
Re: Netscape SSL-cracker...may be old news...



> Netscape's security seems to have a flaw. Folks on this list are much more
> qualified to judge the accuracy of this SSL-breaker than I, so here's the
> source code. The idea is that Netscape's security, possibly including the
> 128-bit version, is crackable if you have an account on (or just access to)
> the client(?) machine. This is bad, I think.
> 
> If everyone in the world but me already knows about this, just tell me it's
> a dead horse and I'll relax. ;)

It's pretty much a dead horse, but completely true.

Basically Netscape doesn't pick a sufficiently random enough seed for its
RNG which makes the keys very easy to guess.

Two CS undergrads wrote the program you posted by reverse engineering
the Netscape RNG code.  They have, I believe, demonstrated that it's
possible to crack the encryption on UNIX variants of the browser in
around 25 seconds when you have access to the same machine.

Netscape has already placed information on this on their WWW site.

James.
-- 
 "Yield to temptation --             | Work:  james@OiT.co.uk
  it may not pass your way again"    | Play:  james@hermione.demon.co.uk
                                     | http://www.OiT.co.uk/~james/
        - Lazarus Long               |              James Fidell
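
Added example, not part of the original message and not the program discussed in the thread: a toy Python model of why a low-entropy RNG seed makes a nominally 128-bit key guessable by someone on the same machine. The seed inputs (wall-clock second and process ID), the SHA-256 key derivation and all function names are assumptions chosen for illustration, not details taken from this message.

```python
import hashlib
import math
import secrets

def derive_key(seed: bytes) -> bytes:
    """Toy deterministic generator: the 128-bit key is a pure function of the seed."""
    return hashlib.sha256(b"toy-keygen" + seed).digest()[:16]

def weak_seed(unix_time: int, pid: int) -> bytes:
    # Assumed weak inputs: values a local user can observe or tightly bound.
    return unix_time.to_bytes(8, "big") + pid.to_bytes(4, "big")

def seed_space_bits(time_values: int, max_pid: int) -> float:
    """Effective key strength in bits when the seed is all that varies."""
    return math.log2(time_values * max_pid)

def recover_seed(target_key: bytes, t_lo: int, t_hi: int, max_pid: int):
    """Enumerate every candidate seed; return (time, pid) on a match, else None."""
    for t in range(t_lo, t_hi + 1):
        for pid in range(1, max_pid + 1):
            if derive_key(weak_seed(t, pid)) == target_key:
                return t, pid
    return None

def strong_key() -> bytes:
    """Hardened form: key material drawn from the operating system CSPRNG."""
    return secrets.token_bytes(16)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real session.
    t0, pid, max_pid = 811000007, 4242, 32768
    key = derive_key(weak_seed(t0, pid))
    bits = seed_space_bits(10, max_pid)
    print(f"nominal key size: 128 bits, effective: {bits:.1f} bits")
    print("seed recovered:", recover_seed(key, t0 - 7, t0 + 2, max_pid))
    print("CSPRNG key found in same space:",
          recover_seed(strong_key(), t0 - 7, t0 + 2, max_pid))
```

The key length is irrelevant once the seed space is this small: the work needed is bounded by the number of possible seeds, not by 2^128.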

