Open Source Mozilla Crypto Released
lunatik17 writes "NSS 3.1 Beta 1 has been released, including a new implementation of the RSA algorithm. This release provides, for the first time, a complete open-source implementation of the Netscape crypto libraries, and will be used in a future version of Personal Security Manager for Mozilla." This is the only significant feature I've found lacking in Mozilla.
Yeees, the FAQ was last updated on the 10th of this month - after the RSA early release. However, they're not very forthcoming about the legality of it all. They say:
"Now that the RSA patent is in the public domain, Mozilla crypto development can proceed with minimal restrictions"
Now, just what does "minimal" mean, coz they're a bit short on detail? What's the legal standing for us EU folks? You said:
"Is it just me or has the number of people posting to stories who have not looked at the content been increasing to a critical S/N ratio?"
Don't worry - it's just you!!
Slán,
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
RSA released the patent to public domain 2 weeks ago.
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
Not necessarily "better encryption". It has just been around and under scrutiny for a longer time, so people have more faith that there really are no holes in it than in some newly developed algorithm.
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
Yep! This is my concern & the reason for my question. I'm a developer based in Ireland. So I download the NSS code & hack it into some other application. I then release the lot under the GPL, as required, and the app and source somehow ends up in a country that the US doesn't like. Am I liable?
(My guess is that I'm not. However, since DeCSS I'm not so sure anymore....)
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
My apologies for not expanding on what "minimal" means. I'll update the FAQ to clarify this. Basically the remaining restrictions have to do with people in the U.S. not being able to "knowingly" export crypto code to a few countries (Iran, Iraq, etc.), together with requirements for mozilla.org to notify the US Bureau of Export Administration and NSA when new crypto code gets posted to the mozilla.org site.
Again, I'll update the FAQ to include a more complete explanation.
I'm surprised no one's mentioned that you already can read SSL pages in Mozilla, by installing the Personal Security Manager. It's an XP thingy, so you just need to start Mozilla with write privileges, then visit the website:
http://docs.iplanet.com/docs/manuals/psm/psm-mo
and click on the Install Personal Security Manager. Then you can do all your on-line banking and shopping and stuff. I've tried it on the latest nightly build and it works a charm.
This is the only significant feature I've found lacking in Mozilla. How about having a session of pages rendered correctly without crashing? :)
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Mozilla doesn't support java, nor does it support the Java 1.3 plugin.
I'm amazed how many people spout this sort of statement without testing their assertions. Just installed the Java 1.3 beta plugin on Mozilla build 2000091908 on my NT 4.0 SP6a workstation. No problems - works like a charm.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Actually, GPG/PGP support would be one of the worst things that could happen to Mozilla and the Net at large.
The reason: we already have a real, actual Internet standard for secure e-mail: S/MIME
Internet standards matter, folks! If you don't believe it, just ask Microsoft - they had to learn the lesson the hard way a few years ago, and barely moved fast enough to avoid oblivion. The Mozilla team show no such agility, sadly.
It was this about-face even more than their abuse of power that established them as the standard Internet platform in so much of the corporate world. Like it or not, Microsoft currently sticks to the important Internet standards better than the Netscape folks.
"The future's good and the present is nothing to sneeze at." - Roblimo's last
if you throw a quantum computer at any sort of modern encryption it will be cracked in an instant
Completely untrue and uninformed. If Quantum computers are one day able to make 1024 bit RSA keys "insecure", moving to 2048 or 4096 bit keys will almost surely still be secure. Quantum computers may possibly make things more inconvenient, but technology will also favor the users of cryptography, and allow them to use more powerful encryption. As qubits grow, so will key lengths.
"It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
There seems to be one slight point you are missing....every "secure" site out there (AFAIK) uses RSA encryption. We want apache and mozilla to be able to play with everyone else AS WELL as offering technically superior solutions.
Also while RSA has been cracked, the costs of cracking are still appreciable for correct strength encryption (i.e. not that 40 or 56 bit stuff the US government wanted to make all the terrorists use so they could read their communications). AFAIK if you use 1024 bit RSA encryption it is going to take millions of dollars years to break it and that is good enough for my email, even 128 bit encryption is going to take $100,000 a week or two to open. If you are sending data that could have someone willing to spend a fortune to gain access, the best thing to do is to invest a bit of time yourself into verifying the best route for transferring the data taking into account the entire process (key-exchange, route of couriers for possible ambush if any physical acts, tapped lines etc. etc.).
What this NSS is about is how to stop Joe Public's purchase of their T-shirt online from giving their credit card details to anyone who can packet sniff the route.
Never underestimate the dark side of the Source
I find it exceptionally fast, except when it forces my machine to swap, which it does too often for my liking. Speed doesn't seem to be the problem, memory usage is. The only other major quibble I have is with the ftp client. It's pretty poor compared to even the 4.x version. I only use 4.x for checking my bank details and other security related sites. Other than that I'm using Mozilla all day every day.
Er, you do know that they released their claim on RSA about two weeks before their patent was going to expire anyway?
The theory that they did it for PR reasons makes a lot more sense than your conspiracy theory.
/. If the government wants us to respect the law, it should set a better example.
The fact that RSA released the RSA algorithm into the public domain two weeks before it would have become public domain anyway says very little about the security of RSA. In fact, RSA keys of 4096 bits are still very hard to crack, AFAIK.
And there are other encryption algorithms in use in open source software already, like Diffie-Hellman, another public key algorithm which is supported by NSS 3.1.
[...]I'm not an encryption expert,[...]
Obviously.
--K
Yeah, I know, IHBT.
---
No, NSS is based on the original SSL library that Netscape developed for Netscape Navigator 1.0 and subsequently enhanced through the years. NSS is independent of OpenSSL/SSLeay and (to my knowledge) doesn't have any code in common with it.
NSS is going to be included with Netscape 6 (as it was with Netscape Communicator 4.x), and Netscape (actually, iPlanet, the Sun/Netscape Alliance) donated the code for use with Mozilla as well; the iPlanet developers also created new code for the RSA algorithm and other crypto algorithms, to replace the code originally used, which was from the proprietary BSAFE crypto library created by RSA Security.
There's no reason in theory why OpenSSL couldn't be used with Mozilla as well, either as an alternative SSL implementation to NSS or just as a crypto library called by NSS; however no one has yet developed and released all the code necessary to make OpenSSL work with Mozilla. You should contact the OpenSSL developers for more information, as I don't have any special knowledge of what their plans are relating to Mozilla.
Another half feature that'll cause my browser to randomly crash at the worst time possible.
In theory you can use any JVM with Mozilla. I haven't tried it myself, and don't know if the full support is there yet, but when it is, it'll be far more powerful than Netscape 4.x in this respect. The flash plugin works right now, in fact I was using it yesterday. Just download it and bung it in the plugins directory. Done job.
The web configurator you describe is already present in a simpler way with the installer program. You can choose which components you wish to install and it will download those only. It doesn't deal with plugins, but I see no reason why it shouldn't in the future.
If you check the link you will see:
and it offers the Mozilla Crypto FAQ as a link to discuss the implications of the expiration of the RSA patents. Is it just me or has the number of people posting to stories who have not looked at the content been increasing to a critical S/N ratio?
Never underestimate the dark side of the Source
Except they released it a little while ago.
As previously seen on slashdot.
Just the words send shivers of delight down my spine... "open source crypto".
But really, it's great to have Mozilla developments like this. Go Netscape!
More importantly, because of the patent, it was released years ago. Remember, the tradeoff in filing a patent is that the government publishes it when you file. So, everyone and their sister has had access to RSA - it's in just about every encryption textbook, and has been widely discussed and tested (which is why the other poster can confidently discuss how long it takes to brute force it.) The original poster just doesn't have a clue, that's all.
~luge
IAAL,BIANLY
Can you imagine how useless Netscape 1.0 would be on today's web? No JS, no https, no HTML 4.0, no CSS, etc. Mozilla is huge because it attempts to follow all the standards and implement all the technologies, which have grown exponentially since the time of 1.0. If 1.0 had had to do all of that, it wouldn't have run at all.
Point being- don't get nostalgic. In this case, at least, it reeks of not knowing what is going on.
~luge
IAAL,BIANLY
The RSA algorithm has been public knowledge since it was developed. Its release (a few weeks in advance of the patent expiration) simply means people can use it without a license from RSA.
RSA has not been cracked. Some specific RSA keys of particular lengths (e.g., 512 bits) have been discovered. That's no big deal, since we already know roughly how much computational power it should take to crack a given key. And some weaknesses in particular implementations of RSA have been noted. But it's reasonably well understood how much (implementation-independent) security is provided by a given key length, and notwithstanding advances in factoring, that has stood up pretty well.
RSA may or may not have something better but top secret up their sleeves, but if so it hasn't been exposed to the scrutiny of the RSA algorithm. And the most likely areas for improvement are in computational efficiency and things like that, not in security per se.
As important a project as the Mozilla Project is, I honestly don't think that the press it's been getting in recent months has been helping the cause that much. Even though I know that it's a solid design and that when it does eventually come out, it'll be damn powerful, it's looking more and more like it's starting to catch the Daikatana Syndrome.
Remember way, way back when you first heard of Daikatana? Romero (and the community) was pimping that game well ahead of its ready date. At first, there was general excitement; I even remember a friend telling me that "It'll demolish Quake 2!" (To Romero's credit, Daikatana does indeed put Quake 2 to shame.) Of course, after the initial wave of interest, people quickly began to see that Daikatana was not only a ways from going gold, it had pretty substantial work left to be done. When the game finally did come out, it was already the big in-joke; the fact that there were still some nasty bugs and that the gameplay was only average only served to heighten the humiliation. Romero's "Quake 2 killer" had the distinct dishonor of poking an already pulverized corpse with a pointy stick.
Now, I know that Mozilla isn't on a corporate schedule, and I know that getting it done right is more important than getting it out the door fast. But honestly, how will it reflect on the Open Source Movement as a whole if, by the time the first full version of Mozilla is released, it ends up being the version 4 browser killer in a world of version 7 browsers? What happens if, heaven forfend, Mozilla turns out to be inferior to the commercially available browsers of the day?
On that note, I think that a little less front-page coverage would be a good thing for Mozilla, even here on Slashdot. Expectations are running perhaps a bit too high for a product that still has a fair way to go before release; even some of us geeks are starting to feel the least bit worried that the trumpets have been blaring a bit too loudly for a bit too long now...
Obliteracy: Words with explosions
Mozilla doesn't support java, nor does it support the Java 1.3 plugin. I find this considerably lacking.
Mozilla does support Java on Win32 (yuk!) - the implementation is not there yet on Linux. Mozilla doesn't wrap it up internally as Netscape 4.x did. Check out Project Blackwood for details on the implementation.
Mozilla should eventually come with a web configurator of sorts that would allow people to configure the browser before they download it.
That sounds vaguely possible, but it strikes me that it's easier to have that as something launched by the browser once you have downloaded it rather than by some packaging agent at the server.
As in, I want flash, java, and shockwave. I check them, and I download the browser with these things installed (be they plug-ins or otherwise).
I have no trouble running Flash in Mozilla. I haven't tried the latest Shockwave plugin. Mozilla has plugin compatibility with Netscape plugins, so just set them up for Netscape and they work in Mozilla.
I doubt the plugin manufacturers would have much problem with this (unless they were Microsoft), and it could usher in a new wave of recent-java browsers.
There may be licensing problems with having all the plugins on one server - from what I see, most plugins are distributed from the creator's websites and not from, say, the Netscape plugin collection.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
I'm sorry, but this is completely clueless.
The reason RSA released their algorithm into the public domain (where it belonged from the very beginning) was that the patent would have expired a week later anyway. Once it expired, RSA would have been forced to release the algorithm into the public domain; this is the way all patents work (you're granted a legal monopoly on whatever is patented for a limited amount of time, up to seventeen years if you keep renewing the patent. In exchange for that monopoly, you must release the item being patented into the public domain once the patent expires).
Also, just because an algorithm is public doesn't mean it is not secure. In fact, all known and trusted algorithms are publicly well-known (many are also patented, so they can't actually be used without a license). This is done for precisely the same reason software is Open-Sourced: peer review. You want people to try and crack the algorithm, because only if people try their hardest and still can't break it is your algorithm really secure.
Also, as for RSA being cracked, while you are technically correct there's the fact that the crack only works on keys up to a certain, relatively small, length. Make your keys nice and long (1024 bits or more, if I remember right; keep in mind that's not even 0.2K) and the crack is useless.
So no, RSA's releasing of the algorithm is no indication whatsoever that it's not secure enough.
----------
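As an added illustration of the two points made above (a public algorithm is not thereby weak, and what a key length buys you is factoring effort), here is textbook RSA in Python on a deliberately tiny, constructed 32-bit modulus; this is example code, not NSS code. The trial-division routine that recovers the toy private key from the public key in milliseconds is exactly the approach that becomes hopeless at 1024 bits.

```python
# Added example (not from the thread or from NSS): textbook RSA on a toy
# modulus. Every step of the algorithm is public; the only secret is the
# factorisation of n, so security is a function of the size of n.
from math import gcd, isqrt


def modinv(a, m):
    # Extended Euclid: returns a^-1 mod m, raises if it does not exist.
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("not invertible")
    return t0 % m


def keygen(p, q, e=65537):
    # Public key (n, e), private key (n, d) with d = e^-1 mod phi(n).
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, modinv(e, phi))


def encrypt(pub, m):
    # Unpadded "textbook" RSA; real systems (e.g. SSL) add PKCS#1 padding.
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def factor_trial(n):
    # Trial division: instant for a 32-bit n, infeasible for a 1024-bit n.
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    return None


def recover_private_key(pub):
    # What an attacker must do: factor n, then compute d from phi(n).
    n, e = pub
    factors = factor_trial(n)
    if factors is None:
        raise ValueError("n is prime or could not be factored")
    p, q = factors
    return (n, modinv(e, (p - 1) * (q - 1)))


def demo():
    # Constructed toy primes: 65521 (largest prime below 2^16) and 65537.
    pub, priv = keygen(65521, 65537, e=17)
    m = 123456789
    c = encrypt(pub, m)
    assert decrypt(priv, c) == m
    # Factoring the toy modulus recovers the private key outright.
    return decrypt(recover_private_key(pub), c) == m
```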
If security is the only thing you've been missing from Mozilla, I'm glad for you. Java is STILL missing from it, though it's being worked on. For folks like me who use java applets all over the place, this is a show stopper. I've used PSM, and it's been fine where it's accepted. I'd be more interested if there was a declaration that the mail client would get gpg - then it would come close to matching an ie/outlook combo. Till then.... (sigh).
Finally, a Mozilla discussion so I can gripe about memory usage. For the record, I've never had a single complaint about Mozilla, etc. Here is my first.
Running gtop reports a memory footprint of Mozilla (build 2000080712) of 169708k. I'm assuming this is counting resident, shared, and virtual. However, I can run VMWare running Win98 running IE5.5 and use only 120768k. What's up with that?
What is Mozilla doing that it needs more memory than an OS, an OS virtualizer, and a browser?
-tim
It's great to see that the open source browsers can finally be used for "secure" use over the internet, but at the same time I'm wondering why they're using the now-public RSA encryption algorithm.
I'm not an encryption expert, but surely it seems to me that any algorithm that has been released by a company into the public domain cannot be particularly secure, and indeed the RSA has been cracked already. RSA have obviously got something better up their sleeves, and why should open source products always lag behind their closed source counterparts when it comes to innovation?
What we really need is to develop new encryption algorithms for our products rather than relying on the left-overs from commercial products.
Nope, you're wrong. OpenSSH and GnuPG are open source and no one has managed to crack them. The reason is not that it isn't possible, but because both algorithms use keys large enough that it would take a fleet of machines years of churning to break the encryption.
If you have the time, try cracking an encryption book, it's pretty cool stuff.
I'm not trying to be snide or anything but I think that is a problem particular to your machine. I've been running the nightly builds as well as the "stable" releases for several months now. Debugging code or not, Mozilla is as fast on my machine (PII 366 MHz Thinkpad 770Z) as any other similarly capable browser I've tried, including IE 5 and Netscape 4.7, and generally pretty stable. While I don't doubt it may be running slow on your machine, don't be so sure it is the debugging code.
Personally the only real problems I have (besides some already documented bugs) are that it doesn't work with Acrobat reader properly and that sites that do secure banking refuse the connection. (and yes I have the SSL stuff installed) Other than that I use it for 90% of the web browsing I do and it generally works pretty well and is really quite fast. My experiences with it lead me to believe that people complaining about the slowness of it either have some compatibility issues unresolved or are using a very old build. (it was slow for me too at first) While it certainly isn't production code yet, it's getting close and getting there pretty quickly.
.. you just haven't been able to use it without royalties because of a patent.
That patent is now expiring, without the possibility of a renewal, so RSA released the patent 2 weeks before the expiry. They wouldn't have made much money from it in such a short time, and so it was a PR stunt.
They have kept it for 20 years(?) or so, and it is one of the most widely used algorithms for public key encryption.
It is still quite good, and an algorithm being old does not necessarily equal bad quality. Some of the most regularly used algorithms were developed in the 60s and 70s.
The RSA patent also has nothing to do with open source.
2^63, I think -- you've got an off-by-one error.
-- the most controversial site on the Web
Mozilla doesn't support java, nor does it support the Java 1.3 plugin. I find this considerably lacking. Mozilla should eventually come with a web configurator of sorts that would allow people to configure the browser before they download it. As in, I want flash, java, and shockwave. I check them, and I download the browser with these things installed (be they plug-ins or otherwise). I doubt the plugin manufacturers would have much problem with this (unless they were Microsoft), and it could usher in a new wave of recent-java browsers.
I've been using CSS2 constructs on my pages for ages now, and testing them in Mozilla. Granted, there are some things I can't do thanks to IE's broken (and much more incomplete) CSS2 support, but in particular I've found :before and :after to be quite safe.
DNA just wants to be free...
I still can't stand how slow Mozilla runs on my dual-500!
Think it's about time they released a version with all that debugging code ripped out. The slow UI is a big turnoff.
-Pete
Soccer Goal Plans
Compare this to a few months ago (Every 5 minutes) and it is a vast improvement. I have downloaded other netscape releases less stable than this. If you can't live with restarting your web browser several times a day now though, wait a few months before trying mozilla out.
There have been some significant bug fixes recently. The find on page feature now works when the page has frames, meaning I can now use mozilla to browse the javadocs. Also textareas have gotten a lot more useable and stable recently.
Most of the bugs that I am finding in the nightly builds are now regressions that are usually fixed within a day, so if something major isn't working in the build you download, try again in a couple days.