overseas PGPfone and Netscape

I've seen some threads about (1) the new PGPfone, (2) the new US-version of Netscape and leakage.

So my question:

[Important] Do you know some non-US URL with the latest version of PGPfone for Win? (I monitored the usual European repositories quasi day to day, but it was always the old version)

[Less important] Ibid. for the new US-Netscape (with full 128-SSL) (I suppose there is a copyright problem for such a -hum- mirroring)

Best regards,
Jean-Paul

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Jean-Paul et Micheline Kroepfli (our son: Nicolas and daughter: Celine)
eMail: JeanPaul.Kroepfli@utopia.fnet.fr    Also Compuserve and MSNetwork
Phone: +33 81 55 52 59 (F)     PostMail: F-25640 Breconchaux (France)
   or: +41 21 843 27 36 (CH)         or: CP 138, CH-1337 Vallorbe
  Fax: +33 81 55 52 62               (Switzerland)
Zephyr(r) : InterNet Communication and Commerce, Security and Cryptography consulting
PGP Fingerprint : 19 FB 67 EA 20 70 53 89 AF B2 5C 7F 02 1F CA 8F
"The InterNet is the most open standard since air for breathing"

In article <01BB74A5.CDC6BC00@JPKroepfli.S-IP.EUnet.fr>, Jean-Paul Kroepfli <JeanPaul.Kroepfli@ns.fnet.fr> wrote:
> I've seen some threads about (1) the new PGPfone, (2) the new US-version of Netscape and leakage.
> So my question:
> [Important] Do you know some non-US URL with the latest version of PGPfone for Win? (I monitored the usual European repositories quasi day to day, but it was always the old version)
> [Less important] Ibid. for the new US-Netscape (with full 128-SSL) (I suppose there is a copyright problem for such a -hum- mirroring)
> Best regards,
> Jean-Paul

I haven't tried to download it myself, yet (I'm on the wrong side of a slow link <plug>(though it's faster since I got my new ZyXEL yesterday)</plug>), so maybe this is explained for me, but does netscape publish checksums for their US binaries?

This isn't just an issue of making sure your copy wasn't munged in transit; without checksums, what's stopping netscape from embedding the info you provide in the binary before shipping it to you, so that if it shows up on hacktic, they know who did it?

Could various people with various architectures post MD5 or SHA1 hashes of the files they downloaded?

   - Ian

In list.cypherpunks, iang@cs.berkeley.edu writes:

<paranoia>
> This isn't just an issue of making sure your copy wasn't munged in transit; without checksums, what's stopping netscape from embedding the info you provide in the binary before shipping it to you, so that if it shows up on hacktic, they know who did it?
</paranoia>

<img src="SarcasticGrin.jpg">

I trust Netscape, but I also cut the cards...

    [18:02] 1 [d:\tmp]:sendai# md5sum -b ns_inst.exe
    0f4de3e744ec4e356ba9f8feb3ded7ec *ns_inst.exe
    [18:03] 1 [d:\tmp]:sendai# dir ns_inst.exe
    Volume in drive D is unlabeled Serial number is 4362:1EF5
    Directory of d:\tmp\ns_inst.exe
    ns_inst.exe 3008531 7-16-96 20:24
    3,008,531 bytes in 1 file(s) 3,010,560 bytes allocated
    10,551,296 bytes free

Their file delivery CGI could use some work... no reason I can see to offer the filename 'pick.cgi' for everything. Anyone sniffing the link knows the filename from previous forms submissions, anyway.

OBRealCrypto: What's the best method for authenticating successive interactions with a CGI? Currently, the password is being passed clear as a hidden input field, but I have to believe there's a better way than that. One point is that the user will not be explicitly ending his session, but just wandering off to other pages.

--
Roy M. Silvernail [ ] roy@scytale.com
PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6
Key available from pubkey@scytale.com
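One way to approach the OBRealCrypto question above, as an added example that is not from any poster in the thread: after a single password check the CGI hands back a MAC-protected token with an idle expiry in place of the password, so the hidden field never carries the secret and an abandoned session lapses without an explicit logout. `SERVER_KEY`, `IDLE_LIMIT` and the function names are assumptions made for this sketch.

```python
import base64
import binascii
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the CGI host
IDLE_LIMIT = 900                      # assumption: seconds of inactivity allowed

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(user: str, now: int) -> str:
    """Mint the hidden-field value once the password has been verified."""
    payload = f"{user}|{now + IDLE_LIMIT}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(tag)

def verify_token(token: str, now: int):
    """Return (user, refreshed_token), or None if malformed, forged or expired."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time, checked before parsing
        return None
    user, expiry = payload.decode().rsplit("|", 1)
    if now > int(expiry):                       # user wandered off: session has lapsed
        return None
    return user, issue_token(user, now)         # slide the idle window forward
```

The token is still a bearer value: anyone who captures it can replay it until it expires, so it needs an encrypted connection just as the password did.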

Roy M. Silvernail wrote:
> Their file delivery CGI could use some work... no reason I can see to offer the filename 'pick.cgi' for everything.

We will be fixing this problem soon.

> Anyone sniffing the link knows the filename from previous forms submissions, anyway.

You can't sniff the link, since the form submission and the file download are via SSL.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

> what's stopping netscape from embedding the info you provide in the binary before shipping it to you, so that if it shows up on hacktic, they know who did it?

Nothing, but we're not doing that, and nobody has asked us to. If we did something like that, I imagine you'd know up front.

> Their file delivery CGI could use some work...

No doubt.

> no reason I can see to offer the filename 'pick.cgi' for everything.

We've been busy getting the damn process to work and get approved. It's simple this way. There's one CGI and when you run it, it produces output and ergo that's the "filename" you see. With some time, we could get clever and synthesize the name you want. It's not the highest of priorities in this process right now.

--
Tom Paquin
Netscape Communications Corp
about:paquin

In article <31EF632D.2B88@netscape.com>, Jeff Weinstein <jsw@netscape.com> wrote:
> Roy M. Silvernail wrote:
> > Anyone sniffing the link knows the filename from previous forms submissions, anyway.
> You can't sniff the link, since the form submission and the file download are via SSL.

But assumedly if they're downloading the 128-bit netscape, then they're only using the 40-bit version to do it... :-)

   - Ian

Ian Goldberg wrote:
> In article <31EF632D.2B88@netscape.com>, Jeff Weinstein <jsw@netscape.com> wrote:
> > Roy M. Silvernail wrote:
> > > Anyone sniffing the link knows the filename from previous forms submissions, anyway.
> > You can't sniff the link, since the form submission and the file download are via SSL.
> But assumedly if they're downloading the 128-bit netscape, then they're only using the 40-bit version to do it... :-)

Well yes, the first time they do it. But the many times they download new versions, from now until the end of time, they can use 128-bit SSL.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

"Jeff" == Jeff Weinstein <jsw@netscape.com> writes:
Jeff> Well yes, the first time they do it. But the many times they
Jeff> download new versions, from now until the end of time, they can
                                            ^^^^^^^^^^^^^^^
Jeff> use 128-bit SSL.

The world is ending September 17, 1996 I presume? ;-)

--
steve@miranova.com baur
Unsolicited commercial e-mail will be proofread for $250/hour.
Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone except you in November.

On 21 Jul 1996 12:05:34 -0700, Steven L Baur <steve@miranova.com> wrote:
> "Jeff" == Jeff Weinstein <jsw@netscape.com> writes:
> Jeff> Well yes, the first time they do it. But the many times they
> Jeff> download new versions, from now until the end of time, they can
>                                             ^^^^^^^^^^^^^^^
> Jeff> use 128-bit SSL.
> The world is ending September 17, 1996 I presume? ;-)

Traditionally you can use an expired beta to connect to Netscape and download a new version. I would test this, but it wouldn't work because the clock on the downloading machine has to be in sync with the server.

Dan Weinstein
djw@vplus.com
http://www.vplus.com/~djw
PGP public key is available from my Home Page.
All opinions expressed above are mine.
"I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No.
Friedrich Nietzsche

Steven L Baur wrote:
> "Jeff" == Jeff Weinstein <jsw@netscape.com> writes:
> Jeff> Well yes, the first time they do it. But the many times they
> Jeff> download new versions, from now until the end of time, they can
>                                             ^^^^^^^^^^^^^^^
> Jeff> use 128-bit SSL.
> The world is ending September 17, 1996 I presume? ;-)

The final version of 3.0 will be available for download well before Sept 17. That version will not have a timebomb. Even the timebombed versions will let you connect to our site to download new versions.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

Ian Goldberg wrote:
> I haven't tried to download it myself, yet (I'm on the wrong side of a slow link <plug>(though it's faster since I got my new ZyXEL yesterday)</plug>), so maybe this is explained for me, but does netscape publish checksums for their US binaries?
> This isn't just an issue of making sure your copy wasn't munged in transit; without checksums, what's stopping netscape from embedding the info you provide in the binary before shipping it to you, so that if it shows up on hacktic, they know who did it?
> Could various people with various architectures post MD5 or SHA1 hashes of the files they downloaded?

I'm sorry, but I don't have time to run the checksums right now. Feel free to compare checksums of downloaded files. You won't find any secret tagging. Note also that the download is via SSL.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
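The cross-check requested and invited in this thread (independent downloaders comparing hashes of the same file), as an added example that is not from any poster: it groups copies by digest and, when one copy differs, reports the byte ranges where it departs from the majority, which is where a per-download tag would sit. The downloader labels and byte strings are constructed, and SHA-256 is used here instead of the MD5 or SHA1 named in the thread.

```python
import hashlib
from collections import defaultdict

def group_by_digest(copies):
    """Map SHA-256 hex digest -> sorted labels of downloaders who got those bytes."""
    groups = defaultdict(list)
    for who, data in copies.items():
        groups[hashlib.sha256(data).hexdigest()].append(who)
    return {digest: sorted(who) for digest, who in groups.items()}

def differing_ranges(a, b):
    """Half-open [start, end) byte ranges where two copies disagree."""
    ranges, start, end = [], None, max(len(a), len(b))
    for i in range(end):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:          # difference runs to the end (e.g. length mismatch)
        ranges.append((start, end))
    return ranges

def audit(copies):
    """Return (all_identical, {label: ranges differing from the majority copy})."""
    groups = group_by_digest(copies)
    majority = max(groups.values(), key=len)
    reference = copies[majority[0]]
    odd = {who: differing_ranges(reference, data)
           for who, data in copies.items() if who not in majority}
    return len(groups) == 1, odd

# Constructed sample: three downloads, one carrying an 8-byte tag at offset 16.
BASE = b"MZ" + bytes(62) + b"installer-body" * 4
TAGGED = bytearray(BASE)
TAGGED[16:24] = b"USER0042"
SAMPLE = {"alice": BASE, "bob": BASE, "carol": bytes(TAGGED)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```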