[LWN Logo]

From: jericho@dimensional.com
Date: Tue, 31 Mar 1998 13:57:26 -0700 (MST)
To: InfoSec News <isn@sekurity.org>
Subject: [ISN] Aussies Out to Give Mozilla Crypto Punch



Aussies Out to Give Mozilla Crypto Punch
by James Glave 
11:59am  30.Mar.98.PST

A grassroots coalition of Australian researchers and developers have
formed the Mozilla Crypto Group to do what Netscape Communications itself
could not - bring strong cryptography to Communicator 5.0 users worldwide. 

The group said in a statement that its goal is to create a cross-platform
Web browser by adding the full-strength cryptography provided by SSLeay, a
free implementation of Netscape's Secure Socket Layer. SSL is the crypto
protocol behind the Netscape Secure Server and the Netscape Navigator
browser. 

Today's news addresses one of the biggest questions surrounding Tuesday's
release of Netscape 5.0 source code. For legal reasons pertaining to
Netscape's licensing of crypto algorithms from RSA Data Security, the
company had stripped out the crypto from the application's code base. 

The 10-member group includes Tim Hudson and Eric Young, who spearheaded
SSLeay, and Farrell McKay, who last year developed Fortify, a patch that
beefed up the cryptographically weak export version of Netscape to full
128-bit strength. 

The group said in a statement that the upgraded Mozilla will support both
weak legacy - 56-bit and less - and modern full-strength cryptographic
keys. 

"At the moment the development plans and projects are in a state of flux,"
the group's FAQ states.  "More detail will be added as we find out more
about the Mozilla code base after it is released. The initial aim is to
add HTTPS (Secure HTTP) support into the browser before tackling the other
interesting areas [where] crypto is used," continued the statement. 

"We plan to make binaries of builds for at least the key development
platforms available for testing, along with the source for the required
interface modules for using SSLeay and the patches that will be necessary
to the actual Mozilla source release," the FAQ continued. 

By developing the crypto support in Australia, without US technical
support, the alliance neatly bypasses US Commerce Department regulations
barring the export of most strong encryption technologies on the grounds
that doing so would threaten US national security interests. 

But the Mozilla Crypto Group demonstrates the shortsightedness of that
scheme, experts said. 

"The export policies assume that foreigners can't program," said Phil
Zimmermann, a fellow with Network Associates and the creator of Pretty
Good Privacy. 

"I applaud the publication of source code of any product that can have
cryptography in it,"  Zimmermann added. 

"It's another step on the road [to worldwide strong encryption]," said
Bruce Schneier, president of Counterpane Systems. "It's a good step, it's
a good idea - SSLeay has been around for a while," he said. 

Different sections of code from the browser, christened Mozilla, will be
stewarded by various developer organizations. On Friday, a Netscape
engineer revealed that the sections of code pertaining to extensible
markup language (XML) would be turned over to a coalition of XML
developers. 

Representatives of the Mozilla Crypto Group could not immediately be
reached for comment. 


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated