
Re: Netscape Crack



At 04:30 PM 10/10/95 -0700, [email protected] (Thomas Gorman) wrote:
>I'm a bit new to the Crypto Field but I know enough.  I heard that the
>Cypherpunks ran a brute force attack on Netscape's 40-Bit code but I still
>don't know how those two guys in Berkeley broke the 40-bit in just a few
>minutes.  Can someone on this list explain it to me?  Thanks.

Netscape uses a random session key, which feeds that 40-bit encryption.
How does it get a random session key without bothering the user to type
in random numbers?  By using the sources of randomness available to it,
like the system clock and process id.  Well, since you know when a message was
sent, you know what time it was (to the second), and there aren't very many
possible values of microseconds available.  There also aren't a lot of possible
process ids, especially when you can run a process on the machine or convince
sendmail into telling you.  So instead of having 2^40 numbers to brute-force,
there were fewer than 2^30, often more like 2^20.  That's pretty fast.
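To put numbers on the argument above, here is an added illustration (not code from the post, and not Netscape's actual key schedule): a constructed toy key derivation that hashes the three seed components the post names (seconds, microseconds, process id) down to a 40-bit key, a helper that counts how many bits of the seed an observer actually has to guess, and a search over that bounded seed space. The hash-based derivation and the seed ranges are assumptions chosen to keep the demonstration small and fast; the point it makes is the defender's one, that key length is irrelevant when the seed space is smaller than the key space, and that the remedy is an OS-supplied CSPRNG.

```python
import hashlib
import math
import os
import struct

# Constructed toy derivation, NOT Netscape's real algorithm: hash the seed
# components and keep 40 bits.  A 40-bit key space is 2^40 values, but the
# key is fully determined by (seconds, microseconds, pid).
def toy_session_key(seconds: int, microseconds: int, pid: int) -> bytes:
    seed = struct.pack(">IIH", seconds, microseconds, pid)
    return hashlib.sha1(seed).digest()[:5]


def seed_space_bits(second_uncertainty: int, microsecond_range: int,
                    pid_range: int) -> float:
    """Bits an observer must guess, given how tightly each component is bounded.

    An observer who knows the send time to the second has second_uncertainty=1;
    microseconds are at most 10**6 values (about 2^20); pids at most 2^15 on
    the systems of the period, far fewer if the observer can learn them.
    """
    return math.log2(second_uncertainty * microsecond_range * pid_range)


def recover_seed(target_key: bytes, first_second: int, second_uncertainty: int,
                 microsecond_range: int, pid_range: int):
    """Enumerate the bounded seed space and return the seed that yields target_key.

    This is the search the post describes: it costs the product of the three
    ranges, not 2^40.  Returns None if the seed lies outside the assumed bounds.
    """
    for s in range(first_second, first_second + second_uncertainty):
        for us in range(microsecond_range):
            for pid in range(pid_range):
                if toy_session_key(s, us, pid) == target_key:
                    return (s, us, pid)
    return None


def csprng_session_key() -> bytes:
    """The fix: draw the 40 bits from the OS entropy pool, so no seed exists to guess."""
    return os.urandom(5)


if __name__ == "__main__":
    # Constructed scenario: time known to within 2 seconds, microseconds
    # bounded to 1000 values, pid bounded to 64 values.
    true_seed = (1_000_000_001, 777, 42)
    key = toy_session_key(*true_seed)
    bits = seed_space_bits(2, 1000, 64)
    print(f"key space: 40 bits, effective seed space: {bits:.1f} bits")
    print("recovered seed:", recover_seed(key, 1_000_000_000, 2, 1000, 64))
    print("realistic 1995 bounds:",
          f"{seed_space_bits(1, 1_000_000, 32768):.1f} bits (pid unknown),",
          f"{seed_space_bits(1, 1_000_000, 1):.1f} bits (pid known)")
    print("CSPRNG key length:", len(csprng_session_key()), "bytes")
```

The recovery loop in the demo finishes in well under a second for the constructed bounds, whereas a genuine 40-bit exhaustive search is 2^40 trials. The `seed_space_bits` figures for the 1995 bounds show where the post's "fewer than 2^30, often more like 2^20" comes from: the microsecond field alone is about 20 bits, and the pid adds at most 15 more, none if it can be observed.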

The third crack was to notice that Netscape isn't very careful with array bounds
(in true C fashion), allowing you to push stuff on the stack by handing it a URL
with a very long name.  If you're careful, you can put interesting stuff on the
stack, so it does more than just crash in an ugly fashion.

However, three's a charm, and it's now time to Hack Microsoft, especially since
Microsoft has been saying bad things about Netscape, when almost every encryption
product in a Microsoft tool is wimpy beyond repair, and when their newest and
niftiest stuff also has 40-bit keys for export versions, without even as much salt
as Netscape used.
#---
#                                       Thanks;  Bill
# Bill Stewart, Freelance Information Architect, [email protected]
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---