Re: Netscape SSL implementation cracked!

["Perry E. Metzger" <perry@piermont.com>]

Ian Goldberg writes:
> What we discovered is that, at least on the systems we checked (Solaris
> and HP-UX), the seed value for the RNG was fairly trivial to guess by
> someone with an account on the machine running netscape (so much so
> that in this situation, it usually takes less than 1 minute to find
> the key), and not too hard for people without accounts, either.
> See below for details.

Why is this completely unsuprising?

I've said it before and I'll say it again -- Netscape's programmers
(with a few notable exceptions -- you know who you are) tend to be
sloppy about security critical details.  Experience with most of the
same people from back when they built Mosaic shows that they just
don't get the details right. (I wonder how many buffer overflow
security bugs lurk in Netscape waiting to be found. I wonder how many
such bugs lurk in their web servers, too...)

Anyway, congratulations to you and Dave on an excellent piece of
work. I say a bunch of us should buy you "I broke Netscape's security
and all I got was this lousy T-Shirt" shirts, if only someone would
design them!

(Two of those should be given to our friends in the U.K. and at INRIA
who brute forced Netscape before. A dozen more of the shirts should be
held for future breaks -- which are a "when", not an "if".)

> I've included the header to a program we wrote to do this key-cracking
> below.  I would like to get some information, though:
> 
> o Where should I put the full source (1 file, ~12k) so that ITAR lovers
>   don't get mad at me?

Give it to the folks at ftp.csua.berkeley.edu, I say.

> o Where can I find a version of netscape that does RC4-128?  It is
>   likely that it suffers from the same problem, and even a brute-force
>   search of the entire seed space is _much_ less than 128 bits.

They sell it in stores.

Perry