The software is at: http://mozilla-crypto.ssleay.org/press/19980403-01/index.html This article is at: http://www.wired.com/news/news/technology/story/11465.html If you want to follow the various links, I recommend surfing to the original HTML version and following them. Cryptozilla Thwarts Feds Crypto Ban by Michael Stutz 7:20pm 3.Apr.98.PST Marc Andreessen has said that open development on Communicator's newly freed source code is going to offer unprecedented software innovations. So when a group of open-source developers released on Friday a strong cryptography version of Netscape's browser for Windows 95 and NT, dubbed Cryptozilla, Andreessen's prophecy was fulfilled - in spades. Soon after Netscape's announcement that they would free their source code, the Mozilla Crypto Group (MCG) was formed to produce a version of the browser with 128-bit encryption - the kind that US-based companies are forbidden by law to export. "What we're forbidden from doing is exporting either cryptographic code or code that is designed to have crypto easily added to it," said Netscape engineering manager Tom Paquin. Part two of the equation, he said, was that putting such code on a server that anybody could download from could be construed as export. But the regulations and restrictions that apply to software products don't apply to cooperatively developed, open-source software, which is primarily distributed over the Internet. As if to underscore this point, Cryptozilla has quickly demonstrated the futility of the US government's attempts to ban the export of software programs that include strong encryption. "We knew that Netscape was serious about [releasing the source code], and that it was clear that what was going to come out [from subsequent developments] was going to be a useful browser," said MCG developer Tim Hudson. For users, Cryptozilla presents the option of using a browser for surfing and making transactions that has a higher degree of security built in. Support for secure mail and other transactions will be added as development ensues. Netscape's Secure Sockets Layer (SSL) is the protocol used to provide secure Web browsing via encryption. However, the SSL source code used in Communicator includes source licensed from RSA Data Security and other companies that forbid the redistribution of their code. Enter Australian programmer Eric A. Young, who wrote a free implementation of SSL from scratch - SSLeay. His comrade Tim Hudson then developed SSLeay implementations in a number of open-source network applications. Then, with several other developers, they founded the MCG, which is also supported by the Distributed Systems Technology Centre, a security-focused cooperative-research center backed by the Australian government. And at about 7:15 p.m. EST Wednesday night, they birthed "Cryptozilla" - a crypto-powered browser that was compiled to run on Red Hat Linux, a popular distribution of the cooperatively developed operating system. The application took all of 15 hours to create, and the group confirmed their success by testing it on several SSL-powered Web sites. "Alert Webmasters of secure sites with a high profile should have noticed a Mozilla 5 coming from an AU location connecting with full security," Hudson said. Today at about 11 a.m. EST, the group did it again and released their first Cryptozilla executable for 32-bit MS Windows systems. By mid-afternoon, versions were available for both Windows 95 and Windows NT. Hudson said that the group is now concentrating on setting up procedures so that access to their Cryptozilla source code can be opened up to other developers in an organized fashion. They will do this by using sophisticated open-source tools for managing multiple revisions of the source code as developers add new improvements. "A significant portion of the group have practical experience in this area in the form of being core Apache Group members," he said. Apache is the world's most popular Web server - and is also a cooperatively developed, open-source, free-software product. As long as these open-source, free-software projects continue to thrive, attempts at banning the export of strong cryptography may prove futile - digital source code is easily duplicated and is not stopped by political boundaries. "The mathematicians have figured this out, and have got the governments beat," said Netscape's Paquin, who asserted that governments can't stop the development and distribution of strong crypto through technical means. "Cryptography will [inevitably] spread over the whole globe, and with it the anonymous transactions systems that it makes possible," wrote Eric Hughes in the 1993 "A Cypherpunk's Manifesto." Administrators at a Department of Defense military computer installation in North Carolina had their own taste of this today when a not-for-export copy of the Pretty Good Privacy encryption software was finally removed from their machines, after illegally being available for the world to download for more than two years. On a corresponding Web page it was touted as the "ultimate in email security!" It was finally removed this morning at 6:57 a.m. EST. A counter on the site showed that it was downloaded a total of 93 times. Officials at the site were not available for comment.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:55 PDT