Open Source Mozilla Crypto Released
lunatik17 writes "NSS 3.1 Beta 1 has been released, including a new implementation of the RSA algorithm. This release provides, for the first time, a complete open-source implementation of the Netscape crypto libraries, and will be used in a future version of Personal Security Manager for Mozilla." This is the only significant feature I've found lacking in Mozilla.
I'm surprised no one's mentioned that you already can read SSL pages in Mozilla, by installing the Personal Security Manager. It's an XP thingy, so you just need to start Mozilla with write privileges, then visit the website:
http://docs.iplanet.com/docs/manuals/psm/psm-mo
and click on the Install Personal Security Manager. Then you can do all your on-line banking and shopping and stuff. I've tried it on the latest nightly build and it works a charm.
Er, you do know that they released their claim on RSA about two weeks before their patent was going to expire anyway?
The theory that they did it for PR reasons makes a lot more sense than your conspiracy theory.
/. If the government wants us to respect the law, it should set a better example.
The fact that RSA released the RSA algorithm into the public domain two weeks before it would have become public domain anyway says very little about the security of RSA. In fact, RSA keys of 4096 bits are still very hard to crack, AFAIK.
And there are other encryption algorithms in use in open source software already, like Diffie-Hellman, another public key algorithm which is supported by NSS 3.1.
The RSA algorithm has been public knowledge since it was developed. Its release (a few weeks in advance of the patent expiration) simply means people can use it without a license from RSA.
RSA has not been cracked. Some specific RSA keys of particular lengths (e.g., 512 bits) have been discovered. That's no big deal, since we already know roughly how much computational power it should take to crack a given key. And some weaknesses in particular implementations of RSA have been noted. But it's reasonably well understood how much (implementation-independent) security is provided by a given key length, and notwithstanding advances in factoring, that has stood up pretty well.
RSA may or may not have something better but top secret up their sleeves, but if so it hasn't been exposed to the scrutiny of the RSA algorithm. And the most likely areas for improvement are in computational efficiency and things like that, not in security per se.
As important a project as the Mozilla Project is, I honestly don't think that the press it's been getting in recent months has been helping the cause that much. Even though I know that it's a solid design and that when it does eventually come out, it'll be damn powerful, it's looking more and more like it's starting to catch the Daikatana Syndrome.
Remember way, way back when you first heard of Daikatana? Romero (and the community) was pimping that game well ahead of its ready date. At first, there was general excitement; I even remember a friend telling me that "It'll demolish Quake 2!" (To Romero's credit, Daikatana does indeed put Quake 2 to shame.) Of course, after the initial wave of interest, people quickly began to see that Daikatana was not only a ways from going gold, it had pretty substantial work left to be done. When the game finally did come out, it was already the big in-joke; the fact that there were still some nasty bugs and that the gameplay was only average only served to heighten the humiliation. Romero's "Quake 2 killer" had the distinct dishonor of poking an already pulverized corpse with a pointy stick.
Now, I know that Mozilla isn't on a corporate schedule, and I know that getting it done right is more important than getting it out the door fast. But honestly, how will it reflect on the Open Source Movement as a whole if, by the time the first full version of Mozilla is released, it ends up being the version 4 browser killer in a world of version 7 browsers? What happens if, heaven forfend, Mozilla turns out to be inferior to the commercially available browsers of the day?
On that note, I think that a little less front-page coverage would be a good thing for Mozilla, even here on Slashdot. Expectations are running perhaps a bit too high for a product that still has a fair way to go before release; even some of us geeks are starting to feel the least bit worried that the trumpets have been blaring a bit too loudly for a bit too long now...
Obliteracy: Words with explosions
I'm sorry, but this is completely clueless.
The reason RSA released their algorithm into the public domain (where it belonged from the very beginning) was that the patent would have expired a week later anyway. Once it expired, RSA would have been forced to release the algorithm into the public domain; this is the way all patents work (you're granted a legal monopoly on whatever is patented for a limited amount of time, up to seventeen years if you keep renewing the patent. In exchange for that monopoly, you must release the item being patented into the public domain once the patent expires).
Also, just because an algorithm is public doesn't mean it is not secure. In fact, all known and trusted algorithms are publicly well-known (many are also patented, so they can't actually be used without a license). This is done for precisely the same reason software is Open-Sourced: peer review. You want people to try and crack the algorithm, because only if people try their hardest and still can't break it is your algorithm really secure.
Also, as for RSA being cracked, while you are technically correct, there's the fact that the crack only works on keys up to a certain, relatively small, length. Make your keys nice and long (1024 bits or more, if I remember right; keep in mind that's not even 0.2K) and the crack is useless.
So no, RSA's releasing of the algorithm is no indication whatsoever that it's not secure enough.
----------
Finally, a Mozilla discussion so I can gripe about memory usage. For the record, I've never had a single complaint about Mozilla, etc. Here is my first.
Running gtop reports a memory footprint of Mozilla (build 2000080712) of 169708k. I'm assuming this is counting resident, shared, and virtual. However, I can run VMware running Win98 running IE5.5 and use only 120768k. What's up with that?
What is Mozilla doing that it needs more memory than an OS, an OS virtualizer, and a browser?
-tim
It's great to see that the open source browsers can finally be used for "secure" use over the internet, but at the same time I'm wondering why they're using the now-public RSA encryption algorithm.
I'm not an encryption expert, but surely it seems to me that any algorithm that has been released by a company into the public domain cannot be particularly secure, and indeed the RSA has been cracked already. RSA have obviously got something better up their sleeves, and why should open source products always lag behind their closed source counterparts when it comes to innovation?
What we really need is to develop new encryption algorithms for our products rather than relying on the left-overs from commercial products.