FORTIFY ELECTRIC UPGRADE For Mac

Fortify FAQ
17 May 2000

Electric Upgrade Cost
Fortify Electric Upgrade For Mac Osx
Fortify Electric Upgrade For Mac Mojave
Fortify Electric Upgrade For Macbook Air

Fortify is a locally installed application that listens on a known TCP port. Web applications use the Fortify WebCrypto polyfill to communicate with this application which enables the web application to use smart cards, security tokens and locally installed certificates. Notice: You need to migrate your account before you can continue You are currently using a Software Passport type account to access Marketplace. Starting February 22, 2019, Software Passport accounts are no longer supported by Micro Focus. You will need to create a new Access Manager account or migrate your Software Passport account to an Access Manager type account.

Apple helps you keep your Mac secure with software updates. The best way to keep your Mac secure is to run the latest software. When new updates are available, macOS sends you a notification — or you can opt in to have updates installed automatically when your Mac is not in use. MacOS checks for new updates every day and starts applying them in the background, so it’s easier and faster.
Apple Magic Keyboard, Magic Mouse 2, Magic Trackpad 2. Redesigned to be fully rechargeable and even more of a joy to use.

This is Fortify, a program that provides world-wide, unconditional, full strength 128-bit cryptography to users of Netscape Navigator (v3 and v4) and Communicator (v4).

Capabilities and Versions

Why do I need Fortify?

What features does Fortify provide?

What advantages does it have over alternative solutions?

But aren't the 128-bit versions of Communicator available outside the U.S.?

What versions of Netscape does it support?

What about the v4.73 (or later) versions?

Are the beta and preview editions supported?

Are the international (non-English) editions supported?

Is Fortify itself available in non-English translations?

Is Fortify Year 2000 ready?

Does it work with a server that uses a Verisign Global Server ID?

Installation

Where can I get the most recent version?

I'm impatient. How do I run it?

What else do I need to do?

What exactly does Fortify do?

What safeguards does Fortify use? Can I uninstall it?

What does Fortify not do?

What will Fortify do to a U.S.-Domestic grade (128-bit) browser?

What does the message '{my browser} is ... not recognisable' mean?

After Installation

How do I check the encryption strength of my copy of Netscape?

How do I encrypt and/or sign my email messages?

I have been using Fortify. How do I upgrade to a later version of Communicator ?

Related Issues

What are the terms of use governing Fortify for Netscape?

What's all this about RSA/RC4/40-bits/512-bits/symmetric keys? I'm confused.

How strong is a 40 bit secret key anyway?

Has anyone ever 'broken' one of these keys?

Why should I bother with Fortify? Who cares!

Is this legal?

Other Resources

Where do I send feedback or questions?

Miscellaneous

Acknowledgements - Software

Acknowledgements - MacOS

Acknowledgements - Non-English Translations

Capabilities and Versions

Why do I need Fortify?

The answer to this question can easily be illustrated:

The export-grade browser - on the left - can only communicate securely with a certain specific set of web servers. The fortified browser - on the right - can communicate securely with any full strength web server anywhere on the Internet.

A more detailed explanation of this comparison, along with some examples of each type of server, can be found on the Fortify web site, here.

What features does Fortify provide?

What advantages does it have over alternative solutions?

But aren't the 128-bit versions of Communicator available outside the U.S.?

The full details and effects of this change are explained further here.

What versions of Netscape does it support?

Navigator Standard verns 2.02, 3.01, 3.02, 3.03, 3.04

Navigator Gold verns 3.01, 3.02, 3.03, 3.04

Navigator Lite (stand-alone) verns 4.02 to 4.08, 4.05-JDK1.1, 4.5, 4.51, 4.6, 4.61, 4.7, 4.72

Communicator verns 4.01 to 4.08, 4.05-JDK1.1, 4.5, 4.51, 4.6, 4.61, 4.7, 4.72

that were released for the following platforms:-

DEC-OSF + Dec UNIX (Alpha systems)

HP-UX 10.x (HPPA systems) (Note C)

IBM AIX 4.x (RS6000 systems) (Note C)

SGI Irix 5.x and 6.x (Mips systems)

Sun Solaris 2.4 and 2.5.1 (Sparc systems)

Sun Solaris 2.4 and 2.5.1 (Intel x86 systems)

Sun SunOS 4.1.3_U1 (Sparc systems)

BSD, FreeBSD, BSDI (Intel x86 systems) (Note A)

Linux-Elf and Linux-glibc2 (Intel x86 systems)

MKLinux and LinuxPPC (PowerPC systems)

Microsoft Windows 95/98 and Windows NT (Intel x86 systems)

IBM OS/2 (Intel x86 systems) (Note B)

Apple Mac OS (PowerPC systems) (Note D)

Note A: BSD versions v3.01, v3.03-gold, v3.04, and v4.04 onwards only.
Note B: OS/2 version v2.02 (svc lvl 4,7,8), 4.04 (svc lvl 5,6,fixpack1), and 4.61
Note C: On these operating systems, version v4.06 onwards only.
Note D: MacOS PowerPC versions only, version v4.06 onwards only.

What about the v4.73 (or later) versions?

Please refer to this update statement.

Are the beta and preview editions supported?

If you would like to see a particular preview release supported, feel free to say so, and keep an eye out for future announcements (or subscribe to the Fortify mailing list).

Are the international (non-English) editions supported?

Is Fortify itself available in non-English translations?

Is Fortify Year 2000 ready?

Does it work with a server that uses a Verisign Global Server ID?

Installation

Where can I download the most recent version?

The Fortify home page is on the net, currently at https://www.fortify.net/ Please refer to that site for download details, and all the latest news about Fortify.

I'm impatient. How do I run it?

Notes for OS/2 users:

In the past, some users have reported problems when attempting to de-compress their 4.04 netscape.exe files using repack.exe. The problem arises from the netscape.exe being locked by a running process. Details about the problem scenario, and a suggested workaround can be found here.

Unix installation instructions:-

Ensure that you are not running Netscape at the moment.
In the following example, you should substitute the name of your particular distribution for unix-TYPE:
gzip -dc Fortify-1.4.6-unix-TYPE.tar.gz | tar -xf - cd Fortify-1.4.6-unix-TYPE ./Fortify.sh [your-Netscape-filename ...]
The script will prompt you for any additional information or confirmations as it proceeds.
Once Fortify is installed, you can remove the Fortify-1.4.6-unix-TYPE folder if you wish. If you think you might wish to uninstall Fortify some time later, you should retain a copy of the Fortify distribution archive. This is your choice.

Following these steps will cause a precompiled copy of Fortify to be executed during the upgrade. If you are not happy with the thought of running a precompiled program that you have downloaded from the net, then feel free to rebuild it for yourself. The source code can be found in the 'src' directory, along with a src/README file that contains some lab and build notes.

What else do I need to do?

What exactly does Fortify do?

What safeguards does Fortify use? Can I uninstall it?

What does Fortify not do?

cook your breakfast.

What will Fortify do to a U.S.-Domestic grade (128-bit) browser?

What does the message '{my browser} is ... not recognisable' mean?

Your platform or operating system is not supported.
Please check the list of supported operating systems in the above table.
Your browser is too new for your copy of Fortify for Netscape.
Each time a new Netscape browser is released, a matching release of Fortify for Netscape must be made. This is inherent in its nature. So if you download a shiny new Netscape browser, you will normally find that your old copy of Fortify does not recognise it. You will also need to download a shiny new release of Fortify.
Your browser is too old.
Fortify for Netscape only supports browsers commencing from version 3.01 onwards on Unix and Windows, or from version 4.06 on MacOS, or from 2.02 on OS/2 (the 2.02 OS/2 browser is substantially the same as v3.x on Unix and Windows),
Your Netscape browser is produced by a third party vendor.
The editions of Navigator and Communicator produced or rebadged by third-party organisations are not, as a rule, supported. There are simply too many of them. Typically these browsers are bundled with a machine, or with a larger body of system software. Some past examples under this heading have been: SGI, BSDI, Calderra, AT&T, and Corel.
You have an unsupported beta or preview release browser.
Please refer to the above note.
You have a U.S. domestic (128-bit) browser.
Please refer to the above question.
You have a copy of Communicator-for-France.
Until recently, French national law outlawed the possession and use of strong cryptography. For this reason, the Communicator-for-France browsers have not historically been supported by Fortify. With the liberalization of French national crypto laws, it is now recommended that French citizens obtain and then fortify a copy of the vanilla, export-grade Netscape browser.
You browser has been modified in some way.
Applying third-party patches or modifications to your browser can sometimes render your browser unrecognisable to Fortify. To avoid this problem, simply fortify your browser before making any modifications or patches. Note, however, that you will not be able to de-fortify your browser later, so make sure that you keep a back-up copy of your original browser within arms reach.

After Installation

How do I check the encryption strength of my copy of Netscape?

You have a few alternatives.

The simplest method is to restart Netscape, or call up the 'About...' page from the Help menu. On this page you will see a section describing the program's cryptographic features.
The Unix export versions of Netscape describe themselves as
'This version supports International security .........'
Fortified versions (and presumably U.S. domestic versions) describe themselves as
'This version supports U.S. security ...........'
Under Windows 95/98/NT and Unix, the most direct evidence of your browser's cryptographic capabilities is in the SSL and S/MIME cipher preferences dialog boxes, in the security manager.
Export versions of Navigator (v3) offer 40-bit RC2 and RC4 ciphers (example), whereas the Fortified version offers 128-bit RC4 (example).
Export versions of Communicator (v4) offer 40-bit RC4 for web connections, or 128-bit RC4 and 168-bit triple-DES when a 'blessed' web server is involved (example). Fortified versions, however, offer 128-bit RC4 and 168-bit triple-DES without restriction (example). For sending and receiving e-mail, Communicator (v4) offers 40-bit RC2 only (example), whereas Fortified versions carry an additional four strong e-mail ciphers (example).
Alternatively, you can connect to any public full strength web server, for example https://www.fortify.net/ or https://www.c2.net/, and download a page. You can see the encryption strength of the connection in two places:-
a) In Navigator v3, the small key icon in the bottom left hand corner of the browser indicates the encryption status.
A broken key symbol indicates no encryption
A solid key with a single tooth signifies an export grade cipher (40-bits)
A solid key with two teeth signifies a full strength cipher is in operation.
b) The 'Document Information' screen reports the cipher and key length that was used when the document was fetched. Strong ciphers are described as 'a high-grade encryption key ....', while weak ciphers are described as 'a medium-grade encryption key ....'.
If you are the skeptical type, find yourself a trustworthy web server that tells you about the strength of each incoming SSL connection - such as this one: https://www.fortify.net/sslcheck.html It you want independent verification, try searching through the Netcraft SSL Servers Survey at http://www.netcraft.co.uk/ssl/
Alternatively, find an Apache-SSL web server that has the 'printenv' cgi-bin script installed ('printenv' prints all the environment variables passed to itself; it is included in the vanilla Apache distribution). Open an SSL connection to this script, e.g. https://some.server.name/cgi-bin/printenv.
Export versions of Netscape will see a HTML page returned by printenv that includes these lines:-
Fortified versions (and presumably U.S. domestic versions) will see a HTML page returned that includes these lines:-
If you are the mis-trusting type, find yourself (or build) a trustworthy web server that only accepts U.S. domestic strength SSL connections. Export version of Netscape will fail to connect to such a server, but Fortify'd Netscape will succeed.
You can also perform the reverse test, i.e. using only high grade ciphers connect to a server that only accepts export strength SSL connections. Amazingly, the server at Verisign (www.verisign.com) is an example in this category!!
If you are the deeply suspicious type, you are going to need some tools of your own. You can either
a) build a test bed server that dumps out SSL conversations (ApacheSSL + SSLeay makes a fine starting point for this),
b) snoop the https packets that pass between the browser and web server across a network link.

How do I encrypt and/or sign my email messages?

Personal certificates are available from most Certificate Authorities around the world. Thawte Inc. and GlobalSign both offer personal certificate products, in a variety of trust levels and prices, including a no-cost option. When applying for a personal certificate, always ensure that the certificate key size is at least 1024-bits.

Note that if you had a personal certificate prior to upgrading your browser with Fortify, this certificate will almost certainly be based upon a weak, 512-bit key pair. You should immediately revoke this certificate, and obtain a new 1024-bit certificate using your fortified browser.

I have been using Fortify. How do I upgrade to a later version of Communicator ?

Related Issues

What are the terms of use governing Fortify ?

Fortify is free for all forms of non-commercial use, including individual, educational, research, or charitable use.

Commercial use, or commercial re-distribution, of Fortify is controlled under the terms of the software Copyright, and requires a formal licence. However, the terms are deliberately simple, and, more often than not, they are purely a formality.

What's all this about RSA/RC4/40-bits/512-bits/symmetric keys? I'm confused.

How strong is a 40 bit secret key anyway?

In a recent article 'Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security', several of the world's leading cryptographers 'strongly recommend a minimum key-length of 90 bits for symmetric cryptosystems (unquote)'. [Ref: here ]. 90-bit keys would appear to be acceptably strong in 1997. 128-bit keys are therefore what the world should be using.

Has anyone ever 'broken' one of these keys?

Yes. Several times. One of the first public attacks on a 40-bit key was carried out in August 1995, as part of Hal's Challenge. The challenge was ultimately solved independently by two parties. The first party to find the key was David Byers and Eric Young, using approx 50 PCs, 15 workstations and a MasPar MP-1 for the search. The second person to find the key was Damien Doliegez (France), who used approx 20 workstations and two supercomputers for 8 days to conduct the search.

A group known as the Cypherpunks have banded together to co-operatively conduct exhaustive key searches in record times using run-of-the-mill computing resources. Their fastest time for a 40-bit key search currently stands at 31 hours 47 minutes, which was the time taken to break Hal's Second Challenge, also in Aug 1995.

In January and February of 1997, two more cryptography challenges were broken. The first was a 40-bit cipher key that was broken in a mere 3.5 hours by Mr. Ian Goldberg at the University of California, Berkeley, using a network of approx 250 PCs and workstations. The second was a 48-bit cipher key that was broken in approx 13 days by a collaborative group of approx 5000 computers operating across the Internet.

56-bit DES has also been 'broken', on at least four separate occasions. The Deschall group, headed by Mr. Rocke Verser, announced the winning key to the RSA's first DES challenge in June 1997. Deschall was, once again, an Internet-based collaborative effort. The group used the spare CPU cycles from 'tens of thousands' of standard computers, over a period of roughly four months, to perform the key search.

The second DES challenge was completed in February 1998, by a collaborative group known as distributed.net in 39 days - one third of the time taken to solve the first DES challenge.

The Electronic Frontier Foundation has accomplished at least two separate 56-bit DES 'cracks' in June and July, 1998. The most widely publicized result was a solution to the RSA DES II challenge. The solution was achieved in 56 hours - substantially faster than the previous record. These results once again demonstrate the fact that export grade ciphers, including DES, are largely ineffective, and their usefulness degrades rapidly over time.

These and other challenges were published by RSA Inc. on Jan 28th, 1997 as part of a research exercise into the security of export grade ciphers. The exercise is on-going