FYI: More on WebTV security

Robert Hettinga rah at shipwright.com
Tue Oct 13 07:01:11 PDT 1998




--- begin forwarded text


X-Sender: dstoler at gptmail.globalpac.com
Mime-Version: 1.0
Date: Tue, 13 Oct 1998 05:38:59 -0700
To: Pablo Calamera <pablo at microsoft.com>, rah at shipwright.com,
        mac-crypto at vmeng.com
From: dstoler at globalpac.com (dstoler)
Subject: Re: FYI: More on WebTV security
Cc: jimg at mentat.com

Dear all,

This message discusses Microsoft's recent press release where they announce
unlimited 128-bit RC4 export approval for WebTV users in Japan and the UK
with no key escrow. They announce secure email between WebTV users in
addition to security for financial services, web shopping, etc.

http://www.microsoft.com/presspass/press/1998/Oct98/EncryptionPR.htm (See
the end of this message for key paragraphs of the press release.)

I rarely post messages on the crypto mailing lists. I am sufficiently
disturbed by Microsoft's recent WebTV press release that I feel compelled
to comment.

The press release implies that there is secure end-to-end email between two
WebTV customers.

Perhaps I am overly cynical, but I am guessing that they are using SSL
(TLS) from a web-based email application on the client to WebTV's servers.
I presume email data is decrypted at the servers, then re-encrypted to the
recipient when she uses the WebTV client to read email.

This approach would allow access to private email at the servers by WebTV
employees or law enforcement agencies.

Note the careful use of the phrases "unauthorized party" and "without
posing undue risks to national security and law enforcement" in the press
release.

I believe that WebTV's email security is directly coupled to their ability
to establish and enforce good security policy within their operation and
the trustworthiness of the employees who have access to sensitive data.

I am concerned that carefully constructed wording of Microsoft's press
release implies stronger email security than really exists. I hope I am
wrong.

David Stoler


Key paragraphs from Microsoft's press release:

WebTV Networks has been granted the first export license to use strong
128-bit encryption for any user and any application in Japan and the United
Kingdom. So, for example, an e-mail message with personal information sent
from a WebTV subscriber in Japan to a second WebTV subscriber in Japan will
be sent securely because there is no known technology by which an
unauthorized party could intercept and decipher it.

Therefore, as part of the WebTV Network, the WebTV-based Internet terminal
(starting at under $100) is now the most secure communications device
available from a U.S. company.

"WebTV Networks' export approval is a significant step for industry and
reflects the U.S. government's commitment to promoting e-commerce abroad,"
said William Reinsch, U.S. undersecretary for export administration. "The
WebTV Network provides secure communications for its customers and partners
without posing undue risks to national security and law enforcement."

--- end forwarded text


-----------------
Robert A. Hettinga <mailto: rah at philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
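
The design guessed at in the forwarded message (encrypt to the server, decrypt there, re-encrypt to the recipient) set beside end-to-end encryption, as an added example that is not part of the original message and not WebTV's implementation. The MailServer relay, the run() helper and the sample message are hypothetical; RC4 with a 128-bit key is used only because the press release names it.

```python
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts.
    Illustration only: RC4 is deprecated and gives no integrity."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

class MailServer:
    """Hypothetical relay that records everything it is able to read."""
    def __init__(self):
        self.link_keys = {}   # user -> 128-bit key shared with the server
        self.visible = []     # what an operator with server access could log

    def register(self, user: str) -> bytes:
        self.link_keys[user] = os.urandom(16)
        return self.link_keys[user]

    def relay(self, sender: str, recipient: str, wire: bytes) -> bytes:
        body = rc4(self.link_keys[sender], wire)      # link layer ends here
        self.visible.append(body)
        return rc4(self.link_keys[recipient], body)   # re-encrypt for next hop

def run(end_to_end: bool):
    """Send one message alice -> bob; fresh keys per run, each used once."""
    server = MailServer()
    keys = {u: server.register(u) for u in ("alice", "bob")}
    msg = b"constructed sample: my account number is 12345"
    e2e_key = os.urandom(16) if end_to_end else None  # never given to server
    payload = rc4(e2e_key, msg) if end_to_end else msg
    wire = rc4(keys["alice"], payload)
    delivered = rc4(keys["bob"], server.relay("alice", "bob", wire))
    received = rc4(e2e_key, delivered) if end_to_end else delivered
    return msg, received, server.visible

if __name__ == "__main__":
    for mode in (False, True):
        msg, received, seen = run(mode)
        print("end-to-end" if mode else "link-only", "server saw:", seen[0])
```

In both runs the recipient gets the message and the wire traffic is encrypted with a 128-bit key; only in the end-to-end run is the server's view ciphertext.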





