- The simplest method is to restart Netscape, or call up the "About..."
page from the Help menu. On this page you will see a section
describing the program's cryptographic features.
The Unix export versions of Netscape describe themselves as
"This version supports International security ........."
Fortified versions
(and presumably U.S. domestic versions)
describe themselves as
"This version supports U.S. security ..........."
- Under Windows 95/98/NT and Unix,
the most direct evidence of your browser's cryptographic capabilities
is in the SSL and S/MIME cipher preferences dialog boxes, in the
security manager.
Export versions of Navigator (v3) offer 40-bit RC2 and RC4 ciphers
(example),
whereas the Fortified version offers 128-bit RC4
(example).
Export versions of Communicator (v4) offer 40-bit RC4 for web connections,
or 128-bit RC4 and 168-bit triple-DES when a "blessed" web server is involved
(example).
Fortified versions, however, offer 128-bit RC4 and 168-bit triple-DES
without restriction
(example).
For sending and receiving e-mail, Communicator (v4) offers 40-bit RC2 only
(example),
whereas Fortified versions carry an additional four strong e-mail ciphers
(example).
- Alternatively, you can connect to any public full strength web server,
for example
https://www.fortify.net/
or
https://www.c2.net/,
and download a page. You can see the
encryption strength of the connection in two places:-
a) In Navigator v3, the small key icon in the bottom left hand corner
of the browser indicates the encryption status.
A broken key symbol indicates no encryption
A solid key with a single tooth signifies an export grade cipher (40-bits)
A solid key with two teeth signifies a full strength cipher is in operation.
b) The "Document Information" screen reports the cipher and key length
that was used when the document was fetched. Strong ciphers are
described as "a high-grade encryption key ....",
while weak ciphers
are described as "a medium-grade encryption key ....".
- If you are the skeptical type, find yourself a trustworthy web server
that tells you about the strength of each incoming SSL connection -
such as this one:
https://www.fortify.net/sslcheck.html
or this one:
https://ssl3.c2.net/
It you want independent verification, try searching through the
Netcraft SSL Servers Survey at
http://www.netcraft.co.uk/ssl/
Alternatively, find an Apache-SSL web server that has the "printenv"
cgi-bin script installed ("printenv" prints all the environment
variables passed to itself; it is included in the vanilla Apache
distribution). Open an SSL connection to this script, e.g.
https://some.server.name/cgi-bin/printenv.
Export versions of Netscape will see a HTML page returned by printenv
that includes these lines:-
HTTP_USER_AGENT = Mozilla/3.01 (X11; I; ...platform...)
HTTPS = on
HTTPS_CIPHER = EXP-RC4-MD5
HTTPS_KEYSIZE = 128
HTTPS_SECRETKEYSIZE = 40
Fortified versions (and presumably U.S. domestic versions) will see a
HTML page returned that includes these lines:-
HTTP_USER_AGENT = Mozilla/3.01 (X11; U; ...platform...)
HTTPS = on
HTTPS_CIPHER = RC4-MD5
HTTPS_KEYSIZE = 128
HTTPS_SECRETKEYSIZE = 128
- If you are the mis-trusting type, find yourself (or build) a
trustworthy web server that only accepts U.S. domestic strength SSL
connections. Export version of Netscape will fail to connect to such
a server, but Fortify'd Netscape will succeed.
You can also perform the reverse test, i.e. using only high grade
ciphers connect to a server that only accepts export strength SSL
connections. Amazingly, the server at Verisign
(www.verisign.com)
is an example in this category!!
- If you are the deeply suspicious type, you are going to need some
tools of your own. You can either
a) build a test bed server that dumps out SSL conversations
(ApacheSSL + SSLeay makes a fine starting point for this),
b) snoop the https packets that pass between the browser and
web server across a network link.
