Help me identify the meaning and origins of this old Netscape t-shirt!
November 24, 2013 8:24 PM Subscribe
I'm on a major closet-purge (selling off all my old geek t-shirts from the 90's & 2000's), and I uncovered this old "Cypherpunk Policy" Netscape t-shirt that I'm trying to identify the origins of.
Here are photos of the front and back of the shirt:
Front
Back
From the "Cypherpunk Policy" string and references to SSL, LKCS, DES, etc., that this has something to do with Netscape/Mozilla browser encryption parameters in the "about:config" settings page. But I can't seem to figure out what purpose or event this shirt was made for? Perhaps a security, crypto or hacker convention? Or could it be an inside joke shirt made for internal Netscape purposes?
The only thing I know about this shirt is that I acquired it either in the late '90s or early 2000's. I Googled for "Netscape" and "Cypherpunk Policy", and came up with only 3 hits that all pointed to a PDF of a Powerpoint presentation on "Session Level Security" by Don Kitchen, in which a slide containing a similar about:config page appears.
Does anyone know who, why or what this shirt was created for?
Here are photos of the front and back of the shirt:
Front
Back
From the "Cypherpunk Policy" string and references to SSL, LKCS, DES, etc., that this has something to do with Netscape/Mozilla browser encryption parameters in the "about:config" settings page. But I can't seem to figure out what purpose or event this shirt was made for? Perhaps a security, crypto or hacker convention? Or could it be an inside joke shirt made for internal Netscape purposes?
The only thing I know about this shirt is that I acquired it either in the late '90s or early 2000's. I Googled for "Netscape" and "Cypherpunk Policy", and came up with only 3 hits that all pointed to a PDF of a Powerpoint presentation on "Session Level Security" by Don Kitchen, in which a slide containing a similar about:config page appears.
Does anyone know who, why or what this shirt was created for?
Response by poster: Ideefix:
Yeah, I found that article too. I assume it has something to do with that, but I need to know if this was made for a specific event (hacker con, etc), or if it was an internal Netscape shirt or whatnot.
I'm selling this shirt on eBay, so the more specifics I can get, the better!
posted by melorama at 8:33 PM on November 24, 2013
Yeah, I found that article too. I assume it has something to do with that, but I need to know if this was made for a specific event (hacker con, etc), or if it was an internal Netscape shirt or whatnot.
I'm selling this shirt on eBay, so the more specifics I can get, the better!
posted by melorama at 8:33 PM on November 24, 2013
It looks like the cyphersuites that Netscape was configured to accept by default.
plz give us a link to the eBay page once it's listed
posted by Joe Chip at 8:52 PM on November 24, 2013 [1 favorite]
plz give us a link to the eBay page once it's listed
posted by Joe Chip at 8:52 PM on November 24, 2013 [1 favorite]
Joe Chip is right. (I work for Mozilla, but not on Firefox, which was developed from the Netscape code base.) Those are settings in about:config perhaps?
There are a few ex-Netscape staff who might know. I'll ping a few folks and point them here.
posted by gen at 5:55 AM on November 25, 2013 [1 favorite]
There are a few ex-Netscape staff who might know. I'll ping a few folks and point them here.
posted by gen at 5:55 AM on November 25, 2013 [1 favorite]
Best answer: As Joe Chip says, this is a policy file that configures which encryption algorithms the browser would use to communicate with secure (SSL) servers. This patent has some details about the format of this policy file.
The slides that you mentioned explain that this "Cypherpunk policy" was stronger than default "Export policy." At the time that Netscape was released, the US government banned the export of strong encryption software, so versions of Netscape available outside the US had deliberately weak cryptography. The Cypherpunks at the time were actively fighting against this law (including civil disobedience against it), and this "Cypherpunk policy" was a "contraband" patch to Netscape that would allow it to use strong encryption. You can find some contemporary discussion of these issues from the cypherpunks mailing list archive and the Fortify web site (which I'm amazed is still online).
By the way, similar issues are still relevant more than a decade later. Mozilla's security team recently published their latest proposed changes to browser ciphersuite policies, and around the same time it was revealed that the US government is still working to weaken cryptographic algorithms.
posted by mbrubeck at 8:57 AM on November 25, 2013 [2 favorites]
The slides that you mentioned explain that this "Cypherpunk policy" was stronger than default "Export policy." At the time that Netscape was released, the US government banned the export of strong encryption software, so versions of Netscape available outside the US had deliberately weak cryptography. The Cypherpunks at the time were actively fighting against this law (including civil disobedience against it), and this "Cypherpunk policy" was a "contraband" patch to Netscape that would allow it to use strong encryption. You can find some contemporary discussion of these issues from the cypherpunks mailing list archive and the Fortify web site (which I'm amazed is still online).
By the way, similar issues are still relevant more than a decade later. Mozilla's security team recently published their latest proposed changes to browser ciphersuite policies, and around the same time it was revealed that the US government is still working to weaken cryptographic algorithms.
posted by mbrubeck at 8:57 AM on November 25, 2013 [2 favorites]
(D'oh, I got caught up in the background info and forgot to mention that I also work at Mozilla and will see if anyone internal has more specifics on your shirt.)
posted by mbrubeck at 9:03 AM on November 25, 2013
posted by mbrubeck at 9:03 AM on November 25, 2013
Best answer: This message from R. A. Hettinga says that the shirts were made at the Financial Cryptography 97 (FC97) conference. Possibly related: This workshop at FC97 led by cypherpunk Ian Goldberg who discovered an important vulnerability in Netscape's SSL code.
posted by mbrubeck at 11:02 AM on November 25, 2013
posted by mbrubeck at 11:02 AM on November 25, 2013
...and this Risks Digest message from Ian Goldberg has details on how he and Fortify both hacked the ciphersuite policy in the "export" version of Netscape to enable strong crypto. So Goldberg was definitely one of the people involved in this hack and might know more about the shirt's creation.
Wired had coverage of FC97, though it didn't mention Goldberg's workshop or the Netscape shirts.
posted by mbrubeck at 11:14 AM on November 25, 2013
Wired had coverage of FC97, though it didn't mention Goldberg's workshop or the Netscape shirts.
posted by mbrubeck at 11:14 AM on November 25, 2013
This thread is closed to new comments.
posted by wnissen at 8:27 PM on November 24, 2013 [1 favorite]