Netscape etc

• To: www-security@ns2.rutgers.edu
• Subject: Netscape etc
• From: "John Hemming CEO MarketNet" <JohnHemming@mkn.co.uk>
• Date: Fri, 22 Sep 1995 21:58:29 PM PDT

>Netscape Commerce server certificates use RSA key pairs generated by the<BR>
>user, i.e. with "Netscape's shoddy random number genrator" (sic). All the<BR>
>server running in "secure" mode need new RSA keys and certificates as noted<BR>
>in the following excerpt from the official Netscape response. <BR>
<BR>
>"In addition, the current version of the Netscape Commerce Server has a<BR>
>similar vulnerability during it's initial key-pair generation. Therefore, a<BR>
>patch will be made available from Netscape and should be applied by Commerce<BR>
>Server customers to generate a new key pair and server certificate." <BR>
If that is really what Netscape have issued then it needs correcting unless
for some reason RSA's private key is stored in the Commerce Server.  I would
presume that a certificate request would be needed instead.

There is really quite a high noise to signal ratio in dealing with the
non randomness of the unix Navigator (which is what I understand 
the problem to be).

• Previous: Re: Netscape's purported RNG
• Next: Re: Netscape's purported RNG
• Index(es):
  • Index
  • Thread