Mozilla With Crypto Code Released
physicman writes "I just read on MozillaZine that there is finally a release containing the new crypto code. This means we will eventually get the chance to get access to secure Websites with our favorite nearly-in-beta-stage browser."
Mozilla's really been making a lot of progress recently -- and it looks great.
Run a beta version of a browser for "secure" transactions over the internet. I think that you will find some problems with that.
Slashdot social engineering at its finest
Good Morning!
While you were asleep in the past few months, the US government published new rules on cryptography. You can find more details on how this affected Mozilla on their website.
Of course this is not Netscape's or Mozilla's fault. The fault lies entirely with RSA Data Laboratories, who refuse to license their patented RSA algorithm to any open source projects. While liberalization of US export laws is very nice, I think we're going to have to wait until after the RSA patent expires on Sept. 20 before people outside of Netscape (well, US citizens anyway) can start to tinker with the cryptography software themselves.
It's fascinating how RSA Data Laboratories was able to force the whole world to use RSA as their public key cryptography standard instead of the technically superior Diffie-Hellman/El Gamal algorithm. They did this by simply refusing to license Diffie-Hellman to anybody (yes, they owned a patent on that, back before it expired in 1997). Today the Diffie-Hellman algorithm has been out of patent protection for 3 years, but almost nobody uses it, because of the need to remain compatible with the large installed base of software that was forced to use RSA.
Let's hope the current patent shenanigans that are holding back Mozilla crypto are the last adverse effects that the open source community will ever see from RSA Data Laboratories, Inc.
You won't get the theme support. The Mozilla project doesn't currently have any plans to make them work either. Check out http://www.linuxpower.org/display.php?id=168 for an explanation from Christopher Blizzard. That link was posted on Slashdot too. So, while you will have a solid browser, you won't have theme support.
This is a little misleading. The MozillaZine article tells you how you can set up Mozilla to browse secure sites right now. Today. I have done it and it appears to work fine.
Someone outside the U.S. could implement a plugin that has the same APIs as the binary iPlanet plugin using openssl library ... and then we wouldn't need to wait until the RSA patent expires...
Much as I hate to admit it, Internet Explorer is the browser to beat, largely because of M$'s [illegal?] bundling of it with the OS and OS integration, the average home user wants to be able to click on an icon that's there when they get their PC - that's IE.
Mozilla is the only option for a compliant 'next-generation' browser. The browsers of the near future are going to have to be a one-stop-shop for net usage encompassing browsing with mail, news, instant messaging, chat, streaming media etc etc. This is possible with Mozilla. In addition, they have to be SECURE. When the traditional media report on the internet, and it's one of the rare occasions when it's not about porn, it's about shopping online, banking online, share dealing online. Security is a big BIG issue here.
People who say they shouldn't be including this in beta software have clearly missed the point of beta software. If it doesn't get beta tested, how the hell is it ever going to be made ready for release to the general public?
Go, download this version, test it, try it, even buy stuff with it, be as careful when doing so as you should be with any browser, but most of all, when you break it report it or fix it.
--
Listening for the sound of the coming rain...
Although the Mozilla coders have disabled all other theme support in favour of XUL, the scrollbars on my copy use the GTKStep theme ...
Chris Wareham
From: http://www.fsf.org/fun/jokes/software.terms.html:
Alpha Test Version: Too buggy to be released to the paying public.
Beta Test Version: Still too buggy to be released.
Release Version: Alternate pronunciation of "Beta Test Version".
I understand Mozilla is soon-to-be-beta, and this might scare away people from its encryption, but could a possible crypto-related Open Source security hole be worse than a closed source 'to-be-enhanced-feature'?
And talking about 'to-be-enhanced-features', have you seen the <IMG SRC="file:///c:\CON\NUL"> bug with IE/Win98? It makes the whole machine crash and burn. You can possibly also send this in html-email to outlook-users. Apparently (you might want to confirm this information), this was posted on BugTraq a year ago, but has recently been reposted because it was never fixed.
Shit happens.
> Will this be folded into Debian Potato's US distro?
Considering that Potato is currently in a freeze, I would imagine not. Perhaps it will go into Woody...
-- Don't Tase me, bro!
I've created a template form that you can fill out and then copy the results into your e-mail client to mail off to websites that aren't allowing you to log in because it thinks you should "Upgrade your browser".
Joseph Elwell.
Have you ever heard the truism
"The simplest answer is the best"
DSA/El Gamal is much more convoluted than RSA. RSA is simplicity and elegance in an algorithm. I trust RSA more because it is better understood, and since it is simpler, there are fewer attack vectors for a cryptanalyst.
The subject says it all.
Potato (web subsection) already includes mozilla m-13.
Mostaphalles dun said:
Well, I don't remember the article in question, but I can note on some stuff (mostly from having been on the net that long)...
As far as I know, only one nation has ever had the death penalty for using the net, and that is Taliban-controlled areas of Afghanistan. (The Taliban-controlled areas have severe restrictions and/or outright bans on very nearly all media, including most print media, TV, movies, and even music--they outright make the Bad Old Days of sharia law in Iran look downright liberal in comparison.)
Some countries in central Africa may well have had severe restrictions (including imprisonment, though I doubt the death penalty) for unapproved connections, and most of the Islamic countries have always had severe restrictions on Internet connections (usually requiring proxies, etc.)... don't remember seeing anything on death penalties, though.
Myanmar may have had such a restriction; reportedly, modems are illegal unless specifically licensed by the government there, and an unlicensed modem can land one in prison for a good long time.
Notably--most of these countries that would have problems with it don't make the net illegal as much as they'd make all "unauthorised" or "unlicensed" publishers illegal--it's far more likely they'd get you for "publishing subversive publications" or the like.
I can state with some certainty that Singapore wasn't one of the places that had the death penalty for using the net, though (I remember *.sg addys from 1992-1993), and the government finally started restrictions around 1996 or so (basically national firewall).
As an aside: Most countries that are going to be so repressive as to literally mandate the death penalty for unlicensed connections to the net have very poor or no Internet connectability whatsoever. Many countries in central Africa pretty much only have UUCP connections to the rest of the world (mostly through stuff like Doctors Without Borders, and occasionally university connections), and an increasing number of those are actually getting full Internet at least for universities. Iran (Yes, Iran) even has full Internet, and even one or two ISPs operating there...
About the only countries I know of with no Internet connections are Iraq, Libya, North Korea, and Afghanistan...Iraq is basically being shunned by the rest of the world and had most of its infrastructure bombed back into the stone age, and most of the folks there have more serious worries (like food and meds and shelter); Libya was likewise shunned due to UN sanctions (its domain is being operated as a vanity domain out of the UK) but this may change now that most UN sanctions are being dropped; North Korea both is shunned and pretty much has walled itself off from the rest of the world (about the only country MORE isolated is Afghanistan), its people have more important things to worry about (like food) and the leaders are xenophobic enough to pretty much avoid anything like the net like the black plague; Afghanistan, well, it has the Taliban (fun with psychofundy Sunni Moslems that make the hardline mullahs in Iran seem downright grandfatherly) and I mentioned some of the fun stuff they ban earlier...as for the rest of Afghanistan, just about everything above a molehill was blown to smithereens long ago, they have more important stuff to worry about (like food, shelter, not having the entire country taken over by the Taliban, etc.). Short of a miracle, none of these folks are going to be getting Internet access anytime soon. :P
-Windigo The Feral (NYAR!)
First off, performance and real usability issues should always take priority over eye candy. I don't have resources to waste on pretty bs.
Why does mozilla break all the user interface rules (like middle button scrolling)? This pisses me off because they must have spent a bundle of time reimplementing the entire keyboard/mouse logic (incorrectly). Don't fix [break] it if it isn't broken.
For an OS that started on text terminals, linux sure jacked up its keyboard handling. Back in my windows days I didn't use the mouse (ever, 'cept browsing). With linux I have to use it all the time. I suppose it's really the windows manager / x server / apps fault but it makes the whole system suck.
If you disagree you can post your reasons. If you have no reasons moderate me down instead.
Ryan
Whenever I use netscape, I have the buttons not shown. Why? Because they're way too large! Even at 1024x768, they take up what I consider to be an unacceptable amount of my viewing area. IMO, Mozilla definitely did the right thing by making smaller buttons, and putting them on the same plane as the URL.
As for the interface in general, I also like that better than Netscape (I'll not mention IE, which is truly hideous).
WMBC freeform/independent online radio.
1. The top one has got to be that I can't do standard *NIX middle-button-paste with Mozilla. I actually have to highlight text, then select "Copy", and then I can middle-button-paste. This is quite annoying...I don't want to use "Copy", that's one of the reasons I don't like Windows or MacOS.
2. Almost as annoying is the fact that the middle button is no longer set to "Open link in new window". Again, that's one of the things I like about Netscape under Linux.
3. I want to be able to define my own shortcut keys, because I will almost certainly never agree with the ones anyone else chooses.
WMBC freeform/independent online radio.
The bank's security responsibility for my browser ends at the transport encryption. They have done two things that really irritate me: The webpage says that browsers 4.something and later are acceptable, and also, specifically says that 4.72 netscape is allowed, when it isn't yet. I think they should allow any browser that can negotiate an ssl connection. If you're worried about what my browser does with its cache as a liability issue, why aren't you worried about the liability of someone looking over my shoulder while I browse? For that matter, why doesn't anybody see the (10**4) pin for the atm as the weak point of banking security?
-fb Everything not expressly forbidden is now mandatory.
If it uses RSA, inside the US, it doesn't matter where it was developed, the user needs a license from RSA (or to use RSAREF, see below).
If it doesn't use RSA, it doesn't matter where it was developed, the user doesn't need a license from RSA.
The whole 'outside the US' thing was the traditional response to export controls, not to the use of RSA. US-residing RSA users legally need to use either a licensed version of the RSA algorithm, or use the old RSAREF library that was released to the public (and is horribly slow and buggy).