Re: Netscape's purported RNG
As I know from being on the sidelines during X.400 conformance testing,
*any* test will only catch the errors the tester has thought of.
Security bugs like this one CANNOT be discovered by a "black box" test;
it would be impossible for a reasonable (?) standardized test to
reverse-engineer the random-number generation mechanism of Netscape.
OTOH, the NCSA HTTPD server might have been caught by a standard test
- IF there was a maximum valid URL length defined (someone mentioned today
on http-wg sending 30K of data in a GET URL...), AND the tester was using
a large enough data item, AND interpreted the resulting crash as something
other than a valid rejection notice. (Lots of IFs there...)
Tests might just contribute to false security.
Harald A
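The point about black-box tests and the RNG can be made concrete. The following is an added example, not code from the message above and not Netscape's actual generator: it builds a deliberately toy generator whose only weakness is a tiny seed space (time in seconds plus a process id, an assumption chosen for illustration), shows that its output sails through a standard black-box frequency (monobit) test, and then shows that anyone who knows the seeding scheme recovers the seed by exhaustive search from a short output sample. The functions `weak_seed`, `keystream`, `monobit_pass`, `blackbox_passes` and `recover_seed` are all hypothetical names introduced here.

```python
import hashlib
import math
import struct
from typing import Optional, Tuple

# Toy seeding scheme, constructed for this example only (NOT Netscape's
# mechanism): the whole seed is a 32-bit timestamp and a 32-bit pid, so
# an attacker who can guess the time to within seconds and the pid range
# has only a few hundred thousand candidates to try.
def weak_seed(t_seconds: int, pid: int) -> bytes:
    return struct.pack(">II", t_seconds, pid)


def keystream(seed: bytes, nbytes: int) -> bytes:
    """Generator: output block i = SHA-256(seed || i).

    The output is statistically excellent; the only flaw is the seed.
    """
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + struct.pack(">I", ctr)).digest()
        ctr += 1
    return bytes(out[:nbytes])


def monobit_pass(data: bytes, alpha: float = 0.01) -> bool:
    """NIST-style frequency (monobit) test on the bits of `data`.

    Returns True when the ones/zeros balance is consistent with a random
    source at significance level alpha. This is exactly the kind of
    black-box check a conformance suite would run.
    """
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    p_value = math.erfc(s_obs / math.sqrt(2))
    return p_value >= alpha


def blackbox_passes(num_seeds: int = 20, nbytes: int = 2048) -> int:
    """Run the monobit test on output from several weakly seeded runs.

    Returns how many of them pass. A good statistical test fails a truly
    random source about 1% of the time, so nearly all should pass, which
    is the tester's "all clear" despite the seed being guessable.
    """
    return sum(
        monobit_pass(keystream(weak_seed(t, 1), nbytes))
        for t in range(num_seeds)
    )


def recover_seed(
    sample: bytes, t_window: range, pid_range: range
) -> Optional[Tuple[int, int]]:
    """Attacker's view: knowing the scheme (white box), brute-force the seed.

    `sample` is a short prefix of the generator's output that the attacker
    observed, e.g. the first bytes of a session key. The search space is
    len(t_window) * len(pid_range) candidates, trivial on any machine.
    """
    for t in t_window:
        for pid in pid_range:
            if keystream(weak_seed(t, pid), len(sample)) == sample:
                return (t, pid)
    return None


if __name__ == "__main__":
    # Constructed scenario: the victim seeded at t=1000 with pid 4242.
    victim_sample = keystream(weak_seed(1000, 4242), 16)
    print("black-box monobit passes:", blackbox_passes(), "of 20")
    print("recovered seed:", recover_seed(victim_sample, range(990, 1010), range(1, 6000)))
```

The monobit test sees only output bits, so it cannot distinguish a generator with a 32-bit seed from one with 256 bits of entropy; the recovery step succeeds only because the attacker has read the seeding code, which is the reverse-engineering step the message says no standardized test would perform.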