IP: Netscape, Fortify & the NSA

[Dave Farber <farber () cis upenn edu>]

From: Vin McLellan <vin () shore net>




G'day Dave,
        With the Euro Parliament report on NSA snooping in Europe due
today, I thought this might interest you for IP.  Regards, _Vin
---------


Date: Tue, 27 Jan 1998 03:00:13 -0500
To: risks () csl sri com
From: Vin McLellan <vin () shore net>
Subject: Netscape, Fortify & the NSA


        In a recent post to RISKS, John Wilson <jowilson () mtu edu> worried
about what unscruprilous folk, unwilling to acknowledge or respect
interests other than their own, might inflict on the public now that
Netscape has decided to release the source code for the Netscape 5.0
browser.


>  [ ... } I wonder how many Trojan horses will
> have to be dealt with then.  "Oh, look, the latest version of Netscape
> ... click here."  Possibilities include tracking software built in the
> browser, routines to copy personal information, including credit card
> numbers, as well as the more "mundane" risks of simple file deletion/disk
> wiping.


        What the Mr. Wilson overlooks, perhaps, is what some unscrupulous
folk, unwilling to acknowledge or respect interests other than their own,
have already done to tens of millions of Internet users -- and what they
were able to get away with largely because Netscape's source code was
unavailable.


        By forbidding the export of web servers and browsers with strong
crypto to non-American users (with a few narrow and humiliating
exceptions,) US policymakers have left the commercial, professional, and
personal correspondence and web-based transactions of millions of
non-American citizens all but naked to eavesdropping by criminals (petty
and organized,) industrial spies, gossip-mongers, aggressive office-pols,
wannabe blackmailers, rogue cops, managers with feudal delusions, and
curious 14 year-olds with access to a contemporary PC (or -- if they they
want to pop secrets free within hours -- the computational resources of a
typical college computer lab.)


        The image and reputation of the US, and of American engineering and
technology, has suffered grevious harm so as to allow the NSA to gain what
transient enlightenment it could from it's world-wide "Echelon" sweeps of
the data lines and communications spectrum. Reaction to the scheduled
release, today, of a report by the Civil Liberties and Interior Committee
of the European Parliament on the NSA's systematic snooping on all European
telephone, fax, and digital communiations may indicate how bitter that
resentment has become.  (Swedish parliamentarians were outraged recently to
discover that the confidentiality of encrypted traffic on their Lotus Notes
system was apparently dependent on the self-restraint of the NSA -- which
demanded partial access to the Notes crypto-key before the product was
shipped abroad.)


        The web -- and in particular, Netscape's browser, due to its
popular success and widespread use -- has become the focus of much concern
and attention from those who believe that privacy and optional
confidentiality are fundamental to the dignity and liberty of any man or
woman, anywhere.  SSL, the encrypted channel built into the WWW spec,


offered the first encryption systems that was universially available, to
the far reaches of the global Internet.  The problem was, only Americans
got strong (128-bit) crypto.  US export policy allowed vendors to ship only
weak easily-broken 40-bit crypto in browsers exported to non-Americans, so
the browsers freely downloaded off the Microsoft and Netscape ftp sites
world-wide were almost always insecure, providing security of poor quality
by design and government fiat.


        Non-American webservers can offer strong-crypto alternatives to the
innovative American products which paced the technology -- and even the
crippled export-level American webservers can have their weak SSL
encryption enhanced by java applets (Brokat's Xpresso <www.brokat.de>) or
proxy/translators (C2's SafePassage <www.c2.net>) -- but it was only a few
months ago that Farrell McKay's remarkable freeware product, Fortify,
became widely available. <http://www.fortify.net>


        Fortify allows anyone anywhere to upgrade a Netscape browser
(Navagator v3 or Communicator v4) with weak or export-strength crypto into
one with the 128-bit SSL capabilities for confidentiality (and secure
e-commerce) that Americans take for granted when they do business on the
web.  An executive with one of the big international auditing firms told me
a month ago that Fortify is "all over Africa," particularly in banking.
"It's free, and it's legally available from its British website.  They'd be
idiots not to use it! I recommend it to all my international clients."


        McKay's program installs itself directly in the Netscape browser to
upgrade it's SSL code, so that anyone with a export-quality browser can get
a 128-bit strong-crypto link when he connects to a webserver that is itself
capable of establishing a strong SSL connection.


        Unfortunately, McKay's magic did not extend to strengthening the
S/MIME crypto has added encryption for electronic mail to recent versions
of both the Netscape and the Microsoft browsers.  McKay gave international
users of Netscape a secure 128-bit SSL channel, but neither he -- nor,
apparently, anyone else -- has been able to do the same with the S/MIME
routines which were also crippled and weakened to 40-bit crypto, by
government order, before export.


        The web is popular, but e-mail is still the "killer app."


        Strong SSL, now universally available, enables many types of
form-based transactions on the Web -- but freely-available strong S/MIME
for private mail will break the dam.  Some dream it could change the world.
Farrell McKay fervently believes that getting the Netscape source in
circulation among those who can pick it apart is the gateway to a future in
which everyone can expect their mail to be confidential  (at least until
some local lawmen shows up, with proper authority to demand access from one
of the correspondents.)


        "I live in the hope that there will be entire armies of enthusiatic
programmers all busily building strong crypto facilities into the v5.x
releases," he exulted in a note he sent me yesterday from Australia. "This
move really opens up a huge number of possibilities for the international
community."




        Many American think that's just great, on balance. ("All men are
created equal," and stuff like that.)   Virtually all non-Americans have no
doubt.  Much of the world is hoping that electronic commerce will be the
backbone of the 21st Century economy -- and you practically have to rate a
limousine in Washington, D.C., before you can believe that international
finance and trade will go online if the merchants, bankers, and businessmen
believe that American spooks have rigged a party-line, and may or may not
be listening.


        Having Netscape browser source-code in circulation won't change
much overnight, of course. Given US restrictions on the export of privacy
products, the release of the Netscape source code will doubtless be
restricted too.  Netscape's cryptographic modules will either not be
released in source, or will be forbidden for export. Still, with all _but_
the Netscape privacy code accessible to clever programmers world-wide, it
becomes all but certain that -- as  Netscape cryptographer Tom Weinstein
suggested yesterday -- "some enterprising individuals outside the US (will)
replace the missing pieces."


        Odd what Americans have to do to get a quality product to the world
market, huh?


        Suerte,
                _Vin




"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.


*     Vin McLellan + The Privacy Guild + <vin () shore net>    *
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548