think it is quite sexy. so much better than how Netscape looks under linux.
Yes it is.
I guess you haven't tried Mozilla since, say, 6 months ago. Current M14 is like from another planet if you compare it with M8 or older. They looked a bit the same as it does now, but frankly, they weren't for real use. Now Mozilla is.
And not to mention the time (about a year ago, if I remember right) before Gecko and GTK+.
From: http://www.fsf.org/fun/jokes/software.terms.html:
Alpha Test Version: Too buggy to be released to the paying public.
Beta Test Version: Still too buggy to be released.
Release Version: Alternate pronunciation of "Beta Test Version".
I understand Mozilla is soon-to-be-beta, and this might scare away people from its encryption, but could a possible crypto-related Open Source security hole be worse than a closed source 'to-be-enhanced-feature'?
And talking about 'to-be-enhanced-features', have you seen the <IMG SRC="file:///c:\CON\NUL"> bug with IE/Win98? It makes the whole machine crash and burn. You can possibly also send this in HTML email to Outlook users. Apparently (you might want to confirm this information), this was posted on BugTraq a year ago, but has recently been reposted because it was never fixed.
Shit happens.
Just tested it at fortify.net
Since Mozilla most likely will be the browser of the future Joe Desktop Linux system, I would suggest to those folks who have 'white-hat hack' in their blood to start to look for ways around the encryption, such as forcing a known encrypt key using trojans or BO or something of the sort. With open source, you can bet the crackers will be looking for ways into the system. Mozilla needs to be ripped apart to work on its vulnerabilities. White-hatters can help secure it probably better than the programmers. Open source can adapt far more quickly. Mozilla is the future for Linux. Aesthetics aside (pretty looks come after functionality), I'm looking for more security and stability than what IE and NS offer.
"First things first, but not necessarily in that order."
- Doctor Who
We're getting there people!
--
A buddhist walks up to a hot dog stand and says ``Make me one with everything.''
Yes I have to agree to that... I don't use IE more than I have to, because I don't like the way it's a security disaster, saving passwords like that and letting bad code run on your machine a little here and there. It made me so sad when Mozilla asked me to save a password... Come on guys, make something new! Something good! What's the use for the crypto if we're gonna handle passwords like that? I've had my hopes high for Mozilla... but M14 seems to do a worse job at rendering where M13 did just fine, so I'm not sure what to think now...
Tomorrow will be cancelled due to lack of interest
This is great! I'm quite impressed. Even if mozilla does crash every so often, the feel of the mozilla client is 10x better than Netscape navigator. It also seems to work well enough to be usable. Previous releases of mozilla and the technology previews of Opera were downright sad. I could barely get them started before they would crash. Even if they did hang on for a while, the rendering engine couldn't deal with half of the web pages I went to. Mozilla M14 may be the release that takes mozilla over the top! :-) Jason
I've been following Mozilla's development since the beginning. Unfortunately, I have not been able to seriously use Mozilla for more than a few minutes due to its lack of crypto support. I know this wasn't the fault of Mozilla and company, but rather the US of A's stoopid encryption laws.
Finally, I can now start using Mozilla and do my part as a user to make this browser the best it can be! While I wish the entire thing were open source, what I (and most other people) care about is simply having viable alternatives. Now we all have one.
Open Source certainly enables choice (look at Linux and all the variations of BSD), but it's not the only way to develop software. Believe me, I'm looking forward to the day RSA's patent expires. Then we'll have some real choices.
-- PhoneBoy
The views expressed herein are not necessarily those of anyone, including the poster.
Almost all the source code has been, or soon will be, released. Only the parts specific to RSA await the expiry of the patent. Until then, you can substitute your own RSA implementation (taken from, say, OpenSSL) and build your own binary from these sources. OK, it would be illegal if you're in the US, but you can do it.
I've created a template form that you can fill out and then copy the results into your e-mail client to mail off to websites that aren't allowing you to log in because it thinks you should "Upgrade your browser".
Joseph Elwell.
Very interesting. Can anyone confirm this? I can only seem to find that Public Key Partners, not RSADSI, held the patent on Diffie-Hellman. Is there any connection between these two companies?
The way to do this would be to make a PKCS#11 ("Cryptoki") module that does crypto in software. (PKCS#11 was designed for smartcard access.) PKCS#11 is a common standard supported by PSM, Communicator, all the Netscape/iPlanet servers, and other vendors' products as well.
In fact, most of the "boilerplate" code you'd need is in the open NSS code released on mozilla.org -- but Mozilla/AOL/iPlanet can't do this, it'd have to be done outside the US.
So get cracking!
I'd help fix the bugs, if only they'd rewrite it in Perl...
Carefree highway, let me slip away on you.
Have you ever heard the truism
"The simplest answer is the best"
DSA/El Gamal is much more convoluted than RSA. RSA is simplicity and elegance in an algorithm. I trust RSA more because it is better understood, and since it is simpler, there are fewer attack vectors for a cryptanalyst.
The Mozilla Crypto FAQ. Read it. It explains how the developers will return to release this source and include it with Mozilla later, when the patents expire. Or maybe you'd rather they broke the patent and made the whole damn browser illegal?
Think before you post...
Tomorrow will be cancelled due to lack of interest
Hmmmm... but if you're going to save a password to disk, it's always going to have to be in a reversible form, isn't it? I mean, most of the damn things are actually sent as plaintext in the end. Only way I can see is to password protect the passwords... but that's kinda worthless.
Tomorrow will be cancelled due to lack of interest
Has something changed? Richard Stallman has argued that the MPL is not GPL compliant. Has his position changed? I think not. Last week Miguel of Gnome fame mentioned (no url) that Mozilla couldn't be included in Gnome because it is non-GPL compliant. -Unless I'm mistaken, Debian still doesn't allow non-GPL compliant code into their distribution.
Life is like an egg better scrambled than fried. -- Ken Sawatari
There is no binary-only code hosted on mozilla.org as part of the Mozilla project. The Netscape Personal Security Manager binaries (which provide SSL support for Mozilla) have been provided by iPlanet, because they have the license from RSA to include the necessary code and algorithms to build a complete binary executable ready for use (in this case under the "Netscape" brand).
All of the other code in PSM is or will be available in source form on the mozilla.org site. People who want to use that source code to build their own PSM binaries will be able to do so, as long as they have separate source code to implement the RSA-licensed parts.
For reference, there are three sets of relevant source code needed to provide SSL support for Mozilla:
As always, for more information see the Mozilla Crypto FAQ.
Until I can log into E*Trade, I can't move over to Mozilla. And M14-crypto doesn't do E*Trade (for me).
The only other thing keeping me from making the switch is the lack of support for mail filters. I get too much email to have it all swamp my Inbox
Life is like an egg better scrambled than fried. -- Ken Sawatari
I suppose you could check out W3 for more info on CSS 1, 2 and (sigh) 3. (I really would rather if people got serious about standardising "standards" these days).
Mozilla M14 supports CSS rather well as far as I can see, which is already a big improvement on Netscape 4.x
The Leyden-Gath converse to the Goldbach conjecture: "The sum of two odd primes is an even number"
The subject says it all.
Potato (web subsection) already includes mozilla m-13.
No, I'd much rather it came from the hands of Bill Gauyetes.
Internet Explorer has been proven to be far more standards compliant than any of the so-called browsers that run on Linux.
Of course it's easy to make a "standards-compliant" browser when you can make your own standards and then force everyone to accept it.
Ever heard the joke? How many microsoft programmers does it take to change a lightbulb? None, they declare darkness to be a new standard.
Tomorrow will be cancelled due to lack of interest
Although M14 crashed just as often as Netscape did for me, last night's nightly build has been rock-solid for me so far. My question is, do I need to have M14 to get the PSM? If so, I'd rather just stick with my stable Mozilla and no crypto.
Mike Roberto
- roberto@apk.net
-- AOL IM: MicroBerto
Berto
Mostaphalles dun said:
Well, I don't remember the article in question, but I can note on some stuff (mostly from having been on the net that long)...
As far as I know, only one nation has ever had the death penalty for using the net, and that is Taliban-controlled areas of Afghanistan. (The Taliban-controlled areas have severe restrictions and/or outright bans on very nearly all media, including most print media, TV, movies, and even music--they outright make the Bad Old Days of sharia law in Iran look downright liberal in comparison.)
Some countries in central Africa may well have had severe restrictions (including imprisonment, though I doubt the death penalty) for unapproved connections, and most of the Islamic countries have always had severe restrictions on Internet connections (usually requiring proxies, etc.)... don't remember seeing anything on death penalties, though.
Myanmar may have had such a restriction; reportedly, modems are illegal unless specifically licensed by the government there, and an unlicensed modem can land one in prison for a good long time.
Notably--most of these countries that would have problems with it don't make the net illegal as much as they'd make all "unauthorised" or "unlicensed" publishers illegal--it's far more likely they'd get you for "publishing subversive publications" or the like.
I can state with some certainty that Singapore wasn't one of the places that had the death penalty for using the net, though (I remember *.sg addys from 1992-1993), and the government finally started restrictions around 1996 or so (basically national firewall).
As an aside: Most countries that are going to be so repressive as to literally mandate the death penalty for unlicensed connections to the net have very poor or no Internet connectability whatsoever. Many countries in central Africa pretty much only have UUCP connections to the rest of the world (mostly through stuff like Doctors Without Borders, and occasionally university connections), and an increasing number of those are actually getting full Internet at least for universities. Iran (Yes, Iran) even has full Internet, and even one or two ISPs operating there...
About the only countries I know of with no Internet connections are Iraq, Libya, North Korea, and Afghanistan... Iraq is basically being shunned by the rest of the world and had most of its infrastructure bombed back into the stone age, and most of the folks there have more serious worries (like food and meds and shelter); Libya was likewise shunned due to UN sanctions (its domain is being operated as a vanity domain out of the UK) but this may change now that most UN sanctions are being dropped; North Korea both is shunned and pretty much has walled itself off from the rest of the world (about the only country MORE isolated is Afghanistan), its people have more important things to worry about (like food) and the leaders are xenophobic enough to pretty much avoid anything like the net like the black plague; Afghanistan, well, it has the Taliban (fun with psychofundy Sunni Moslems that make the hardline mullahs in Iran seem downright grandfatherly) and I mentioned some of the fun stuff they ban earlier... as for the rest of Afghanistan, just about everything above a molehill was blown to smithereens long ago, they have more important stuff to worry about (like food, shelter, not having the entire country taken over by the Taliban, etc.). Short of a miracle, none of these folks are going to be getting Internet access anytime soon. :P
-Windigo The Feral (NYAR!)
Wells Fargo won't even let me in with Netscape 4.72 for Windows. Last week they told me March 9th for the testing to be complete, but I'm still being redirected to the "denied" page. They're saying 1700 pst (-0800), now.
At least in the case of Wells Fargo, they seem to actually do some testing of browsers. I can see that a browser could have secure crypto and defeat the crypto entirely by doing something else stupid. So for banking, useragent checking is appropriate. Imagine the liability if they approve a browser that leaves passwords in its cache...
First off, performance and real usability issues should always take priority over eye candy. I don't have resources to waste on pretty bs.
Why does mozilla break all the user interface rules (like middle button scrolling)? This pisses me off because they must have spent a bundle of time reimplementing the entire keyboard/mouse logic (incorrectly). Don't fix [break] it if it isn't broken.
For an OS that started on text terminals, Linux sure jacked up its keyboard handling. Back in my Windows days I didn't use the mouse (ever, 'cept browsing). With Linux I have to use it all the time. I suppose it's really the window manager / X server / apps' fault but it makes the whole system suck.
If you disagree you can post your reasons. If you have no reasons, moderate me down instead.
Ryan
However, since it just recently got updated (I think today or yesterday) to M14, it will likely be a short while before they have the crypto version.
:)
Posted using M14 on Debian
WMBC freeform/independent online radio.
Um, actually, I think Mozilla does allow you to lock its saved password database using a password. It may seem silly, but locking up fifty passwords using just one is kind of convenient.
www.timcoleman.com is a total waste of your time. Never go there.
Whenever I use netscape, I have the buttons not shown. Why? Because they're way too large! Even at 1024x768, they take up what I consider to be an unacceptable amount of my viewing area. IMO, Mozilla definitely did the right thing by making smaller buttons, and putting them on the same plane as the URL.
As for the interface in general, I also like that better than Netscape (I'll not mention IE, which is truly hideous).
WMBC freeform/independent online radio.
1. The top one has got to be that I can't do standard *NIX middle-button-paste with Mozilla. I actually have to highlight text, then select "Copy", and then I can middle-button-paste. This is quite annoying...I don't want to use "Copy", that's one of the reasons I don't like Windows or MacOS.
2. Almost as annoying is the fact that the middle button is no longer set to "Open link in new window". Again, that's one of the things I like about Netscape under Linux.
3. I want to be able to define my own shortcut keys, because I will almost certainly never agree with the ones anyone else chooses.
WMBC freeform/independent online radio.
- Save the passwords? Oh how convenient...
I refuse to call something intended for broad public use secure, until it's secure by default.
What's the use in having a burglar alarm if you don't tell anyone how to turn it on?
Also, it still has to be reversibly encrypted, since the passwords have to be sent plaintext. All someone really has to do is to get someone's password file, and run it through a password cracker with a huge list of words, and he'll break it if the user isn't extremely security-minded.
Tomorrow will be cancelled due to lack of interest
IIRC, RSADSI owned a stake in PKP while it was in operation.
The bank's security responsibility for my browser ends at the transport encryption. They have done two things that really irritate me: the webpage says that browsers 4.something and later are acceptable, and also specifically says that Netscape 4.72 is allowed, when it isn't yet. I think they should allow any browser that can negotiate an SSL connection. If you're worried about what my browser does with its cache as a liability issue, why aren't you worried about the liability of someone looking over my shoulder while I browse? For that matter, why doesn't anybody see the (10**4) PIN for the ATM as the weak point of banking security?
-fb Everything not expressly forbidden is now mandatory.
Here's my DeCSS mirror. Where's yours?
Here's my DeCSS mirror, where's yours?
I downloaded a milestone for freebsd, ran it. According to top it ate up 60 seconds of cpu time before even displaying anything. Then I clicked on the left sidebar thing and it core dumped.
Sweet piece of k0d3.
Considering I posted this from a potato box running M14 it's not that frozen :>
I think you mean released distro instead.
"Think of it as evolution in action."
--
Care about electronic freedom? Consider donating to the EFF!
If it uses RSA, inside the US, it doesn't matter where it was developed, the user needs a license from RSA (or to use RSAREF, see below).
If it doesn't use RSA, it doesn't matter where it was developed, the user doesn't need a license from RSA.
The whole 'outside the US' thing was the traditional response to export controls, not to the use of RSA. US-residing RSA users legally need to use either a licensed version of the RSA algorithm, or use the old RSAREF library that was released to the public (and is horribly slow and buggy).
--
What am I missing? Every time I get suckered by these announcements... someone always says 'Mozilla has made *so* much progress, it's looking really great!' and I dutifully go and download it... I use Linux at home, but Win32 at work, so I download the Windows version and install, and am presented with the buggiest, shittiest pile of dog-turd I've ever seen... are people blind? The thing crashes every other minute, the widget set is atrocious and there are soooo many bugs you would probably finish quicker if you started again.
What am I missing? Is Mozilla really the 'killer app' everyone's been waiting for, or is everyone just so hopeful that they are blind to the fact that it's a steaming pile on the carpet???
Simon
The real linux_penguin has Slashdot ID 101961. Anyone else is an impostor. Including Bruce Perens.
On a somewhat unrelated note, does anyone else think the Mozilla logo reminds them of the russian hammer & sickle logo?
Okay, let's stop with the assumptions. As someone has reiterated... IE is NOT fully standards compliant. With the exception of Mozilla, IE is the most standards compliant browser available. And yes, Mozilla is still buggy as hell... but that's because it's ALPHA software. IE is release. I use Windows fairly often - and I'm even considering an MCSE and such... but I don't back either browser totally. I like Linux better than Windows - whether some of that is subjective or not, it's irrelevant - I like it better - so I'll use the best browser I can for it. Right now, that's NS4.x, soon it'll be Mozilla. It'll probably never be IE. On Windows, I'll probably use IE over Mozilla because I won't have to download it. (There goes that monopoly thing again.) Also, if you want to have your opinion respected a bit more, you should really post as something other than an Anonymous Coward... then we know who we're responding to.
I can't wait until Mozilla makes a non-alpha or beta release! BTW, why does the logo look like China's flag?
rbf aka pulsar
I'm actually the person who's implementing the back-end component to handle the drop-down URL bar. Wanna help?
I feel the parent story Re:Internet=Death? should be a comment for the Ask Slashdot story about social factors and the Internet, but I am reading it from "Mozilla whit crypto code released".
Human error or mangled database?
--
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
Diffie-Hellman is extremely simple and was discovered a good deal earlier than RSA. El Gamal is a totally obvious extension of Diffie-Hellman, in which the Diffie-Hellman key exchange protocol is made into a public key cryptosystem in the simplest way possible: replace the predetermined secret exponent with an on-demand random one!
The only reason it took seven years to develop El Gamal's algorithm is that the scientific culture at the time was predominantly convinced that algorithms (even cryptographic ones) had to be deterministic. If you had tipped off any researcher in the field about run-time randomization of Diffie-Hellman, they could have produced El Gamal's 1984 paper off the top of their head. RSA is deterministic, requiring no random numbers at run time. Ironically, nowadays all RSA implementations introduce randomization in some form because it is obvious that a purely deterministic algorithm is not secure: Would you trust an encryption algorithm where the messages "Yes" and "No" always encrypt to the same two output messages?
As for your implication that RSA is more trustworthy than El Gamal, you might want to read Question 2.14 of the PGP DH vs. RSA FAQ, where various well-known experts assert that (as far as we know) all known ideas for solving the discrete log problem have direct applicability to factoring, whereas the reverse is not true. We know that factoring does not allow you to take discrete logs, whereas on the flip side there is strong evidence that if you can take discrete logs you can factor. All this and more is explained in the FAQ; the upshot is that most mathematicians, if forced to pick one of the two, would say that the factorization problem is likely to succumb before the discrete log problem succumbs. Of course the underlying hard problem is not the whole story, since neither RSA nor El-Gamal have been proven equivalent to the underlying hard problems, but it's the best we can do so far considering that no one has demonstrated any way to break the algorithms except through the underlying hard problems.
Finally, the very simplicity of using the same key for both encryption and signing is also a liability, in that if both keys are the same then anyone who is able to get one key (for example by a court order) is then able to forge the other operation as well. In the current political climate, I'd certainly like my signature key to remain valid even if the government seizes my encryption key.
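The three points the post above makes, worked through in code as an added example that is not part of the thread: ElGamal is Diffie-Hellman run with a fresh random exponent per message, textbook RSA without run-time randomization encrypts "Yes" to the same ciphertext every time, and RSA decryption and signing are literally the same private-key operation. All parameters are constructed for illustration: the prime 2**127 - 1, the generator 3 and the two RSA primes are toy values, far too small for real use, and the optional `k` argument exists only so the effect of fixing the ephemeral exponent can be shown.

```python
import secrets

# Toy group parameters, constructed for this example only. 2**127 - 1 is prime
# (a Mersenne prime) but far too small for real use; generator 3 is an assumption.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Diffie-Hellman: private exponent x, public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(my_priv, their_pub):
    """Both sides compute the same g^(ab) mod p."""
    return pow(their_pub, my_priv, P)


def elgamal_encrypt(m, y, k=None):
    """ElGamal is DH run one-sided: a fresh ephemeral exponent k per message
    replaces the sender's long-term exponent, and the DH secret y^k masks m.
    k is a parameter only so that fixing it can be shown to restore determinism."""
    if k is None:
        k = secrets.randbelow(P - 2) + 1
    c1 = pow(G, k, P)          # ephemeral DH public value g^k
    mask = dh_shared(k, y)     # g^(kx): the DH secret the recipient can also derive
    return c1, (m * mask) % P


def elgamal_decrypt(c, x):
    """Recover m by recomputing the DH secret from c1 and the long-term key x."""
    c1, c2 = c
    mask = dh_shared(x, c1)    # g^(kx) from the recipient's side
    return (c2 * pow(mask, -1, P)) % P


# Toy textbook RSA, constructed here from two known primes, with no padding:
# the deterministic form the post describes, where equal messages give equal ciphertexts.
RSA_P, RSA_Q = 2**127 - 1, 2**61 - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def rsa_encrypt(m):
    return pow(m, RSA_E, RSA_N)


def rsa_decrypt(c):
    return pow(c, RSA_D, RSA_N)


def rsa_sign(m):
    # Identical to rsa_decrypt: one private exponent serves both roles, which is
    # the liability the last paragraph of the post describes.
    return pow(m, RSA_D, RSA_N)


def rsa_verify(m, sig):
    return pow(sig, RSA_E, RSA_N) == m


def encode(text):
    """Map a short ASCII message to an integer smaller than both moduli."""
    return int.from_bytes(text.encode(), "big")


def compare_determinism(text="Yes"):
    """Encrypt the same message twice under each scheme and report whether
    the two ciphertexts came out equal."""
    m = encode(text)
    x, y = dh_keypair()
    return {
        "rsa_equal": rsa_encrypt(m) == rsa_encrypt(m),
        "elgamal_equal": elgamal_encrypt(m, y) == elgamal_encrypt(m, y),
    }


if __name__ == "__main__":
    print(compare_determinism())   # {'rsa_equal': True, 'elgamal_equal': False}
```

The second element of an ElGamal ciphertext is exactly `m` times the Diffie-Hellman secret between the ephemeral `k` and the recipient's long-term `x`, which is the "on-demand random exponent" reading of ElGamal given above; passing the same `k` twice makes ElGamal as deterministic as textbook RSA.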