Netscape Receives Strong Crypto Export Permission
Greg Miller writes "According to this article, Netscape has received approval to distribute the 128-bit encryption version of Communicator outside the U.S. They've also received limited permission to distribute SuiteSpot servers with strong encryption." [Update: 12/05 03:42 by michael : Slashdot got burned, this article is bogus. See below.]
Update: We were fooled. Someone posted this on http://www.activewin.com/frames/frmhome.shtml as new news (suckered them!), which apparently misled the slashdot submitter and us. This is an old press release from 1997 talking about exporting software for certain specialized banking purposes. As far as I know, it's still illegal to generally export 128-bit crypto products.
Thanks to the alert posters in the threads below and to alecf who was bright enough to submit it in the stories inbox (which any of the assorted slashdot authors who are online might be reading) for a fast response. Sorry for the "desinformation" (is that a pun?).
Thawte actually sells a certificate for the standard $125, plus a $200 one-time enrollment, that will allow netscape 4.7, ie5.x, to "unlock" the 128bit encryption that's in the browser, but has just been disabled, during a visit to your site.
There's been a utility around for quite a while that just flips a couple bits in your exportable netscape executable, and voilà, you've got full 128bit SSL.
Let's take this step by step so you can understand it... I'll use small words (most slashdot folk need small words anyway, from what I've seen):
1. The US gov't declares encryption a munition
2. The US gov't bans export of encryption as it bans export of other munitions
3. [missing link]
4. The US gov't now says it's OK to export this or that type of encryption.
Refer back to item 3 (missing link). Think about it. I'll leave that as an exercise to the reader. May get a few more neurons firing for you.
> ...www.fortify.com...
You mean: www.fortify.net
--j
I'm a nature photographer.
I didn't read the article as I learned it was bogus, but this is relevant...
My share trading account with Barclay's Stockbrokers Ltd in the UK doesn't work with a Browser that doesn't have 128-bit encryption capabilities.
It's not the case that my IE/Netscape is the US version with 128-bit as standard, but it does have some 128-bit capability.
WHOZ MY BITCH, JOO ARE ESP IF JOO IZ A KARMA HOEBAG
"So, Mrs. Jones, you expect us to believe that you can positively remember not raping and eating babies on the evening of May 3, 1989?"
"Yes, I neither raped nor ate a baby ever, including May 3 of 89."
"Well, this is strange to me, that you can so positively recall not doing something. May I remind the court that this is the very same Suzy Jones who on Monday could not remember her 98 character passphrase, but on Tuesday suddenly was gifted with total recall, not erring by a single character, despite the fact that this 'passphrase' is, to you and I, nothing more than a nonsensical string of uppercase letters, lowercase letters, numbers and punctuation. Will you, perhaps, tomorrow remember eating these babies, ma'am?"
Again, food for thought. Let me reiterate how much I appreciate all of this feedback. Please, everyone, feel free to drop me an e-mail as other angles on this situation occur to you. I'm always anxious to hash this over.
-"S"HM
Much Love,
"S"HM
*****
(I refuse to spellcheck out of contempt for your belief system)
Why? I guess if you're worried about people's irrational feelings..
One of the most labor and resource intensive ways to get credit cards is by sniffing 40 bit SSL traffic and decrypting that. I wouldn't be surprised if it has never happened. There would be no motive for it.
In most situations, the 40 bit SSL connection will be the most secure the card number is at any point in its journey.
A more reasonable way for someone to get your credit card is by stealing a stack of carbons from their retail job. Or copying the database off of the "secure" webserver.
And even then, it doesn't matter to you. It's the bank's problem. You have laws protecting you, and will find it very easy to get the charges removed. Considering how laughably insecure credit cards are, it's obvious that the banks don't care too much.
It's far worse to think courts will be able to subpoena private keys than that prosecutors might invent incriminating plaintext and claim it was derived from a defendant's cyphertext. You wouldn't have to reveal your key just to demonstrate that a particular plaintext wasn't encrypted by it.
It's been frustrating not having readily available Netscape RPMs with strong encryption.
The NSA just realized that if they allow strong e-commerce crypto, but still block strong email encryption, the big companies will stop complaining and we'll never be able to export PGP (legally, that is!).
Exactly. A lot of the noise towards opening up the U.S.'s export restrictions on crypto have been coming from big companies that want to do e-commerce. Greater e-commerce is in the U.S. government's best interest, as American companies currently dominate that scene, and stand to make a lot of taxable income if the whole world can use strong encryption to buy from them.
Once those companies get strong encryption exports for e-commerce, they'll be quiet and happy. No one will be strongly lobbying (with money to really make the government change its mind) for further opening up, and exports of crypto in other areas like email will never happen.
Plus, I'm sure the intelligence impact to the NSA of not being able to read https connections is minimal, unless it turns out that they're using credit card fraud to supplement their budget or something.
It is interesting to note how this seems to fall in line with the Microsoft trial. If it is the case (as it seems to be) that this crypto export allowance has only been given to Netscape it would seem like the government is starting to work towards breaking the Microsoft dominance by giving its competitors an advantage (if only in a PR sense).
Mr. Schneier is very correct, as usual (the man is an absolute godsend for those of us that like encryption but don't like working for a gov :) ). But note that those figures assume a brute force attack. Just as there is more than one way to skin a cat, there is more than one way to break encryption. IIRC brute-force is analogous to the worst-case scenario from algorithmic analysis, in that it can't get any less efficient than that (i.e. any special tricks or shortcuts save cpu time).
Now, understand that I am by no means a conspiracy theorist, but the NSA (and similar governmental agencies) have many, many things going for them when it comes to breaking codes: money (lots of it, we're talking on a government, a-million-bucks-is-lunch-money scale), brains (lots and lots of really intelligent people really into their jobs in close proximity to one another), and time (they've been doing this for decades non-stop since the late forties, admittedly not with the current algorithms but half of those they came up with).
*shrug* It isn't the NSA I'm worried about anyway when it comes to my browser, just some snot-nosed punque with a sniffer his big brother coded... ;^)
That only applies to a brute force attack. There's always the possibility that they've found some fancy mathematical trick to speed the process up by a few million orders of magnitude.
Well, breaking RC4 seems significantly more likely than a 128 bit brute force, but OTOH you can change which ciphers you use. If the NSA could break any SSL cipher, that's bad, since TripleDES, RC2, and RC4 are all used by SSL (well, IDEA is in there too but nobody uses it). If TripleDES is broken, you can safely say that all is lost. It's used in everything: S/MIME, PGP, GnuPG, banks use it, basically anything you can think of uses it. And you can set it to use TripleDES only if you want (I do). In any case, if nobody but the NSA can break RC4 (if an academic discovered an attack it would be published by now), then I'm pretty happy: as I've stated elsewhere, they don't want my CC #. And that's all I'm protecting with SSL.
This information is out of date, and the /. story is just a heap of desinformation.
The article mentioned in the story is several years old and the only export that has been approved is the capability to unlock strong encryption when talking to servers that present a particular kind of certificate.
Please, check your stories!
You are making presumptions about the legal system which have yet to be demonstrated. Who is to say that any court will accept any plaintext that was not produced under the aegis of the court system as a decrypted version of the ciphertext in question? Is that any different than hearsay? I suspect that the court would demand that the ciphertext be decrypted under the presence of court appointed administrators.
As an example, DNA testing is sent to court approved labs. I have yet to see a court allow a lawyer to walk in with his own DNA tested evidence by an unknown testing entity.
I know it is the modus operandi here to adopt the most paranoid stance with regard to data privacy and any actions that would seem to undermine it, but people need to stop and think before voicing their opinions. It seems that most people grab the first thing that jumps in their mind and jot down a couple of lengthy paragraphs in the hope that their words can reinforce their shallow thinking.
Hates people who have stupid little sigs
Don't assume that just because *you* don't have the resources *they* don't.
Maybe Netscape will be able to turn the tide of IE if it is the only browser that is 128bit in the Non-US market.
Of course, the Non-US made browsers already are going to have 128Bit Encryption in them. How long until IE 128Bit is exportable?
And again, of course, how hard is it to get a 128Bit Encryption browser outside of the US? Not very!
Linux O Muerte!
Okay, I live in Canada, and I say they better give us in US/Canada stronger crypto..... sure the rest of the world needs stronger crypto, but I still want 256 bit or higher.
How can this not break many laws in the us anyhow?
nil*
what is the real purpose in having only certain programs exportable with 128-bit encryption? Once one browser is exportable, the cat is really out of the bag. Not that it hasn't always been obtainable...
Interested in open source engine management for your Subaru?
Paranoid amongst us: take note. The NSA no longer considers 128 bit encryption secure enough to trouble them.
The comment about DESCHALL having broken 56 bit "last week" was suggestive to me, but at the bottom, note:
SOURCE Netscape Communications Corp. -0- 06/24/97
Past news. Ah well.
--j
I'm a nature photographer.
Now people outside the U.S. won't have to make the little visit to fortify.net afterwards :-)
It was always incredibly easy to get it anyway, but it's nice that there's now government permission. Definitely a step in the right direction.
--
grappler
Vidi, Vici, Veni
now hopefully people can feel more secure with their credit card on line.
It has been statistically shown that helmets increase the risk of head injury.
~=Keelor
Good catch, I should've noticed the name change not having been picked up.
I also see that the contact phone numbers are listed as being in the 415 area code. Netscape (err, AOL Mountain View) changed area codes (to 510) some time back.
--j
I'm a nature photographer.
US is the only North Americans that count. OpenBSD is garbage.
For all intents and purposes, Canada is a part of the USA. You speak the same language, probably even watch the same TV shows we do, etc. I'm really amazed Canada's provinces haven't become states of the USA.
ahahahaha, you stupid bitch! Someone corrected you dumb ass !!!
One would suspect this-- I'd love for it to be the case-- but it won't be, not if the Clinton Admin's present stance becomes policy. The specific power that law enforcement agencies would be granted would be the right to not have to reveal how they arrive at plaintext (similar to the right law enforcement currently has to not reveal sources of "anonymous" tips.) The right to not-reveal would include the power to not have anyone looking over their shoulder (who has oversight over the NSA?) Remember, this isn't like a lawyer wandering in with his own evidence; this is the cops wandering in with their own evidence-- which is entirely normal.
I recognize that this reads as paranoid clap-trap, but I do believe this threat is very real. Witness the kinds of abuses committed by the Phillie PD or LAPD, each of which are currently being investigated on several thousand counts of fabricating evidence, as well as sundry other abuses.
(pardon the spelling-- I'm in a hurry) -"S"HM
Much Love,
"S"HM
*****
(I refuse to spellcheck out of contempt for your belief system)
Fortify (available to those outside the US/Canada) *forces* strong encryption to be used if it's available. That means that it would still be better than depending on the bank to insist on strong crypto.
written with a Fortify(TM) patched Netscape(TM)...
Sreeram.
Netscape will be able to use 128bit with more servers. That doesn't really change anything for most users. The only servers will still be those approved by the U.S. govt.
On the other hand, Opera will use 128bit with any server, not just those approved by the U.S. The beta is due this month.
Either that or 128 bits is too weak. So much for the NSA being overwhelmed, eh ?
I don't want a proprietary extension to the open source browser, I want strong encryption to come in the open source distribution.
The only good thing I can see in this is a thorn in the eye of Internet Explorer, but even as such I can't see it as having significant effect, the exportation laws are by necessity more of a hindrance to truly international development efforts like the Open Source community than proprietary developers.
The silly exportation rule needs to come down completely. Granted if this is a first step, that could be a good thing, but it will probably be long until the good old American paranoia steps back. Until then this can only serve to unfairly unbalance the market. Similar allowances will probably soon follow for IE, which means that browsers that distribute source with their programs will be the loser.
Eythain
Silly... If this becomes a problem, one could simply run MD5 or similar checksum on the plain text, and prepend it to the encrypted messages. You could then tell whether a given plain text was the appropriate one for the encrypted text. Or if it is a public key algorithm, you can show that the plain text presented doesn't encrypt to the encrypted text...
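A sketch of the check this comment proposes, as an added example that is not part of the original thread: a digest of the plaintext travels in front of the ciphertext, so a claimed plaintext can be tested without any key. SHA-256 stands in for the MD5 the comment names, the `toy_encrypt` keystream cipher is a stand-in built only so the block runs offline, and all function names and sample messages are constructed here. The salted variant goes beyond the comment, because a bare digest also lets anyone confirm a guessed plaintext.

```python
import hashlib
import hmac
import os

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream. Stand-in cipher, not for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """digest(plaintext) || ciphertext, the layout the comment describes."""
    return hashlib.sha256(plaintext).digest() + toy_encrypt(key, plaintext)


def matches(sealed: bytes, claimed: bytes) -> bool:
    """Test a claimed plaintext against a sealed message. No key is needed."""
    tag = sealed[:DIGEST_LEN]
    return hmac.compare_digest(tag, hashlib.sha256(claimed).digest())


def confirm_guess(sealed: bytes, candidates):
    """Cost of the bare digest: an eavesdropper can confirm a guessed plaintext."""
    for candidate in candidates:
        if matches(sealed, candidate):
            return candidate
    return None


def seal_salted(key: bytes, plaintext: bytes):
    """Variant: keyed digest under a random salt that the sender keeps private.

    Returns (sealed, salt). The salt is disclosed only to dispute a claimed
    plaintext; the encryption key is never disclosed.
    """
    salt = os.urandom(32)
    tag = hmac.new(salt, plaintext, hashlib.sha256).digest()
    return tag + toy_encrypt(key, plaintext), salt


def matches_salted(sealed: bytes, salt: bytes, claimed: bytes) -> bool:
    tag = sealed[:DIGEST_LEN]
    expected = hmac.new(salt, claimed, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    key = os.urandom(32)
    real = b"lunch on friday?"                 # constructed sample message
    invented = b"an invented confession"       # constructed sample message

    sealed = seal(key, real)
    print("real plaintext matches:    ", matches(sealed, real))
    print("invented plaintext matches:", matches(sealed, invented))
    print("guess confirmed from tag:  ", confirm_guess(sealed, [b"yes", b"no", real]))

    salted, salt = seal_salted(key, real)
    print("bare-digest guess on salted:", matches(salted, real))
    print("salted check, real:         ", matches_salted(salted, salt, real))
    print("salted check, invented:     ", matches_salted(salted, salt, invented))
```

The tag binds whatever plaintext the sender hashed, not the ciphertext bytes, so the check only means something when the whole sealed message is the agreed exhibit and the tag was attached when the message was created.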
or without https http://www.fortify.net/README_main.html#comparison
This is Fortify for Netscape, a program that provides world-wide, unconditional, full strength 128-bit cryptography to users of Netscape Navigator (v3 and v4) and Communicator (v4).
In the latter case, the defendant would have to expose her private encryption key to the courts (seeing as how persons being prosecuted definitely don't retain the right to keep their encrypt/decrypt methods secret.) Thus, she'd, again, be forced into giving herself away to one extent or another.
-"S"HM
Much Love,
"S"HM
*****
(I refuse to spellcheck out of contempt for your belief system)
(score: -1, using the words "karma whore")
Get over yourself Signal_11.
The moderation here is screwed up, and everyone knows it. We are sick of seeing your posts moderated up to +4 or better just for pandering to the prejudices of the moderators. We know that the way to get points is to extol the virtues of Linux, bash Microsoft, and flame Mac users. That's not the point of a comments page. It's for posting your opinion not for sucking up to the moderators.
You abuse the system. It's as much the moderators' fault as yours, but since the moderators are anonymouse, there's no way to flame them, and thus you get to bear the brunt of our frustration. But then, what did you expect for selling yourself out to gain slashdot karma?
0 1 - just my two bits
Now it will take the script kiddies on your local cable segment 3 hours to crack the encryption for your credit card transaction rather than 5 minutes. This is truly a momentous occasion.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Not really. It depends what resources you have though. In Britain, GCHQ could easily brute force 128-bit crypto (and probably does... just using 128-bit crypto here is probably enough to get you noticed, since most people are sheep who use 40-bit MS products.)
There's more than one :)
It always makes me pleased to see these other AC's screaming at you for your drivelous posts.
And it's not jealousy, it's rage. Because you get scored up for no real reason. If you post it, it gets scored up. No matter how dumb or smart the post.
So it's more the moderators' fault than you.. but you're the one who gets the karma.. So it's your fault too.
KARMA WHORE!!
Cause we all know that's the best position to be in...
Have you ever been to Canada? It's significantly different to the US. It's more like Britain and France mixed together into some sort of unholy mess, with added ice and snow.
The difference between slashdot and the news media you're used to is that they don't tell you when they get the story wrong.
--
Michael Sims-michael at slashdot.org
There would probably be serious issues with "financing rogue elements" in other countries if US companies were to actually try to finance such work.
Can you imagine the hysterics some people would get into if SGI were to pay someone in the Netherlands to produce non-US-exportable computer hardware for export to China? That could seriously hamper domestic efforts to simply get the restrictions eased/lifted.
In any case, they'd have to get the people writing the code outside access to the strong crypto code, or at least hooks to it. There might be more legal trouble with that than simply exporting the binary-only software.
Oh well.
Jon
-- http://www.cerastes.org
https://www.fortify.net/README_main.html#comparison
or without https http://www.fortify.net/README_main.html#compariso
This is Fortify for Netscape, a program that provides world-wide, unconditional, full strength 128-bit cryptography to users of Netscape Navigator (v3 and v4) and Communicator (v4).
What exactly were you trying to say? Were you correcting me on something? I know what fortify is - that's why I made the comment I did.
--
grappler
Vidi, Vici, Veni
I will trust a cryptosystem foo-X if it is discovered in Iran, Pakistan, Libya or North Korea. :)
go home !!!!
I don't know. The feds aren't really the bad guys. At least to our businesses here in the U.S. They just want to make sure we have all the possible advantages over foreign competition. And what's so bad about that? The Japanese government is 10x worse any day of the week.
And when you think about it, the fed is only acting in their own interest. I mean, the taxes from American businesses help pay their taxes. They get nothing from foreign companies.
So, I tend to think that things are pretty much as they should be as long as the feds don't bite the hand that feeds it.
That's exactly what popped into my mind when I read the article. Why Netscape? What did Netscape offer to get this "special" treatment? Why not all the other software devs? My company still has 2 versions of its software. One for domestic and one for international delivery.
I also noticed some interesting "this is great, will give netscape an advantage over microsoft" posts. Interesting how many slashdotters hate government control until it can hurt MS. It can also give Netscape an advantage over a number of other private and open source companies who want to export too. Don't forget that in your war cries against MS. If the feds can attack MS, they can attack you too.
----- LoboSoft specializes in Digital Language Lab
Maybe I'll continue to use Fortify just in case. I cannot see the Oz gov. taking any notice of me 8-)
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
the court requests that she divulge her private key. She refuses, claiming to not be able to remember the key (just about her only recourse, short of simply giving them the key.)
the law enforcement agency brings forth their cryptotext and dummied plaintext, which reveals the defendant to have been embroiled in all manner of nefarious business.
the defendant's only defense is to come forward with the session key, which she can only retrieve with her private key-- QED she knew the key all along. Perjury. Unless she's the president, she's going to get hucked into the slammer.
I don't want this nit-picking to detract from your point: the session key angle is good, and I'm really glad that you brought it forward. Goes to show that you can't keep a good algo down.
If we can find a way out of the "perjury trap," I'll finally get to sleep soundly again. -"S"HM
Much Love,
"S"HM
*****
(I refuse to spellcheck out of contempt for your belief system)
>>They just want to make sure we have all the possible advantages over foreign competition. And what's so bad about that?
Bad enough if they have to screw other countries to do that.
See, the worst part is that lately, Sig11 has been posting replies to the AC's, defending himself, laughing at them. If it wasn't obvious enough, he's feeding the trolls and feeding on the controversy.
So that makes him more than a Karma Whore, it makes him a small time Media Whore. He loves it too.
-One of the AC's who's always after him, posting logged in because the previous poster was brave enough to as well.
I think it probably means nothing, that it is just a direct quote of some Netscape PR-material that likes to mention Netscape products a lot. But of course, it could mean exactly what it says, and that there is a backdoor in SuiteSpot for the three letter agencies. Putting a backdoor in the server side software would make perfect sense, because as we all know, Communicator 5.0 will be open source, meaning that any backdoors in Communicator would eventually be discovered.
Probably nothing, but OTOH, one should never trust the NSA/CIA/XXX.
Hmmm. So I can't reply if something is stupid or attacks my position? Hmm... that's going to put a serious damper on debating...
Yea, I see your point, but it really does come down to the US government deciding what is secure and what is not secure for you.
One should always be cynical of these crypto liberalization announcements, but I think the chances of the NSA being able to break 128-bit crypto are slim.
The "missing link" you refer to above is usually not secret. We've seen lots of crypto liberalization announcements and they've always had strings attached (more like steel cables). In the case of this old 1997 announcement I think the string was that you had to be a bank, which would mean you have to make all transactions available to the feds anyway.
Other strings that we've seen attached:
People who say the NSA are way ahead of the civilian state-of-the-art in cryptography are usually using old examples. Just look at Skipjack. The algorithm was made public and after just a couple of weeks of analysis it was hanging by a thread. Not a large margin of security at all.
run anonymiser and just watch those domains validate themselves.
"Netscape Communications Corporation (Nasdaq: NSCP) today announced [...]
Once the AOL purchase went through, NSCP was no longer listed on Nasdaq.
Cheers,
ZicoKnows@hotmail.com
The 128 bit version is not or not yet available on Netscape's page (the link is blocked). Maybe it takes a while to update that page, or the whole thing is just a rumor (I hope it's true).
How is netscape going to survive if they can't sell off our personal info and statistics when we download communicator with encryption? We may never see the next release.
./diff two human minds? I'd sure like to see the results line by line.
Time, will tell.
Imagine the processor power required to
-Scott Ruttencutter
Scott Ruttencutter
We Apprentice Developers and Designers
Hmmm... this troubles me. Does this mean they can break 128 easily? If so, how? It's still too tough to brute force it, isn't it?
-rt-
** Evil Canadians are taking over the world. Learn about the conspiracy
Don't trust it. For that matter, PGP 2.x isn't trustworthy either. Anything the U.S. gov't says is "OK" to export, is not to be considered reliable security.
Maybe I've seen "Conspiracy Theory" one too many times, there seem to be some scary implications to this. Specifically, if investigators cannot be compelled to reveal how they decoded encrypted info, then they could conceivably take an encrypted doc which they could positively attach to the defendant (i.e. an encrypted document the defendant admits to, or can be convincingly illustrated to a court of law to be, the owner of) and then present in court ANY plaintext as being its source. These investigators (and, under the new regs, this would include domestic-charter, as well as foreign-charter, law-enforcement) could make up the foulest, nastiest, most incriminating admission in the world and claim it to be the plaintext. With a decent algorithm (i.e. ANY strong algo) there is NO WAY to verify that a plaintext and cryptotext match up without the key (that's the point of encryption, for godssakes.) As the investigators cannot be made to reveal HOW they got plain from cipher, the only defense the defendant could make would be to decrypt the doc in question before the court herself, and that would require her to expose to the court her cryptosystem and key (the latter, of course, being a far more damning exposure than the former, assuming she uses strong crypto.) I.E., in the end, she would be giving up the one thing that protected her. Even if the case is thrown out of court (which, God-willing, it would be, seeing as how the investigators would have to admit to submitting false, or at least spurious, evidence,) the defendant would still be up a creek, as all her past and present encrypted data would be exposed.
An even worse scenario: another clause in these regs permits courts to subpoena private keys (previously considered unconstitutional, as it forces a person to incriminate herself.) If the defendant refused to do so, claiming to have forgotten the key, and the prosecution later played its dummied-plaintext trump card, she would be put in the position of either 1) going to prison for heinous crimes she never even considered committing or 2) admitting to perjury.
This would seem to be a very-much bad situation that we, as citizens, are being put into. The NSA, again, has designed a brilliant protocol.
Just food for thought. This is the sort of thing that keeps me up late, watching TV and talking to the dog.
-"S"HM
Much Love,
"S"HM
*****
(I refuse to spellcheck out of contempt for your belief system)
Can anyone provide any supporting documentation that shows that something new has happened with respect to Netscape Communicator and encryption export restrictions?
Don't doubt it. 128 is old hat nowadays so don't doubt that they can get through it. Brute force is not the way. It takes too long. There are already algorithms for cracking DES.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
Immediate? Not really! I still get:
Bad Domain DNS NAME:
Host Name: adsl-145-99-x-x.snelnet.nl
IP Address: 145.99.x.x
Your DNS name probably won't be accepted.
Still have to go to Zedz and Fortify...
-------
Warning: Slashdot may contain traces of nuts.
OK so this is a hoax but it is indeed possible to get 128 bit encryption on Netscape just by using an Australian product: Fortify. As it's not made in the US it doesn't violate any US export laws.
--
Oops, I apologise for my rotten spelling above. I guess that's what the "preview" button is for, huh...
posting logged in because the previous poster was brave enough to as well.
I did a little experiment a few months ago. I flamed the same posts with the same basic arguments, once logged in, and once as an AC. The logged-in posts either went up or got left alone, and all the AC posts got put down to -1.
0 1 - just my two bits
Is it possible to get RPMs for the 128bit netscape? I've got one site I have to go to that requires 128 bit encryption. Every time I upgrade my RH distribution, I get the latest international version and then have to download the 128 bit version separately from netscape and copy the binary over...yada-yada-yada. Big pain in the ass. I would so like to just be able to download an rpm for the secure version....
I want to make a few points very clear. It is legal to import strong crypto in all of the free world. One of the best crypto repositories is on this network. (It is replay.com now changed to some god-awful name like zedz.nl which rhymes with 'feds' - How could you Alex!) What is it that makes America feel superior in a field long dominated by Europe? Finally it should be very advantageous for any American company to develop crypto outside the USA and get the MUCH bigger world market in addition to the (isolationist) US market. This is really silly and I laugh at the US like anyone else.
I love it, score:0. There's a fine line between replying to defend yourself and replying to feed the trolls. You did the latter. You made posts that just attacked the AC's.
:P Part of posting is posting responsibly. Not hoarding Karma and feeding trolls. I'm glad this is catching up to you.
http://slashdot.org/comments.pl?sid=99/12/05/1054206&cid=73
So, in conclusion,
But you're still a Karma whore and have admitted it publicly in the sid=moderation thread.
Get a life
Except for the harm it does to US software houses, the ban is ineffective. I don't know anyone outside the US who uses encryption and DOESN'T use at least 128bits as their low level crypto option.
I guess Nav sucks so bad the gov doesn't consider it a threat no matter what!
Sorry. Troll.
Check out Project Upper/Mute, an all-around awesome compiler fra
Adding more bits doesn't make it any more secure up to a certain point. Same reason why an 8128 bit RSA key is no more secure than a 3096 bit one in reality... just slower. New algorithms need to be invented to take advantage of higher bit sizes. 128 bit crypto used in SSL is supposedly similar in strength to 2048 bit RSA.
I don't understand why companies such as Netscape and Microsoft don't just pay someone like the SSLeay developers to develop strong encryption in their products outside of the US and be done with it.
See, there's this country just north of the USA that's already able to use the 128 bit versions, no problem.
Remember, Americans, you're not the only North Americans.
---
Book(n): Utensil used to pass time while waiting for the TV repairman
If Netscape's marketshare were to increase outside of U.S. borders (which is obviously a much larger market than the U.S.), might this possibly help with MS I.E.'s adherence to the WWW3's standards that we are all concerned about MS "embracing and extending"? It seems it may also give Netscape a better foothold in the international market which will help Netscape 5/Mozilla's adoption (re-adoption) when they are released.
----------------
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
Co-founder and designer at Music Nearby: http://musicnearby.com
When I went to "upgrade" IE 5 from 40-bit to 128-bit encryption it gave me this huge disclaimer:
Your use of the 128-bit High Encryption Software Component is subject to the following additional terms: Export Notice - The 128-bit High Encryption Software Component contains strong encryption features. The 128-bit High Encryption Software Component may be distributed in the United States, its territories, possessions and dependencies, and Canada without an export license. Export of the 128-bit High Encryption Software Component from the United States is regulated under "EI controls" of the Export Administration Regulations (EAR, 15 CFR 730-744) of the U.S. Commerce Department, Bureau of Export Administration (BXA). An export license or applicable license exception is required to export the 128-bit High Encryption Software Component outside the United States or Canada. For additional information see http://www.microsoft.com/exporting/.
You agree that you will not directly or indirectly export or re-export the 128-bit High Encryption Software Component (or portions thereof) to any country, other than Canada, or to any person or entity subject to U.S. export restrictions without first obtaining a Commerce Department export license or determining that there is an applicable license exception. You warrant and represent that neither the BXA nor any other U.S. federal agency has suspended, revoked, or denied your export privileges.
Now why can Netscape export it? Maybe they figure Netscape crashes so much it doesn't matter...
When Netscape receives the same permission on its open sourced Mozilla project... only then will I believe we're receiving real security.
I might be mistaken, but read this:
International users who have Netscape Communicator do not need to download a new version of Netscape Communicator to take advantage of the strong encryption capabilities being announced today. Negotiation of the strong encryption between International versions of Netscape Communicator and Netscape SuiteSpot servers approved for export to banks occurs through a unique mechanism based on a special-use digital certificate. Approval of this certificate based mechanism is the culmination of months of effort between Netscape and numerous government agencies. Netscape and VeriSign have worked closely together to develop digital certificates that allow Netscape SuiteSpot servers to initiate strong communications sessions with Netscape Communicator. VeriSign will issue special-use digital certificates pending final approval from the United States Department of Commerce. Banks around the world can obtain Netscape Communicator and Netscape SuiteSpot servers with strong encryption immediately.
This seems to imply that in order for users to use 128bit, they have to be talking with a Netscape SuiteSpot server, which means that general 128bit encryption has not really been legalized, but only 128bit encryption between two software programs created by the same software house.
What do you think?
-- the cake is a lie
All this means is they can now trivially break 128-bit encryption or will have the capacity to do so in the near future....
I've never heard of any institutions (banks etc) offering 128-bit secure connections outside of the US
Here in Estonia we have at least two banks - Hansabank and Union Bank who use 128-bit encryption in their internet banking pages.
Here are the internet banking pages: Hansabank and Union Bank. There you can choose between 128-bit and 40-bit security.
I am not sure about the third major bank because I am not their client.
You're taking it pretty well, since it's all stupid anyhow. I get it too, for some reason.
:)
:)
I see about a billion AC's in this thread not marked as "Offtopic". I wonder why *you* got moderated down... Hmm.
And, for future reference, guys, my Anonymous posts don't get treated that badly. But I have seen that behavior happen before. Try posting the same thing you would have posted anyhow, anonymously. And see if anyone looks at these silly "comment" things, anyhow.
But more people *do* see the logged-in posts, because some people do set their threshold above 0, guys. (I usually set mine to 1, unless I see a lot of "x comments below blah threshold", or I'm really interested in the thread, but lately I've been setting mine to -1, out of moderator mistrust) And if you see a post, and you like it, you might moderate it up.
Also, there is a lot of Anonymous Coward distrust, because they offer *no* way to contact them. They are definitely more admirable when they do. Even a slashdot account is enough, and an e-mail address (anonymous or not) is a nice touch. I distrust Anonymous Cowards because they have no reason to be accountable for what they do or say, and I don't know if I'm talking to the same person. I could post anonymously to myself and make it look like I'm being harassed to get scored up. How messed up is that? If I have a discussion with someone, and I can't see a face, I'd at least like to have a name. But really intelligent commentary will do.
---
pb Reply or e-mail rather than vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
Someone's probably already pointed this out (although I didn't find a reference myself), but there already is a third-party 128-bit encryption add-in for Netscape Navigator and Communicator. I guess it's pretty old news, but might be useful for those who hadn't heard of it... It can be found at http://www.fortify.net
free experimental electronic music netlabel at www.viablehybrid.com
It was my fault that the article got posted - I misread something I was sent and then jumped at the chance of posting it... I'll be posting a note about it later. On another note - 128-bit export restrictions have been eased for certain countries. Byron Hinson http://www.activewin.com
The article states
"International users who have Netscape Communicator do not need to download a new version of Netscape Communicator to take advantage of the strong encryption capabilities being announced today. Negotiation of the strong encryption between international versions of Netscape Communicator and Netscape SuiteSpot servers approved for export to banks occurs through a unique mechanism based on a special-use digital certificate."
This is a capability that's been in both IE and Netscape for a while. It's called "Server Gated Crypto", and it works like this:
An exportable browser connects to a bank's server. The bank sends the browser a special certificate that has an extension which tells the browser to do Server Gated Crypto. They both drop connection and reconnect, with the domestic-grade encryption.
This does not mean that Netscape is able to export 128bit crypto freely, nor does it mean they can stop making different versions. It means that the ability for the export browser to use domestic crypto is controlled at the CA (like VeriSign) and not in the browser. The CA gets permission to issue these special certs to a certain group of customers (banks, mostly), and THAT controls the crypto.
It was an interesting attempt to relax crypto just enough to assuage the privacy advocates' cry of "but, e-commerce needs strong crypto".
Citizens Against Plate Tectonics
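The certificate check described in the Server Gated Crypto comment above, as an added example that is not part of the original post or of any browser's code: it parses a DER-encoded Extended Key Usage value and permits step-up only when an SGC key purpose is present and the issuer is on an approved list. The two OIDs are the Netscape Step-Up and Microsoft SGC key-purpose identifiers; the sample bytes, issuer names and the approved-issuer set are constructed assumptions modelling the CA-side control the comment describes.

```python
SGC_OIDS = {"2.16.840.1.113730.4.1", "1.3.6.1.4.1.311.10.3.3"}  # Netscape Step-Up, Microsoft SGC

def read_tlv(buf, pos):
    """Read one definite-length DER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted-decimal text."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:            # high bit clear ends this sub-identifier
            subids.append(value)
            value = 0
    if not subids or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(subids[0] // 40, 2)    # first sub-identifier packs two arcs
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def eku_oids(ext_value):
    """List the key-purpose OIDs in a DER ExtendedKeyUsage (SEQUENCE OF OID)."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids

def step_up_allowed(ext_value, issuer, approved_issuers):
    """Gate strong crypto on both an SGC key purpose and an approved issuing CA."""
    return issuer in approved_issuers and bool(SGC_OIDS & set(eku_oids(ext_value)))
# Constructed sample EKU values (not taken from any real certificate).
BANK_EKU = bytes.fromhex("301506082b0601050507030106096086480186f8420401")
PLAIN_EKU = bytes.fromhex("300a06082b06010505070301")
```

The same `eku_oids` function can be pointed at the EKU extension bytes of certificates in an inventory to find any that still carry these legacy key purposes.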