Fortified Netscape
By Thiravudh Khoman

As internet-based commerce and banking gather more converts, it is important to ensure that the tools we use are sufficiently "secure". Most browsers and servers are capable of using something called "Secure Sockets Layer" (SSL) to encrypt information that is sent back and forth between a server and a browser client. This only works, however, if both server and client agree on encryption ground rules.

Fortunately, the most popular servers (Apache, Netscape, Microsoft IIS) and clients (Netscape Navigator/Communicator and Microsoft Internet Explorer) do support encryption. What is less apparent is the strength of that encryption. This depends on the type of encryption used (most use RSA Public Key encryption, perhaps the best method) and the length of the key used in the encryption process (40 bits and 128 bits being the most popular offerings).

Due to past U.S. laws preventing the export of products containing strong encryption routines, only 40-bit or "export grade" encryption can be incorporated into software sold internationally. Likewise, any server or browser downloaded from the internet will only support 40-bit encryption. For example, any attempt to download a 128-bit encryption product from Netscape's web site will be effectively blocked if the originating domain is not U.S. based.

(Note: A U.S. appeals court recently struck down the U.S. Government's ban on the export of strong encryption products. How, when and whether this will change things remains to be seen.)

Nonetheless, it is neither impossible nor even difficult to circumvent these restrictions. One way is to buy or download the software when you're in the U.S. Another way, which doesn't involve being present on U.S. soil or fudging Netscape's licensing terms, is to apply a patch to your browser which increases the encryption level to 128 bits. This is now possible because of Netscape's decision to make the source code of its browsers publicly available.

An Australian company took advantage of this and created a product called "Fortify" which applies patches to Netscape Standard, Gold, Navigator and Communicator on a variety of platforms (Windows, OS/2, Mac PowerPC, Linux, Unix, etc.). Whenever a new version of Navigator or Communicator is released, a new patch is usually available in a matter of days or at worst, weeks. (Note: Patches are not available for Netscape's servers or for any other non-Netscape browser.) Fortify is available for download from https://www.fortify.net and can be used free of charge for non-commercial purposes (commercial usage has either very minor or no fees, depending on how it is licensed).

Installation and patching are very simple, but of course you need to have a Netscape browser already installed before the patch can be applied. Afterwards, Fortify can be removed if you wish to recover disk space. To check the encryption level of your browser after patching, select the "Help" menu item and "About Navigator". Scroll down a page and you'll see the following text: "This version supports U.S. security with RSA Public Key cryptography." Another way to check your browser's encryption level (before or after patching, for Netscape or any other browser), is to access the following page on Fortify's website: https://www.fortify.net/sslcheck.htm (figure 1).

There's a lot to like about Fortify. To quote Fortify's readme:

"It is more secure. A fortified browser performs strong encryption internally. When connecting to a full strength web server, you have a true, end-to-end, strongly encrypted channel."

"It is faster. When using a fortified browser, the data in the communications channel is not re-encrypted as it travels between the browser and the web server. It also has fewer network "hops" to traverse. And unlike some alternative solutions, no supplementary Java applets are involved. All these factors result in better network performance and less load on your pc or workstation."

The only downside I can see is that even after applying the patch, you still won't be guaranteed 128-bit encryption all the time. But this is due to the server side now, not your browser. If you are communicating with a server that supports no encryption whatsoever, then your link will be bare naked. If your server supports only 40-bit encryption, you will only get 40-bit encryption. Only if both the server and the client support 128-bit encryption will you be afforded this top level of security.
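The dependence on both ends described above can be seen in a simplified model of SSL cipher-suite selection. This is an added example, not code from Fortify or Netscape: the suite names are from the SSL 3.0 specification, while the browser and server profiles, and the rule that the server takes the client's first preference it also supports, are assumptions made for the illustration.

```python
# Simplified model of SSL 3.0 cipher-suite selection (added illustration).
# Suite names come from the SSL 3.0 spec; all profiles below are constructed.
KEY_BITS = {  # effective secret-key length of each suite, in bits
    "SSL_RSA_WITH_RC4_128_MD5": 128,
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5": 40,
}
EXPORT_SUITES = [s for s in KEY_BITS if "EXPORT" in s]

# Client offers in preference order, strongest first (constructed profiles).
BROWSERS = {
    "export": EXPORT_SUITES,
    "fortified": ["SSL_RSA_WITH_RC4_128_MD5"] + EXPORT_SUITES,
}
# Server profiles; None means the site does not speak SSL at all.
SERVERS = {
    "no SSL": None,
    "export-grade": set(EXPORT_SUITES),
    "full-strength": set(KEY_BITS),
    "128-bit only": {"SSL_RSA_WITH_RC4_128_MD5"},
}


def negotiate(client_offer, server_suites):
    """Return (suite, bits); raise ConnectionError if the handshake fails.

    Assumption: the server picks the first suite in the client's
    preference order that it also supports.
    """
    if server_suites is None:
        return (None, 0)  # plain HTTP, nothing is encrypted
    for suite in client_offer:
        if suite in server_suites:
            return (suite, KEY_BITS[suite])
    raise ConnectionError("handshake failure: no cipher suite in common")


def strength_table():
    """Negotiated key length for every browser/server pairing."""
    table = {}
    for bname, offer in BROWSERS.items():
        for sname, suites in SERVERS.items():
            try:
                table[(bname, sname)] = negotiate(offer, suites)[1]
            except ConnectionError:
                table[(bname, sname)] = None  # no session at all
    return table


if __name__ == "__main__":
    for pair, bits in strength_table().items():
        print(pair, "->", "handshake fails" if bits is None else f"{bits}-bit")
```

The patched browser changes only the rows where the server already offers a 128-bit suite; against the "128-bit only" profile the unpatched browser gets no session at all rather than a weaker one.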

Still, based on the premise that there is no such thing as too much security, I can't see any reason not to use the Fortify patch, especially given its zero cost. If you engage or plan to engage in e-commerce on the web, you're bound to get better security. And for people interested in internet banking, chances are you will be required to use a browser with 128-bit encryption capabilities by your bank. Fortunately, obtaining such a web browser is now easier than it used to be.

Copyright © 1998-2000, Thiravudh Khoman