--- begin forwarded text
From: Pablo Calamera <pablo@microsoft.com>
To: "'dstoler@globalpac.com'" <dstoler@globalpac.com>, rah@shipwright.com, mac-crypto@vmeng.com
Cc: jimg@mentat.com
Subject: RE: FYI: More on WebTV security
Date: Thu, 15 Oct 1998 17:19:11 -0700
comments inserted, extraneous text deleted.
-----Original Message-----
From: dstoler@globalpac.com [mailto:dstoler@globalpac.com]
Sent: Tuesday, October 13, 1998 5:39 AM
To: Pablo Calamera; rah@shipwright.com; mac-crypto@vmeng.com
Cc: jimg@mentat.com
Subject: Re: FYI: More on WebTV security
[stuff deleted]
The press release implies that there is secure end-to-end email between two WebTV customers.
The wording is somewhat ambiguous though it does have more of a bent on the security of the transport layer. Perhaps it could have been clearer and specifically said that messages were encrypted during transport using 128-bit encryption.
Perhaps I am overly cynical, but I am guessing that they are using SSL (TLS) from a web based email application on the client to WebTV's servers. I presume email data is decrypted at the servers, then re-encrypted to the recipient when she uses the WebTV client to read email.
Close. We could not even export SSL (TLS) with 128-bit encryption in this scenario. We have a proprietary transport protocol that we use that employs 128-bit RC4.
This approach would allow access to private email at the servers by WebTV employees or law enforcement agencies.
Note the careful use of the phrases "unauthorized party" and "without posing undue risks to national security and law enforcement" in the press release.
I believe that WebTV's email security is directly coupled to their ability to establish and enforce good security policy within their operation and the trustworthiness of the employees who have access to sensitive data.
Partially true. We believe a major component of our security is indeed in the encrypted transport of your email from the service through the internet, through a leased POP to your box. Our Privacy Policy and Terms of Service are available for your viewing.
http://webtv.net/home/privacy_text.html
http://webtv.net/home/tos_text2.html
This level of protection goes beyond email to registration, preferences/setup, "favorites" etc... Virtually all communications with the WebTV service.
I am concerned that carefully constructed wording of Microsoft's press release implies stronger email security than really exists. I hope I am wrong.
We believe that with the level of encryption and the quality of our network operations that we have the best level of privacy protection for our users of any online service. I agree that the carefully worded press release may imply more than what we got. But we are very happy with this initial step. It has taken a very long time just to get export approval for this architecture and we look forward to further relaxation of export controls so we can compete on even footing with our foreign competitors.
Pablo
David Stoler
Key paragraphs from Microsoft's press release:
WebTV Networks has been granted the first export license to use strong 128-bit encryption for any user and any application in Japan and the United Kingdom. So, for example, an e-mail message with personal information sent from a WebTV subscriber in Japan to a second WebTV subscriber in Japan will be sent securely because there is no known technology by which an unauthorized party could intercept and decipher it.
Therefore, as part of the WebTV Network, the WebTV-based Internet terminal (starting at under $100) is now the most secure communications device available from a U.S. company.
"WebTV Networks' export approval is a significant step for industry and reflects the U.S. government's commitment to promoting e-commerce abroad," said William Reinsch, U.S. undersecretary for export administration. "The WebTV Network provides secure communications for its customers and partners without posing undue risks to national security and law enforcement."
--- end forwarded text
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'