Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Mozilla The Internet

Mozilla With Crypto Code Released 136

physicman writes "I just read on MozillaZine that there is finally a release containing the new crypto code. This means we will eventually get the chance to get access to secure Websites with our favorite nearly-in-beta-stage browser. " Mozilla's really been making a lot of progress recently -- and it looks great.
This discussion has been archived. No new comments can be posted.

Mozilla With Crypto Code Released

Comments Filter:
  • Run a beta version of a browser for "secure" transactions over the internet. I think that you will find some problems with that.
  • Does the US gov approve of all that Netscape is doing? the 128-bit enc browser is available anywhere given you "say" you're american...

    Now the crypto is opensource?

    I'm still waiting for Netscape 6.0 ;-)
  • Will this be folded into Debian Potato's US distro?
    Are there issues redistributing?
    I rather hope not; I am writing this with plain M14
    and liking it lots.
  • Kinda about time..I know I shouldn't push it, but
    AOL/Netscape have taken long enough. Though when I
    have time then I'll be able to play with what looks like a great browser. It'll match will the rest of the GTK arena that is my home..All those
    pretty GTK themes on my browser.It'll also allieviate the poor browsing selection for Linux/Alpha!
  • Good Morning!

    While you were asleep in the past few months, the US government published new rules on cryptography. You can find more details on how this affected Mozilla on their their website [mozilla.org].
  • Umm... I'll take beta open-source security over closed-source x.0 security any day, thanks. We all know security through binary obscurity doesn't work...
    ~luge
  • Run a beta version of a browser for "secure" transactions over the internet. I think that you will find some problems with that.

    wow! A first post with some substantive content!

    Of course there are some problems with that. However, if the crypto code is secure, I would have little trouble using it for my everyday banking online. I'm only dealing with hundreds of dollars at a time, though - if I was dealing with tens of thousands, I'd be paranoid about such stuff.

    How many people worry about security on the internet, while not keeping their credit card carbons? Or, for that matter, trusting their credit cards to $6.00/hour clerks in stores they frequent? Or keeping a 4-digit PIN for their ATM card? A beta browser using existing tested crypto code seems to be safer than most of those ideas.

  • The cryptographic code cannot be open source until the RSA patents expire later this year. Then, I imagine, it'll be fair game. I'll greet that news with much rejoicing, as the user of Linux on an alternative [apple.com] architecture.

    Hopefully the good folks at mozilla.org will cross-compile as much of these crypto libraries as possible in the meanwhile. Heck, I'd let them do it natively on my machine.

    John
  • The lack of crypo was one of the last obstacles to my using Mozilla as my everyday browser. Thanks to all the folks who have contributed to Mozilla. Now, if only they'd post that AIX build .... mmmm.
  • by Anonymous Coward
    i don't have any macintoshes or intel machines, so i can't run the binary releases. has anyone successfully built this thing on solaris and/or irix? (preferably irix, my solaris machine is gimpy)
  • by um... Lucas ( 13147 ) on Thursday March 09, 2000 @07:23AM (#1214857) Journal
    In all honesty, how else will anyone find that the implementation is flawed, if that happened to be the case. There's plenty of secure sites which you can go to that don't need credit card information. Or users and/or testers can visit secure sites and analyze their traffic, and compare it to the traffic that Netscape 4.7 and IE 5 would generate. Sounds like a good idea. It's not like Mozilla is in general use. Everyone knows that it's not ready for the primetime and uses it knowing that it's a work in progress.
  • It's certainly great news to see Mozilla release crypto-anything, but I find this release underwhelming in several aspects. In order to actaully use any of the crypto, you need a binary-only "Personal Security Manager" from iplanet that is only available for Windows and Linux systems.

    Of course this is not Netscape's or Mozilla's fault. The fault lies entirely with RSA Data Laboratories, who refuse to license their patented RSA algorithm to any open source projects. While liberalization of US export laws is very nice, I think we're going to have to wait until after the RSA patent expires on Sept. 20 before people outside of Netscape (well, US citizens anyway) can start to tinker with the cryptography software themselves.

    It's fascinating how RSA Data Laboratories was able to force the whole world to use RSA as their public key cryptography standard instead of the technically superior Diffie-Hellman/El Gamal algorithm. They did this by simply refusing to license Diffie-Hellman to anybody (yes, they owned a patent on that, back before it expired in 1997). Today the Diffie-Hellman algorithm has been out of patent protection for 3 years, but almost nobody uses it, because of the need to remain compatible with the large installed base of software that was forced to use RSA.

    Let's hope the current patent shenanigans that are holding back Mozilla crypto are the last adverse effects that the open source community will ever see from RSA Data Laboratories, Inc.

  • How strong is the encryption? Does your citizenship have to be verified like it did when netscape first did 128-bit crypto?
  • You won't get the theme support. the mozilla project doesn't currently have any plans to make them work either. check out http://www.linuxpower.org/display.php? id=168 [linuxpower.org] for an explanation from Christopher Blizzard. that link was posted on slashdot too. So, while you will have a solid browser, you won't have theme support
  • Like an article that was here yesterday plainly stated... Opensource software in general seems to be developed by programmers for programmers, rather than by programmers for users... You need to enlist some graphics people or UI engineers or something, before the interfaces can really be considered "snappy" or anything...

    I'd actually volunteer myself for something like that, being that most my background is in the graphic arts and printing spaces rather than the C, C++, Perl, Java, TCL, Perl, etc... space.
  • Because its for linux and its better than netscape 4.x. Also, its supposed to be better than IE eventually. CSS level 2 isnt even a defined standard yet (last i heard) and so IE does NOT support it, since its probably already different. Mozilla will introduce support for those technologies when they're released - not prematurly like IE which wants to boast more features and get people to say silly stuff like you just did.
  • by skHalasz ( 112471 ) on Thursday March 09, 2000 @07:33AM (#1214863)
    This means we will eventually get the chance to get access to secure Websites with our favorite nearly-in-beta-stage browser.

    This is a little misleading. The MozillaZine article tells you how you can set up Mozilla to browse secure sites right now. Today. I have done it and it appears to work fine.

  • by MRK ( 27619 ) on Thursday March 09, 2000 @07:35AM (#1214864)
    Someone outside the U.S. could implement a plugin that has the same API's as the binary iPlanet plugin using openssl library ... and then we wouldn't need to wait until the RSA patent expires...
  • by riggwelter ( 84180 ) on Thursday March 09, 2000 @07:35AM (#1214865) Homepage Journal
    In addition to office productivity software (StarOffice, KOffice, GNOME Office, ApplixWare - OK, that one's pretty well on the way to being sorted) the other major issue that the Open Source community needs to address is internet accessibility, and more specifically ease of use once online.

    Much as I hate to admit it, Internet Explorer is the browser to beat, largely because of M$'s [illegal?] bundling of it with the OS and OS integration, the average home user wants to be able to click on an icon that's there when they get their PC - that's IE.

    Mozilla is the only option for a compliant 'next-generation' browser. The browsers of the near future are going to have to be a one-stop-shop for net usage encompassing browsing with mail, news, instant messaging, chat, streaming media etc etc. This is possible with Mozilla. In addition, they have to be SECURE. When the traditional media report on the internet, and it's one of the rare occasions when it's not about porn, it's about shopping online, banking online, share dealing online. Security is a big BIG issue here.


    People who say they shouldn't be including this in beta software have clearly missed the point of beta software. If it doesn't get beta tested, how the hell is it ever going to be made ready for release to the general public?


    Go, download this version, test it, try it, even buy stuff with it, be as careful when doing so as you should be with any browser, but most of all, when you break it report it or fix it.

    --

  • When I first tried out Mozilla, it was unusable, as expected of early software of its type. M14 is very nice and stable, as it seems. I believe that it renders pages better and looks better than Netscape 4.7, despite what some people may say. I don't care for the password remembering stuff and other IE-like features, but I don't have to use them. This is a browser that will be used in the mainstream eventually (as Netscape 6.0), so it isn't a bad thing to have those things. Hopefully we see the jump to "beta" quality code soon.
  • Mozilla's UI is hugely configurable, and you're complaining about it's looks?

    In the spirit of open source, if you can do better, then fix the damn thing. If not, then wait until someone comes up with something better. If it's that bad, they will.

    It's pretty lame to complain about something that is fully configurable by any user.
  • What happened to dynamic reflow (or whatever you call it). I used to load slashdot in M13 (I think it was M13, maybe earlier) and it would progressively display as it loaded. Now it does the old Netscape thing of waiting for the last </table> before displaying anything. Give me back my reflow!
  • Although the Mozilla coders have disabled all other theme support in favour of XUL, the scrollbars on my copy use the GTKStep theme ...


    Chris Wareham
  • honestly, I think it is quite sexy. so much better than how Netscape looks under linux.
  • by um... Lucas ( 13147 ) on Thursday March 09, 2000 @07:47AM (#1214873) Journal
    Nothing needs to be the best at everything, nor should they even try.

    Browsers of the future SHOULD NoT try to encompass every task a user might want to do. Look at the current Netscape for instance... I actually like it the best of any of the browsers, but so far as it's email client goes, I'm much happier with Outlook Express... For it's Address book, again, i like outlook much more... For web page composition, Dreamweaver rules.

    Mozilla should focus on shipping a kick ass browser only... Think Navigator, not Communicator. The simpler the client, the less likely bugs will surface, the easier it is for people to download, and the sooner it can hit the actual beta stage followed by 1.0.

    There's so much progress that's been made on all the fronts... Instant messaging, Streaming Media, etc... They have huge head starts in infrastructure, usability and market saturation. There's no need to replace them And they're not broken... Don't fix them.

    Just as everyone gripes with Microsoft bundling the kitchen sink with their OSes... I'd much prefer not to have to download an email client that i won't use, codecs for a streaming system that i won't use, instant messaging that i won't use, and page layout software i won't use just to get a browser which i might like to use.
  • Yes it is.
    I guess you haven't tried Mozilla say 6 months ago. Current M14 is like from another planet if you compare it with M8 or older. They look like a bit same as it does now, but frankly, they weren't for real use. Now Mozilla is.
    And not to mention the time (About a year ago, if I remeber right) before Gecko and GTK+.
  • by Mathieu Lu ( 69 ) on Thursday March 09, 2000 @07:53AM (#1214876) Homepage

    From: http://www.fsf.org/fun/jokes/softw are.terms.html [fsf.org]:

    Alpha Test Version: Too buggy to be released to the paying public.

    Beta Test Version: Still too buggy to be released.

    Release Version: Alternate pronunciation of "Beta Test Version".

    I understand Mozilla is soon-to-be-beta, and this might scare away people from it's encryption, but could a possible crypto-related Open Source security hole be worse than a closed source 'to-be-enhanced-feature'?

    And talking about 'to-be-enhanced-features', have you seen the <IMG SRC="file:///c:\CON\NUL"> bug with IE/Win98? It makes the whole machine crash and burn. You can possibly also send this in html-email to outlook-users. Apparently (you might want to confirm this information), this was posted on BugTraq a year ago, but has recently been reposted because it was never fixed.

    Shit happens.

  • Just tested it at fortify.net [fortify.net]
  • Since Mozilla most likely will be the browser of the future Joe Desktop Linux system, I would suggest to those folks who have 'white-hat hack' in their blood to start to look for ways around the encryption, such as forcing a known encrypt key using trojans or BO or something of the sort. With open-source, you can bet the crackers will be looking for ways into the system. Mozilla needs to be ripped apart to work on its vulnerabilities. White-hatters can help secure it probably better than the programmers. Open-source can adapt far more quickly. Mozilla is the future for Linux. Aesthetics aside (pretty looks come after functionality), I'm looking for more security and stability than what IE and NS offers.
  • At last I can use Mozilla on sourceforge!

    We're getting there people!
    --

  • Have a look at bug 17325 [mozilla.org].
  • Yes I have to agree to that... I don't use IE more than I have to, because I don't like the way it's a security disaster, saving passwords like that and letting bad code run on your machine a little here and there. It made me so sad when Mozilla asked me to save a password... Come on guys make something new! Something good! Whats the use for the crypto if we're gonna handle passwords like that? I've had my hopes high for Mozilla... but M14 seems to do a worse job at rendering where M13 did just fine so I'm not sure what to think now...
  • This is great! I'm quite impressed. Even if mozilla does crash every so often, the feel of the mozilla client is 10x better than Netscape navigator. It also seems to work well enough to be usable. Previous releases of mozilla and the technology previews of Opera were downright sad. I could barely get them started before they would crash. Even if they did hang on for a while, the rendering engine couldn't deal with half of the web pages I went to. Mozilla M14 may be the release that takes mozilla over the top! :-) Jason
  • by Col. Klink (retired) ( 11632 ) on Thursday March 09, 2000 @08:41AM (#1214889)
    > Will this be folded into Debian Potato's US distro?

    Considering that Potato is currently in a freeze, I would imagine not. Perhaps it will go into Woody...
  • If you find a ftp server running win9x just change the directory to c:\con and ...BOOM! no more ftp serving. When I first read about this i thought it was a joke. Well, looks like win9x users get what they pay for, sigh.
  • True. Just try Hotmail.
  • Okay, I read the whole bug. Exactly what is being decided there?

    You know, Lynx lets you *set* the amount of data recieved between rendering passes. Surely that wouldn't be too difficult to implement.
  • I've been following Mozilla's development since the beginning. Unfortunately, I have not been able to seriously use Mozilla for more than a few minutes due to it's lack of Crypto support. I know this wasn't the fault of Mozilla and company, but rather the US of A's stoopid encryption laws.

    Finally, I can now start using Mozilla and do my part as a user to make this browser the best it can be! While I wish the entire thing were open source, what I (and most other people) care about is simply having viable alternatives. Now we all have one.

    Open Source certainly enables choice (look at Linux and all the variations of BSD), but it's not the only way to develop software. Believe me, I'm looking forward to the day RSA's patent expires. Then we'll have some real choices.

    -- PhoneBoy
  • It's strong and available to everyone.
  • Almost all the source code has been, or soon will be, released. Only the parts specific to RSA await the expiry of the patent. Until then, you can substitute your own RSA implementation (taken from, say, OpenSSL) and build your own binary from these sources. OK, it would be illegal if you're in the US, but you can do it.
  • by jelwell ( 2152 ) on Thursday March 09, 2000 @09:12AM (#1214897)
    I've been using the crypto version for a couple of days now (as a third party developer on the Mozilla project). I've noticed a lot of SSL sites actively enforce browser agents be what they believe to be the most current web browsers. Wellsfargo does this among others. In paticular wellsfargo won't let you sign in with Mozilla because it asks you to "Upgrade" to Netscape 4.X. That's a downgrade in my opinion.

    I've created a template form [singleclick.com] that you can fill out and then copy the results into your e-mail client to mail off to websites that aren't allowing you to log in because it thinks you should "Upgrade your browser".

    Joseph Elwell.

  • Works beautifully there. Too bad it's not on my banks 'approved browser list'. One step at a time I guess.
  • It's fascinating how RSA Data Laboratories was able to force the whole world to use RSA as their public key cryptography standard instead of the technically superior Diffie-Hellman/El Gamal algorithm. They did this by simply refusing to license Diffie-Hellman to anybody (yes, they owned a patent on that, back before it expired in 1997). Today the Diffie-Hellman algorithm has been out of patent protection for 3 years, but almost nobody uses it, because of the need to remain compatible with the large installed base of software that was forced to use RSA.

    Very interesting. Can anyone confirm this? I can only seem to find that Public Key Partners, not RSADSI held the patent on Diffe-Hellman. Is there any connection between these two companies?

  • In the spirit of open source, if you can do better, then fix the damn thing. Excuse me, but that's the spirit of fucking laziness. Face it - Open Source software is just as bad as propriatery software when it comes to horrible, bloated interfaces. You thought IE was bad? Wait till you see what AOL does to Mozilla....
  • Sorry, my Slashdot number is lower. :)
  • I have you both beat.
  • The way to do this would be to make a PKCS#11 ("Cryptoki") module that does crypto in software. (PKCS#11 was designed for smartcard access.) PKCS#11 is a common standard supported by PSM, Communicator, all the Netscape/iPlanet servers, and other vendors' products as well.

    In fact, most of the "boilerplate" code you'd need is in the open NSS code released on mozilla.org -- but Mozilla/AOL/iPlanet can't do this, it'd have to be done outside the US.

    So get cracking!
  • I haven't been too fond of the Mozilla that comes with Debian slink, but this new one seems nice, if a touch pokey. I'll use it now, even if there are some minor bug issues.

    I'd help fix the bugs, if only they'd rewrite it in Perl...

  • I agree, 4 digit PIN's are useless. I know on one of my bank accounts my PIN is 12 digits (the maximum possible), but at my other 2 accounts 4 is the max! What is with these banks? Just because some people have trouble remembering more then a 4 digit PIN doesnt mean I do. Why, in this world of ever-increasing HD space is the maximum normally 4 digits? This astounds me.

  • Uhh, 4-digit PIN is a requirement if you travel anywhere. It is the standard for much of the world.

    But yeah, a lot of people are fooling themselves about this. I presonally don't even shop anywhere but online now anyway, except for large purchases. So much more convenient, don't have to waste any time in a store. I hate shopping.
  • Have you ever heard the truism

    "The simplest answer is the best"

    DSA/El Gamal is much more convoluted than RSA. RSA is simplicity and elegance in an algorithm. I trust RSA more because it is better understood, and since it is simpler, there are fewer attack vectors for a cryptanalyst.

  • Would you rather it not have any crypto support?

    The Mozilla Crypto FAQ [mozilla.org]. Read it. It explains how the developers will return to release this source and include it with Mozilla later, when the patents expire. Or maybe you'd rather they broke the patent and made the whole damn browser illegal?

    Think before you post...

  • Yes, well said!
    OE definitely has advantages- multiple POP accounts, for one, are something I've needed for a long while. Netscape's lack of support for such is simply unexcusable, IMO.
    Overall, it would certainly be better to be able to download the various components of Mozilla. I use ICQ, but very rarely. I have no need for another IM agent. The fact that every Netscape release I d'load FORCE installs AIM, with NO uninstall option, really pisses me off- gotta delete the directory, then hunt down all the registry keys for it. Argh.
    Why should I have to load a whole bunch of .dll's or whatever for components I have no interest in using. Netscape/M14 take long enough to load as it is.
    Of course, Mozilla will never be as fast as IE- the advantages of being tied directly to the OS instead of having to move through another layer are unbeatable. Unless/til MS opens their API's entirely, this will not be overcome. I would really dig being able to decide what I want to use to browse my system on Windows install- Netscape or Explorer?
    If Netscape can't do it all on a direct, API level, then don't TRY! Let me d'load and install the specific components I want to use- don't bunch everything together as 'program files', then give me lame optionals like RealPlayer and such.
    I'm also not all that impressed with how Mozilla is shaping up- an earlier poster hit it dead on when he said a 'poor imitation of IE'. Password saving? Ugh. Nav bar on left side? What was wrong with bookmarks? I want innovation! But sadly, perhaps MS actually had a point- as IE certainly seemed to be more innovative than M* is turning out to be. That's a sad, sad development.
  • I was thinking about the bundling deal just today. If Mozilla turns out a success, which is in high likelihood, what are the odds that vendors will ship PC's with Mozilla (or NS5, or whatever it ends up being called) installed, with a nice, shiny icon right on the desktop? Let the users choose their browser.

    Would the 800-pound gorilla dare to stop them, given that their current business practices in the "muscling of vendors" realm are currently under inspection?

    And what about AOL? Are they planning on making Mozilla their default browser, embedding it into AOL software much like IE is today embedded there? If so: instant market share!!

  • Hmmmm... but if you're going to save a password to disk, it's always going to have to be in a reversable form isnt it? I mean, most of the damn things are actually sent as plaintext in the end. Only way I can see is to password protect the passwords... but thats kinda worthless.
  • Has something changed? Richard Stallman has argued [gnu.org] that the MPL is not GPL compliant. Has his position changed? I think not. Last week Miguel of Gnome fame mentioned (no url) that Mozilla couldn't be included in Gnome because it is non-GPL compliant. -Unless I'm mistaken, Debian still doesn't allow non-GPL compliant code into their distribution.
  • Mozilla is no longer open source since now they are going ahead and including binary only stuff.

    There is no binary-only code hosted on mozilla.org as part of the Mozilla project. The Netscape Personal Security Manager binaries (which provide SSL support for Mozilla) have been provided by iPlanet, because they have the license from RSA to include the necessary code and algorithms to build a complete binary executable ready for use (in this case under the "Netscape" brand).

    All of the other code in PSM is or will be available in source form on the mozilla.org site [mozilla.org]. People who want to use that source code to build their own PSM binaries will be able to do so, as long as they have separate source code to implement the RSA-licensed parts.

    For reference, there are three sets of relevant source code needed to provide SSL support for Mozilla:

    • Source code in Mozilla itself to call out to PSM. This is already on the M14 branch in complete form.
    • Source code in PSM and the underlying Network Security Services (NSS) library, where the SSL protocol is implemented. Most of this source code is already available on mozilla.org; the rest will be released after being cleaned up for public release.
    • Source code in the RSA-proprietary library to do the actual encryption operations. This source code will never be available on mozilla.org (not being open source), and will have to replaced with equivalent code from other sources.

    As always, for more information see the Mozilla Crypto FAQ [mozilla.org].

  • Until I can log into E*Trade [etrade.com], I can't move over to Mozilla. And M14-crypto doesn't do E*Trade (for me).

    The only other thing keeping me from making the switch is the lack of support for mail filters. I get too much email to have it all swamp my Inbox

  • IE 5 supports 70% of CSS 2 [w3.org] (last I heard) but as you say, it's not really solidified yet, so Microsoft reckon they won't bother trying to get support up to 100%, maybe 95% at best. (I'm reliably working on hearsay here BTW)
    I suppose you could check out W3 [w3.org] for more info on CSS 1, 2 and (sigh) 3. (I really would rather if people got serious about standardising "standards" these days).

    Mozilla M14 supports CSS rather well as far as I can see, which is already a big improvement on Netscape 4.x

  • There is a solaris machine in the tinderbox, so solaris is considered a first-tier platform (ie, solaris build-breakage automatically closes the tree to checkins). Also, most of the memory-leak kinds of analysis of mozilla is done on solaris w/ Purify.
    I think Sun may distribute the binaries instead of mozilla.org though for some reason.

    Irix, I don't know, you could look on netscape.public.mozilla.builds on news.mozilla.org (NNTP) and you might find out...
  • ./configure --disable-mailnews

    there, that was easy, wasn't it?
  • The subject says it all.

    Potato (web subsection) alread includes mozilla m-13.

  • Actually, Debian allows software in their distribution as long as it conforms to the Debian Free Software Guidlines [debian.org], which the MPL does.

    Also, the Mozilla SSL implementation (in the Personal Security Manager and Network Services Services library) was released under both the MPL and GPL. This was done specifically to allow this code to be used in GPLed software. See the Mozilla Crypto FAQ [mozilla.org].

  • Your post is another example of Linux zealots attacking anything which does not come from the "golden fingers" of Linus Torveldes.

    No, I'd much rather it came from the hands of Bill Gauyetes.

    Internet Explorer has been proven to be far more standards compliant than any of the so-called browsers that run on Linux.

    Of course it's easy to make a "standards-compliant" browser when you can make your own standards and then force everyone to accept it.

    Ever heard the joke? How many microsoft programmers does it take to change a lightbulb? None, they declare darkness to be a new standard.

  • Although M14 crashed just as often as Netscape did for me, last night's nightly build has been rock-solid for me so far. My question is, do I need to have M14 to get the PSM? If so, i'd rather just stick with my stable Mozilla and no crypto.

    Mike Roberto
    - roberto@apk.net
    -- AOL IM: MicroBerto
  • Much as I hate to admit it, Internet Explorer is the browser to beat, largely because of M$'s [illegal?] bundling of it with the OS

    Funny, IE for the Mac is a /totally/ superior product to Navigator, and there's no OS bundling going on there. Microsoft has (finally?) produced a quality product, in IE 4.5 for the Mac, and this should be the baseline for Mozilla to shoot at.

    I build a new Mozilla out of CVS every couple of days on my Linux box at work, and it's getting very much better than it used to be. Soon it will surpass the (wretchedly bad) Navigator 4.x in functionality, and I can switch over for my daily work. The Mozilla team is to be commended for producing a workable, complex piece of software.

    That said, it's still unusable for me -- I can't abide by the software crashing every 10 minutes or so. And it sadly looks like the Mozilla team is shooting at doing nothing better than replacing the state of the art from two years ago.

    Why is are precious tuits being spent on replicating the worst parts of the comically inept Communicator? Why is there a mail/news client? Why is there a html editor? Neither of those two components address the true problem with the Free Software universe (at least as regards to web parity with the non-Free platforms): web browsing.

    In addition, it'd be nice to see the adaptability of iCab [www.icab.de], in particular, the excellent support for cookie management and content filtering. A free browser that did NOTHING BUT BROWSE would be huge huge winnage.

    Just my .02$.

    (jfb)
  • by Windigo The Feral (N ( 6107 ) on Thursday March 09, 2000 @11:24AM (#1214931)

    Mostaphalles dun said:

    I don't recall exactly when I saw this, around 1995/1996, but accessing the internet in some countries is/was punishable by death. I remember specificlly many African countries and in Singapore it was punishable by death to be on the net. I know this is not longer the truth in singapore but it may still be in some countries, i'd love to hear about it if anyone else knows anything about this. Oh yeah, the info was in a wired article... please reply if you know anything else on the topic...

    Well, I don't remember the article in question, but I can note on some stuff (mostly from having been on the net that long)...

    As far as I know, only one nation has ever had the death penalty for using the net, and that is Taliban-controlled areas of Afghanistan. (The Taliban-controlled areas have severe restrictions and/or outright bans on very nearly all media, including most print media, TV, movies, and even music--they outright make the Bad Old Days of sharia law in Iran look downright liberal in comparison.)

    Some countries in central Africa may well have had severe restrictions (including imprisonment, though I doubt the death penalty) for unapproved connections, and most of the Islamic countries have always had severe restrictions on Internet connections (usually requiring proxies, etc.)... don't remember seeing anything on death penalties, though.

    Myanmar may have had such a restriction; reportedly, modems are illegal unless specifically licensed by the government there, and an unlicensed modem can land one in prison for a good long time.

    Notably--most of thesee countries that would have problems with it don't make the net illegal as much as they'd make all "unathorised" or "unlicensed" publishers illegal--it's far more likely they'd get you for "publishing subversive publications" or the like.

    I can state with some certainty that Singapore wasn't one of the places that had the death penalty for using the net, though (I remember *.sg addys from 1992-1993), and the government finally started restrictions around 1996 or so (basically national firewall).

    As an aside: Most countries that are going to be so repressive as to literally mandate the death penalty for unlicensed connections to the net have very poor or no Internet connectability whatsoever. Many countries in central Africa pretty much only have UUCP connections to the rest of the world (mostly through stuff like Doctors Without Borders, and occasionally university connections), and an increasing number of those are actually getting full Internet at least for universities. Iran (Yes, Iran) even has full Internet, and even one or two ISPs operating there...

    About the only countries I know of with no Internet connections are Iraq, Libya, North Korea, and Afghanistan...Iraq is basically being shunned by the rest of the world and had most of its infrastructure bombed back into the stone age, and most of the folks there have more serious worries (like food and meds and shelter); Libya was likewise shunned due to UN sanctions (its domain is being operated as a vanity domain out of the UK) but this may change now that most UN sactions are being dropped; North Korea both is shunned and pretty much has walled itself off from the rest of the world (about the only country MORE isolated is Afghanistan), its people have more important things to worry about (like food) and the leaders are xenophobic enough to pretty much avoid anything like the net like the black plague; Afghanistan, well, it has the Taliban (fun with psychofundy Sunni Moslems that make the hardline mullahs in Iran seem downright grandfatherly) and I mentioned some of the fun stuff they ban earlier...as for the rest of Afghanistan, just about everything above a molehill was blown to smithereens long ago, they have more important stuff to worry about (like food, shelter, not having the entire country taken over by the Taliban, etc.). Short of a miracle, none of these folks are going to be getting Internet access anytime soon. :P

  • In paticular wellsfargo won't let you sign in with Mozilla because it asks you to "Upgrade" to Netscape 4.X.

    Wells Fargo won't even let me in with Netscape 4.72 for Windows. Last week they told me March 9th for the testing to be complete, but I'm still being redirected to the "denied" page. They're saying 1700 pst (-0800), now.

    At least in the case of Wells Fargo, they seem to actually do some testing of browsers. I can see that a browser could have secure crypto and defeat the crypto entirely by doing something else stupid. So for banking, useragent checking is appropriate. Imagine the liability if they approve a browser that leaves passwords in its cache...

  • Funny, IE for the Mac is a /totally/ superior product to Navigator, and there's no OS bundling going on there. Microsoft has (finally?) produced a quality product, in IE 4.5 for the Mac, and this should be the baseline for Mozilla to shoot at.
    Painful as it is for non-M$oft fans to admit (and yes, it stabs me too :+) IE5 is overwhelmingly superior in most respects to NS4.x - it is more stable, comes bundled with more plugins, loads faster and loads *pages* faster. If there was an IE5 for linux, I suspect there would be an eager user base.

    Perhaps this is a good thing, perhaps bad - but it gives the Mozilla team a hard target to reach.
    --

  • by slashdot-me ( 40891 ) on Thursday March 09, 2000 @11:46AM (#1214935)
    First off, performance and real usability issues should always take priority over eye candy. I don't have resources to waste on pretty bs.

    Why does mozilla break all the user interface rules (like middle button scrolling)? This pisses me off because they must have spent a bundle of time reimplementing the entire keyboard/mouse logic (incorrectly). Don't fix [break] it if it isn't broken.

    For an OS that started on text terminals, linux sure jacked up it's keyboard handling. Back in my windows days I didn't use the mouse (ever, 'cept browsing). With linux I have to use it all the time. I suppose it's really the windows manager / x server / apps fault but it makes the whole system suck.

    If you disagree you can post you reasons. If you have no reasons moderate me down instead.

    Ryan
  • However, since it just recently got updated (I think today or yesterday) to M14, it will likely be a short while before they have the crypto version.

    Posted using M14 on Debian :)
  • Um, actually, I think Mozilla does allow you to lock it's saved password database using a password. It may seem silly, but locking up fifty passwords using just one is kind of convenient.
  • Whenever I use netscape, I have the buttons not shown. Why? Because they're way too large! Even at 1024x768, they take up what I consider to be an unacceptable amount of my viewing area. IMO, Mozilla definitely did the right thing by making smaller buttons, and putting them on the same plane as the URL.

    As for the interface in general, I also like that better than Netscape (I'll not mention IE, which is truly hideous).

  • Everyone knows that it's not ready for the primetime and uses it knowing that it's a work in progress.

    Unfortunately this is not the case. Check out the mozilla newsgroups (especially wishlist) and see all of the "foo.com doesn't work in mozilla. This browser sux, IE is so much better" messages.


    ---
    Zardoz has spoken!
  • 1. The top one has got to be that I can't do standard *NIX middle-button-paste with Mozilla. I actually have to highlight text, then select "Copy", and then I can middle-button-paste. This is quite annoying...I don't want to use "Copy", that's one of the reasons I don't like Windows or MacOS.

    2. Almost as annoying is the fact that the middle button is no longer set to "Open link in new window". Again, that's one of the things I like about Netscape under Linux.

    3. I want to be able to define my own shortcut keys, because I will almost certainly never agree with the ones anyone else chooses.

  • Ok, I can understand that point. But the problem is Mozilla allows you to lock the password file. But what if you dont? Most users wont. The security problems for example IE has wont be much for a /. user, the problem is when it comes to all the clueless people out there who hardly know how to handle a computer.

    - Save the passwords? Oh how convenient...

    I refuse to call something intended for broad public use secure, until it's secure by default.

    Whats the use in having a burglar alarm if you dont tell anyone how to turn it on?

    Also, it still has to be reversably-encrypted, the passwords have to be sent plaintext. All someone really has to do is to get someone's password file, and run it through a password cracker with a huge list of words, and he'll break it if the user isn't exremely security-minded.

  • IIRC, RSADSI owned a stake in PKP while it was in operation.
  • The banks security responsibility for my browser ends at the transport encryption. They have done two things that really irritate me: The webpage says that browsers 4.something and later are acceptable, and also, specifically says that 4.72 netscape is allowed, when it isn't yet. I think they should allow any browser that can negotiate and ssl connection. If you're worried about what my browser does with it's cache as a liability issue, why aren't you worried about the liability of someone looking over my shoulder while I browse? For that matter, why doesn't anybody see the (10**4) pin for the atm as the weak point of banking security?
  • Don't forget, Mozilla's Open Source. AOL can't really do much to Mozilla that we can't fix; besides, I don't think they'll even touch the browser itself. The reason they don't use Netscape now is that they need an embeddable browser that they can integrate into their client software. So, Gecko is really all they want. The Mozilla shell we are using now probably won't even be touched.

    Besides, I don't think the UI is that bad. It's all a matter of taste, really, and that's where themes come in.

    Here's my [radiks.net] DeCSS mirror. Where's yours?

  • Okay, if there's a certain feature in IE that we don't like, we have to live with it. But Mozilla is open source, man. Just don't compile it in. Or run in simplebrowser if that's what you prefer. All of these extras can easily be removed, which makes it so much better than any other browser available; you can totally customize it. I can't even uninstall IE. I really don't understand all of this complaining.

    Here's my [radiks.net] DeCSS mirror. Where's yours?

  • This is bug 18895, which affects list boxes, and may or may not be fixed by beta. Eventually all widgets, including scrollbars will be cross platform and therefor skinnable. Which I think is pretty nice.
  • I kind of miss my drop-down location bar too. If you look up to the menus, you'll notice one labeled "go". Apparently, that functions the same as the drop-down menu. I hope they're not thinking of using that instead; I like the drop-down menu a lot more.

    Here's my [radiks.net] DeCSS mirror. Where's yours?

  • I downloaded a milestone for freebsd, ran it. According to top it ate up 60 seconds of cpu time before even displaying anything. Then I clicked on the left sidebar thing and it core dumped.

    Sweet piece of k0d3.
  • 1. yep. I hope they fix that

    2. Bug #6085. there is a patch attached, hopefully it gets checked in before beta

    3. You can (if so inclined) edit the XUL. But yes, there needs to be a pref dialog for this.
  • Considering I posted this from a potato box running M14 it's not that frozen :>
    I think you mean released distro instead.
  • Just wanted to mention that if you want to get crypto on mozilla, you really want to check out Fortify [fortify.net]

    --

  • If it uses RSA, inside the US, it doesn't matter where it was developed, the user needs a license from RSA (or to use RSAREF, see below).

    If it doesn't use RSA, it doesn't matter where it was developed, the user doesn't need a license from RSA.

    The whole 'outside the US' thing was the traditional response to export controls, not to the use of RSA. US-residing RSA users legally need to use either a licensed version of the RSA algorithm, or use the old RSAREF library that was released to the public (and is horribly slow and buggy).


    --
  • what am I missing? Everytime I get suckered by these announcements... someone always says 'Mozilla has made *so* much progress, its looking really great!' and I dutifully go any download it... I use linux at home, but win32 at work, so I download the windows version and install, and am presented with the buggiest, shitiest pile of dog-turd Ive ever seen... are people blind? The thing crashes every other minute, the widget set is attrocious and there are soooo many bugs you would probably finish quicker if you started again

    What am I missing? Is Mozilla really the 'killer app' everyone's been waiting for, or is everyone just so hopeful that they are blind to the fact that its a steaming pile on the carpet???

  • On a somewhat unrelated note, does anyone else think the Mozilla logo reminds them of the russian hammer & sickle logo?
  • Okay, lets stop with the assumptions. As someone has reiterated... IE is NOT fully standards compliant. With the exception of Mozilla, IE is the most standards compliant browser available. And yes, Mozilla is still buggy as hell... but thats because its ALPHA software. IE is release. I use windows fairly often - and im even considering an MCSE and such... but I dont back either browser totally. I like linux better than windows - whether some of that is subjective or not, its irrelivant - i like it better - so I'll use the best browser I can for it. Right now, thats NS4.x, soon it'll be mozilla. It'll probably never be IE. On windows, I'll probably use IE over Mozilla because I wont have to download it. (there goes that monopoly thing again). Also, if you want to have your oppinion respected a bit more, you should really post as something other than an anonymous coward... then we know who we're responding to.
  • Much as I hate to admit it, Internet Explorer is the browser to beat, largely because of M$'s [illegal?] bundling of it with the OS and OS integration, the average home user wants to be able to click on an icon that's there when they get their PC - that's IE.

    I think Internet Explorer is the browser to beat not only because almost all new pc's ship with it, but because it is the easiest to write attractive pages for. Just compare how much richer the Document Object Model is for IE than Netscape (haven't tested any DHTML in Mozilla yet). I've read the W3C specs, I've tore through the o'reilly books on web programming languages galore, and I've written and seen enough pages work brilliantly (and this is just javascript and css, nothing insecure) in IE that crash and burn in NS not because of bad code but because IE is just plain better at rendering the source it's given.

    That's what I WANT mozilla to be... the browser that I can write webpages for that are fun to look at (ie, use current authoring technology) but provide good content in Linux.
    B1ood

  • I can't wait until Mozilla makes a non-alpha or beta release! BTW, why does the logo look like China's flag?

    rbf aka pulsar
  • I'm actually the person who's implimenting the back-end component to handle the drop-down url bar. Wanna help?
  • Yes, but it would be nice to have the same mail manager on different platforms wouldn't it.
    It would be nice to have something a little less prone to macro viruses than Outlook and perhaps even something that uses less memory.
    It might even be nice to have a quick-and-dirty web-page editor which was standars compliant - it might take a couple of windows users away from Outlook Express!
  • Why does mozilla break all the user interface rules (like middle button scrolling)? This pisses me off because they must have spent a bundle of time reimplementing the entire keyboard/mouse logic (incorrectly). Don't fix [break] it if it isn't broken.

    Mozilla was started from a brand new codebase - they didn't fix/break netscape, they just threw it away and started again. If you don't like it, you know where you can stick it - mozilla.org, where you can place requests, bugs and even bug fixes. Alternatively you could just keep it to yourself and moan on and on.
  • Yeah ... Isn't it great ? =)
  • I feel the parent story Re:Internet=Death? [slashdot.org] should be a comment for the Ask Slashdot story about social factors and the Internet, but I am reading it from "Mozilla whit crypto code released".

    Human error or mangled database?
    --
  • I will not say anything in defense of the NSA-developed Digital Signature Algorithm, but El Gamal is a different matter. El Gamal is by no means more convoluted than RSA; in fact my experience is that El Gamal is a good deal simpler.

    Diffie-Hellman is extremely simple and was discovered a good deal earlier than RSA. El Gamal is a totally obvious extension of Diffie-Hellman, in which the Diffie-Hellman key exchange protocol is made into a public key cryptosystem in the simplest way possible: replace the predetermined secret exponent with an on-demand random one!

    The only reason it took seven years to develop El Gamal's algorithm is that the scientific culture at the time was predominantly convinced that algorithms (even cryptographic ones) had to be deterministic. If you had tipped off any researcher in the field about run-time randomization of Diffie-Hellman, they could have produced El Gamal's 1984 paper off the top of their head. RSA is deterministic, requiring no random numbers at run time. Ironically, nowadays all RSA implementations introduce randomization in some form because it is obvious that a purely deterministic algorithm is not secure: Would you trust an encryption algorithm where the messages "Yes" and "No" always encrypt to the same two output messages?

    As for your implication that RSA is more trustworthy than El Gamal, you might want to read Question 2.14 [clara.net] of the PGP DH vs. RSA FAQ, where various well-known experts assert that (as far as we know) all known ideas for solving the discrete log problem have direct applicability to factoring, whereas the reverse is not true. We know that factoring does not allow you to take discrete logs, whereas on the flip side there is strong evidence that if you can take discrete logs you can factor. All this and more is explained in the FAQ; the upshot is that most mathematicians, if forced to pick one of the two, would say that the factorization problem is likely to succumb before the discrete log problem succumbs. Of course the underlying hard problem is not the whole story, since neither RSA nor El-Gamal have been proven equivalent to the underlying hard problems, but it's the best we can do so far considering that no one has demonstrated any way to break the algorithms except through the underlying hard problems.

    Finally, the very simplicity of using the same key for both encryption and signing is also a liability, in that if both keys are the same then anyone who is able to get one key (for example by a court order) is then able to forge the other operation as well. In the current political climate, I'd certainly like my signature key to remain valid even if the government seizes my encryption key.

  • Apparently, it can do ETrade, but only some of the time, because of some weird timing bug. It will be fixed, but not in time for beta 1. Look at bug 24679 [mozilla.org].

    As for mail filtering, I'm not sure exactly what the status is on that, although there are a few bug specifically relating to mail filtering: here [mozilla.org], here [mozilla.org] and here [mozilla.org].

  • On windows much of the keyboard/mouse logic is handled by the OS (common dialogs/common controls). Doesn't linux (gtk/E/gnome/swamill/whatever) do something similar? Or does everyone have to reinvent the wheel?

    Ryan

Perfection is acheived only on the point of collapse. - C. N. Parkinson

Working...