
Re: Netscape's purported RNG
As I know from being on the sidelines during X.400 conformance testing,
*any* test will only catch the errors the tester has thought of.

Security bugs like this one CANNOT be discovered by a "black box" test;
it would be impossible for a reasonable (?) standardized test to reverse-
engineer the random-number generation mechanism of Netscape.

OTOH, the NCSA HTTPD server might have been caught by a standard test
- IF there was a maximum valid URL length defined (someone mentioned today
on http-wg sending 30K of data in a GET URL......), AND the tester was using
a large enough data item, AND interpreted the resulting crash as something
other than a valid rejection notice. (Lots of IFs there....)

Tests might just contribute to false security.

       Harald A