Re: SSL implementation problem at Netscape



In article <[email protected]>, [email protected] (David A. Wagner) writes:
> In article <[email protected]> from sci.crypt,
> David Sternlight <[email protected]> wrote:
> > If the above is, in fact, accurate it appears to apply to previous
> > versions of Netscape, not the 2.0 versions for which the public beta goes
> > out next week.
> 
> We haven't tried it on v2.0, as we only have a copy of v1.1 right now.
> But the front-page New York Times article today said that the next version
> also has the same flaw, and that it'll be fixed before release.

  First off, Sternlight is not an agent working for Netscape.  :-)

  The same fix that will be going out to patch old versions will be applied
to 2.0 before we do a public beta.  As with any code it will be refined
as necessary before the final release of 2.0.

[ stuff deleted ]

> While we don't yet know exactly how long it would take to break Netscape's
> PRNG in this threat model, I think it's clear that Netscape's current
> implementation is insufficient and insecure.

  Agreed.  See other messages of mine for a more detailed response.

> We don't know about e.g. PC's yet -- this is another area we were still
> working on.  I will note that Netscape didn't try to claim that any version
> was safe from this flaw, for what that's worth...

  Again, see my other messages on this and related topics for more details
of what the code was doing on PC and Mac.

> Hopefully this will be quickly fixed by Netscape, and then we can all stop
> worrying about it! :-)

  Yup.  Then I can get back to working only 16 hours a day.  :-)

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.