Slashdot Mirror


Netscape Receives Strong Crypto Export Permission

Greg Miller writes "According to this article, Netscape has received approval to distribute the 128-bit encryption version of Communicator outside the U.S. They've also received limited permission to distribute SuiteSpot servers with strong encryption." [Update: 12/05 03:42 by michael: Slashdot got burned, this article is bogus. See below.]

Update: We were fooled. Someone posted this on http://www.activewin.com/frames/frmhome.shtml as new news (suckered them!), which apparently misled the Slashdot submitter and us. This is an old press release from 1997 talking about exporting software for certain specialized banking purposes. As far as I know, it's still illegal to generally export 128-bit crypto products.

Thanks to the alert posters in the threads below and to alecf who was bright enough to submit it in the stories inbox (which any of the assorted Slashdot authors who are online might be reading) for a fast response. Sorry for the "desinformation" (is that a pun?).

8 of 137 comments

  1. Desinformation by Anonymous Coward · · Score: 3

    This information is out of date, and the /. story is just a heap of desinformation.

    The article mentioned in the story is several years old and the only export that has been approved is the capability to unlock strong encryption when talking to servers that present a particular kind of certificate.

    Please, check your stories!

    1. Re:Desinformation by JohnG · · Score: 3

      Yes there is! I will use it in a sentence
      "When yous comes to Slashdot yous can git desinformation, dats all about da issues." It's obvious to me that the poster is either from the ghetto or was an extra on Deliverance. :)

  2. ... by Signal+11 · · Score: 3

    Paranoid amongst us: take note. The NSA no longer considers 128 bit encryption secure enough to trouble them.

    1. Re:... by Issue9mm · · Score: 3

      Actually, from what I got out of the article, 128 is only acceptable (at least at this point) between SuiteSpot servers and Netscape browsers. They're not going to implement any more encryption into the browser.

      This has been around for a while, as Server Gated Crypto, and both IE and Netscape have this functionality. It's not that the NSA can break it (although I'm in no position to say that they can't, it's still possible), but that the only transactions being encrypted in this manner are going to be hand-picked, to issue certificates, and probably only for bank/commerce transactions.

      PS, all ACs, notice how I get my point across WITHOUT having to call him a karma whore? or bash his use of "..." as a subject. Remember, it's a free world, and it's his prerogative. Some of us actually appreciate intelligent conversation, regardless of its intent, and (last time I checked), he's still perfectly free to choose whatever subject he wants.

      I'll shut up now and post so that I can be flamed.

  3. Ummm, is this out of date? by Joe+Decker · · Score: 4

    The comment about DESCHALL having broken 56 bit "last week" was suggestive to me, but at the bottom, note:

    SOURCE Netscape Communications Corp. -0- 06/24/97

    Past news. Ah well.

    --j

  4. a little off topic, but still salient-- I think by Savage+Henry+Matisse · · Score: 4

    This Netscape-news fits into the whole "Clinton Administration's new attitude towards crypto export" issue. One aspect of these relaxed regs, highlighted by a Wired News article several weeks ago (sorry, couldn't find the URL) but ignored pretty much everywhere else, is that investigators will no longer need to reveal their methods for arriving at a plaintext from a cryptotext for which they had no key.

    Maybe I've seen "Conspiracy Theory" one too many times, there seem to be some scary implications to this. Specifically, if investigators cannot be compelled to reveal how they decoded encrypted info, then they could conceivably take an encrypted doc which they could positively attach to the defendant (i.e. an encrypted document the defendant admits to, or can be convincingly illustrated to a court of law to be, the owner of) and then present in court ANY plaintext as being its source. These investigators (and, under the new regs, this would include domestic-charter, as well as foreign-charter, law-enforcement) could make up the foulest, nastiest, most incriminating admission in the world and claim it to be the plaintext. With a decent algorithm (i.e. ANY strong algo) there is NO WAY to verify that a plaintext and cryptotext match up without the key (that's the point of encryption, for godssakes.) As the investigators cannot be made to reveal HOW they got plain from cipher, the only defense the defendant could make would be to decrypt the doc in question before the court herself, and that would require her to expose to the court her cryptosystem and key (the latter, of course, being a far more damning exposure than the former, assuming she uses strong crypto.) I.E., in the end, she would be giving up the one thing that protected her. Even if the case is thrown out of court (which, God-willing, it would be, seeing as how the investigators would have to admit to submitting false, or at least spurious, evidence,) the defendant would still be up a creek, as all her past and present encrypted data would be exposed.

    An even worse scenario: another clause in these regs permits courts to subpoena private keys (previously considered unconstitutional, as it forces a person to incriminate herself.) If the defendant refused to do so, claiming to have forgotten the key, and the prosecution later played its dummied-plaintext trump card, she would be put in the position of either 1) going to prison for heinous crimes she never even considered committing or 2) admitting to perjury.

    This would seem to be a very-much bad situation that we, as citizens, are being put into. The NSA, again, has designed a brilliant protocol.

    Just food for thought. This is the sort of thing that keeps me up late, watching TV and talking to the dog.

    -"S"HM

    --
    Much Love,
    "S"HM
    *****
    (I refuse to spellcheck out of contempt for your belief system)

  5. Easy way to get 128bit encryption by linuxci · · Score: 3

    OK so this is a hoax but it is indeed possible to get 128 bit encryption on Netscape just by using an Australian product: Fortify. As it's not made in the US, it doesn't violate any US export laws.

  6. Misleading article. Here's the translation by drig · · Score: 4

    The article states
    "International users who have Netscape Communicator do not need to download a new version of Netscape Communicator to take advantage of the strong encryption capabilities being announced today. Negotiation of the strong encryption between international versions of Netscape Communicator and Netscape SuiteSpot servers approved for export to banks occurs through a unique mechanism based on a special-use digital certificate."

    This is a capability that's been in both IE and Netscape for a while. It's called "Server Gated Crypto", and it works like this:

    An exportable browser connects to a bank's server. The bank sends the browser a special certificate that has an extension which tells the browser to do Server Gated Crypto. They both drop connection and reconnect, with the domestic-grade encryption.

    This does not mean that Netscape is able to export 128bit crypto freely, nor does it mean they can stop making different versions. It means that the ability for the export browser to use domestic crypto is controlled at the CA (like VeriSign) and not in the browser. The CA gets permission to issue these special certs to a certain group of customers (banks, mostly), and THAT controls the crypto.

    It was an interesting attempt to relax crypto just enough to assuage the privacy advocates' cry of "but, e-commerce needs strong crypto".

    --
    Citizens Against Plate Tectonics
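
The Server Gated Crypto exchange described in the comment above, as an added toy model that is not part of the original thread or any browser's code: an export client steps up to domestic-grade suites only when the server certificate both carries an SGC extended-key-usage OID and was issued by a licensed CA. The two OIDs are the published Netscape and Microsoft SGC values (not on the page); the CA name, host names and suite lists are assumptions, and the issuer-name check stands in for real chain validation.

```python
from dataclasses import dataclass

# Extended-key-usage OIDs that mark a certificate as SGC-capable.
# Not on the page: these are the published Netscape and Microsoft values.
SGC_OIDS = {"2.16.840.1.113730.4.1", "1.3.6.1.4.1.311.10.3.3"}

# Hypothetical CA name: stands in for a CA licensed to issue SGC certificates.
SGC_LICENSED_CAS = {"Example SGC Root CA"}

# Illustrative OpenSSL-style suite names.
EXPORT_SUITES = ["EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]   # 40-bit export grade
STRONG_SUITES = ["RC4-MD5", "DES-CBC3-SHA"]          # domestic grade

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    eku: frozenset = frozenset()

@dataclass(frozen=True)
class Server:
    cert: Cert
    suites: tuple = tuple(STRONG_SUITES + EXPORT_SUITES)  # preference order

def pick_suite(offered, server):
    """Server picks its most-preferred suite that the client offered."""
    return next((s for s in server.suites if s in offered), None)

def sgc_eligible(cert):
    """Both must hold: SGC EKU present AND issued by a licensed CA."""
    return bool(SGC_OIDS & cert.eku) and cert.issuer in SGC_LICENSED_CAS

def export_client_connect(server):
    """Return the suite chosen on each connection an export browser makes."""
    chosen = [pick_suite(EXPORT_SUITES, server)]       # first hello: export only
    if chosen[0] is not None and sgc_eligible(server.cert):
        # Drop and reconnect, this time offering the domestic-grade suites too.
        chosen.append(pick_suite(STRONG_SUITES + EXPORT_SUITES, server))
    return chosen

# Constructed sample servers.
NS_SGC = frozenset({"2.16.840.1.113730.4.1"})
BANK = Server(Cert("bank.example", "Example SGC Root CA", NS_SGC))
SHOP = Server(Cert("shop.example", "Example SGC Root CA"))   # no SGC EKU
FAKE = Server(Cert("fake.example", "fake.example", NS_SGC))  # self-signed

if __name__ == "__main__":
    for name, srv in (("bank", BANK), ("shop", SHOP), ("self-signed", FAKE)):
        print(name, export_client_connect(srv))
```

The self-signed case is the one to watch: the extension alone unlocks nothing, which is why the control sits with the CA rather than the browser.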