From: jericho@dimensional.com
Date: Tue, 31 Mar 1998 13:57:26 -0700 (MST)
To: InfoSec News <isn@sekurity.org>
Subject: [ISN] Aussies Out to Give Mozilla Crypto Punch

Aussies Out to Give Mozilla Crypto Punch
by James Glave
11:59am 30.Mar.98.PST

A grassroots coalition of Australian researchers and developers have formed the Mozilla Crypto Group to do what Netscape Communications itself could not - bring strong cryptography to Communicator 5.0 users worldwide.

The group said in a statement that its goal is to create a cross-platform Web browser by adding the full-strength cryptography provided by SSLeay, a free implementation of Netscape's Secure Socket Layer. SSL is the crypto protocol behind the Netscape Secure Server and the Netscape Navigator browser.

Today's news addresses one of the biggest questions surrounding Tuesday's release of Netscape 5.0 source code. For legal reasons pertaining to Netscape's licensing of crypto algorithms from RSA Data Security, the company had stripped out the crypto from the application's code base.

The 10-member group includes Tim Hudson and Eric Young, who spearheaded SSLeay, and Farrell McKay, who last year developed Fortify, a patch that beefed up the cryptographically weak export version of Netscape to full 128-bit strength.

The group said in a statement that the upgraded Mozilla will support both weak legacy - 56-bit and less - and modern full-strength cryptographic keys.

"At the moment the development plans and projects are in a state of flux," the group's FAQ states.

"More detail will be added as we find out more about the Mozilla code base after it is released. The initial aim is to add HTTPS (Secure HTTP) support into the browser before tackling the other interesting areas [where] crypto is used," continued the statement.

"We plan to make binaries of builds for at least the key development platforms available for testing, along with the source for the required interface modules for using SSLeay and the patches that will be necessary to the actual Mozilla source release," the FAQ continued.

By developing the crypto support in Australia, without US technical support, the alliance neatly bypasses US Commerce Department regulations barring the export of most strong encryption technologies on the grounds that doing so would threaten US national security interests.

But the Mozilla Crypto Group demonstrates the shortsightedness of that scheme, experts said.

"The export policies assume that foreigners can't program," said Phil Zimmermann, a fellow with Network Associates and the creator of Pretty Good Privacy.

"I applaud the publication of source code of any product that can have cryptography in it," Zimmermann added.

"It's another step on the road [to worldwide strong encryption]," said Bruce Schneier, president of Counterpane Systems.

"It's a good step, it's a good idea - SSLeay has been around for a while," he said.

Different sections of code from the browser, christened Mozilla, will be stewarded by various developer organizations. On Friday, a Netscape engineer revealed that the sections of code pertaining to extensible markup language (XML) would be turned over to a coalition of XML developers.

Representatives of the Mozilla Crypto Group could not immediately be reached for comment.

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated