1998-10-13 - Re: FYI: More on WebTV security

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@cyberpass.net
Message Hash: e62807a1d756c502799ac507af9626e4b0102bcf984fcc7791701e5c3637559a
Message ID: <v04011722b24904a8f519@[139.167.130.246]>
Reply To: N/A
UTC Datetime: 1998-10-13 14:01:11 UTC
Raw Date: Tue, 13 Oct 1998 22:01:11 +0800

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Tue, 13 Oct 1998 22:01:11 +0800
To: cypherpunks@cyberpass.net
Subject: Re: FYI: More on WebTV security
Message-ID: <v04011722b24904a8f519@[139.167.130.246]>
MIME-Version: 1.0
Content-Type: text/plain




--- begin forwarded text


X-Sender: dstoler@gptmail.globalpac.com
Mime-Version: 1.0
Date: Tue, 13 Oct 1998 05:38:59 -0700
To: Pablo Calamera <pablo@microsoft.com>, rah@shipwright.com,
        mac-crypto@vmeng.com
From: dstoler@globalpac.com (dstoler)
Subject: Re: FYI: More on WebTV security
Cc: jimg@mentat.com

Dear all,

This message discusses Microsoft's recent press release where they announce
unlimited 128 bit RC4 export approval for WebTV users in Japan and the UK
with no key escrow. They announce secure email between WebTV users in
addition to security for financial services, web shopping, etc.

http://www.microsoft.com/presspass/press/1998/Oct98/EncryptionPR.htm (See
the end of this message for key paragraphs of the press release.)

I rarely post messages on the crypto mailing lists. I am sufficiently
disturbed by Microsoft's recent WebTV press release that I feel compelled
to comment.

The press release implies that there is secure end-to-end email between two
WebTV customers.

Perhaps I am overly cynical, but I am guessing that they are using SSL
(TLS) from a web based email application on the client to WebTV's servers.
I presume email data is decrypted at the servers, then re-encrypted to the
recipient when she uses the WebTV client to read email.

This approach would allow access to private email at the servers by WebTV
employees or law enforcement agencies.

Note the careful use of the phrases "unauthorized party" and "without
posing undo risks to national security and law enforcement" in the press
release.

I believe that WebTV's email security is directly coupled to their ability
to establish and enforce good security policy within their operation and
the trustworthiness of the employees who have access to sensitive data.

I am concerned that carefully constructed wording of Microsoft's press
release implies stronger email security than really exists. I hope I am
wrong.

David Stoler


Key paragraphs from Microsoft's press release:

WebTV Networks has been granted the first export license to use strong
128-bit encryption for any user and any application in Japan and the United
Kingdom. So, for example, an e-mail message with personal information sent
from a WebTV subscriber in Japan to a second WebTV subscriber in Japan will
be sent securely because there is no known technology by which an
unauthorized party could intercept and decipher it.

Therefore, as part of the WebTV Network, the WebTV-based Internet terminal
(starting at under $100) is now the most secure communications device
available from a U.S. company.

"WebTV Networks' export approval is a significant step for industry and
reflects the U.S. government's commitment to promoting e-commerce abroad,"
said William Reinsch, U.S. undersecretary for export administration. "The
WebTV Network provides secure communications for its customers and partners
without posing undue risks to national security and law enforcement."

--- end forwarded text


-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'





Thread