[Previous] [Next] [Index]
[Thread]
Re: What's the netscape problem
> On Wed, 20 Sep 1995 19:01:39 +0900 Kazuma Andoh <andoh@nikkeibp.co.jp> wrote:
> >NY Times reports that the Netscape navigator have security problems,
> >and two students posted that to some newsgroup
> >(http://nytsyn.com/cgi-bin/times/lead/go).
> >
> >Could someone tell me what's the problem and how can I access the newsgroup
> >article which reports the Netscape's problem.
> >
> Netscape confirms problem and gives better details at the following URL:
>
> http://home.netscape.com/newsref/std/random_seed_security.htm
The interesting part of this article is the discussion of random seed
weaknesses on the *server* side. If true, this means anybody could use
the random-seed hole to reverse engineer the process by which the
server's private key information was generated and break that keypair
with much, much much less effort than would normally be needed to factor
a 512-bit RSA key.
(Note that I'm not entirely sure Netscape's server uses 512 bit RSA keys,
since the documentation, technical data sheets, and generation process
don't give any clue about what key size is being used. Guess they don't
want customers worrying their pretty little heads about it.)
This would mean merely getting a fixed server would be insufficient; every
Netscape server user would need to generate a new keypair, get a new Verisign
certificate, and revoke the old one.
(Oops, wait, there's no way to revoke the old one. I guess you just have to
hope nobody does this before all those certificates expire.)
- Marc
Follow-Ups:
References: