From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@cyberpass.net
Message Hash: 786bd7ba5a229abcdffd654db8f7fdd808bfc42ea691f204456472f39bb48185
Message ID: <v04020a51b24c4b244dc8@[139.167.130.246]>
Reply To: N/A
UTC Datetime: 1998-10-16 02:16:51 UTC
Raw Date: Fri, 16 Oct 1998 10:16:51 +0800
From: Robert Hettinga <rah@shipwright.com>
Date: Fri, 16 Oct 1998 10:16:51 +0800
To: cypherpunks@cyberpass.net
Subject: RE: FYI: More on WebTV security
Message-ID: <v04020a51b24c4b244dc8@[139.167.130.246]>
MIME-Version: 1.0
Content-Type: text/plain
--- begin forwarded text
From: Pablo Calamera <pablo@microsoft.com>
To: "'dstoler@globalpac.com'" <dstoler@globalpac.com>, rah@shipwright.com,
mac-crypto@vmeng.com
Cc: jimg@mentat.com
Subject: RE: FYI: More on WebTV security
Date: Thu, 15 Oct 1998 17:19:11 -0700
comments inserted, extraneous text deleted.
> -----Original Message-----
> From: dstoler@globalpac.com [mailto:dstoler@globalpac.com]
> Sent: Tuesday, October 13, 1998 5:39 AM
> To: Pablo Calamera; rah@shipwright.com; mac-crypto@vmeng.com
> Cc: jimg@mentat.com
> Subject: Re: FYI: More on WebTV security
>
> [stuff deleted]
> The press release implies that there is secure end-to-end
> email between two WebTV customers.
The wording is somewhat ambiguous though it does have more of a bent on the
security of the transport layer. Perhaps it could have been clearer and
specifically said that messages where encrypted during transport using 128
bit encryption.
> Perhaps I am overly cynical, but I am guessing that they are
> using SSL (TLS) from a web based email application on the
> client to WebTV's servers. I presume email data is decrypted
> at the servers, then re-encrypted to the recipient when she
> uses the WebTV client to read email.
Close. We could not even export SSL (TLS) with 128 encryption in this
scenario. We have a proprietary transport protocol that we use that employs
128 bit RC4.
> This approach would allow access to private email at the
> servers by WebTV employees or law enforcement agencies.
>
> Note the careful use of the phrases "unauthorized party" and
> "without posing undo risks to national security and law
> enforcement" in the press release.
>
> I believe that WebTV's email security is directly coupled to
> their ability to establish and enforce good security policy
> within their operation and the trustworthiness of the
> employees who have access to sensitive data.
Partially true. We believe a major component of our security is indeed in
the encrypted transport of your email from the service through the internet,
through a leased POP to your box. Our Privacy Policy and Terms of Service
are available for your viewing.
http://webtv.net/home/privacy_text.html
http://webtv.net/home/tos_text2.html
This level of protection goes beyond email to registration,
preferences/setup, "favorites" etc... Virtually all communications with the
WebTV service.
> I am concerned that carefully constructed wording of
> Microsoft's press release implies stronger email security
> than really exists. I hope I am wrong.
We believe that with the level of encryption and the quality of our network
operations that we have the best level of privacy protection for our users
of any online service. I agree that the carefully worded press release may
imply more than what we got. But we are very happy with this initial step.
It has taken a very long time just to get export approval for this
architecture and we look forward to further relaxation of export controls so
we can compete on even footing with our foreign competitors.
Pablo
> David Stoler
>
>
> Key paragraphs from Microsoft's press release:
>
> WebTV Networks has been granted the first export license to
> use strong 128-bit encryption for any user and any
> application in Japan and the United Kingdom. So, for example,
> an e-mail message with personal information sent from a WebTV
> subscriber in Japan to a second WebTV subscriber in Japan
> will be sent securely because there is no known technology by
> which an unauthorized party could intercept and decipher it.
>
> Therefore, as part of the WebTV Network, the WebTV-based
> Internet terminal (starting at under $100) is now the most
> secure communications device available from a U.S. company.
>
> "WebTV Networks' export approval is a significant step for
> industry and reflects the U.S. government's commitment to
> promoting e-commerce abroad," said William Reinsch, U.S.
> undersecretary for export administration. "The WebTV Network
> provides secure communications for its customers and partners
> without posing undue risks to national security and law enforcement."
>
>
>
--- end forwarded text
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Return to October 1998
Return to “Robert Hettinga <rah@shipwright.com>”