Bugtraq mailing list archives
Re: Netscape 4.5 vulnerability
From: juolja () UTU FI (Juha Jäykkä)
Date: Fri, 16 Apr 1999 09:04:31 +0300
Not like a DES , this encryption can be decrypted. As a result of many experiments i wrote this program. It gives me almost all passwords in my system, because all people use Netscape.
Blast it. It does not matter even if you used TwoFish, BlowFish or IDEA! The passwords saved in the preferences file would still be easily decrypted. People seem to be forgetting a very important point here: the encryption password must be internally stored somewhere because the user never gets asked for it. Thus it is not never necessary to "crack" the passwords because we can always use the original password. I see this same line of thought here every now and then: people report "bugs" like this while they are indeed vulnerable by design. There is no secure way of storing a password and recalling it without asking the user for some kind of passphrase. Please someone correct me, if I'm wrong at this. I know of no such cryptosystem. The method of saving only a hash won't work here since the actual password is needed in order to access the pop server. While I'm at it, has Netscape corrected the imap password saving behaviour yet? Up to, and including, communicator 4.5 the imap passwords got stored to the preferences file regardless of the setting "Remember my password". I have disallowed write access to my prefs.js file to prevent the imap password from being stored but it's quite frustrating to change the permissions every time I need to turn Javascript on to view some darn page that doesn't work without. -- Juha Jäykkä, juhaj () iki fi PS See http://www.dcs.ex.ac.uk/~aba/rsa/ for latest version of RSA in perl. Here goes the RSA code in two lines: print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
Current thread:
- Re: Netscape 4.5 vulnerability Jon Schlegel (Apr 08)
- <Possible follow-ups>
- Re: Netscape 4.5 vulnerability Wojtek Kaniewski (Apr 08)
- Re: Netscape 4.5 vulnerability Dima Volodin (Apr 09)
- Re: Netscape 4.5 vulnerability Juha Jäykkä (Apr 15)
- stored credentials was: Netscape 4.5 vulnerability Russell Fulton (Apr 18)
- Re: stored credentials was: Netscape 4.5 vulnerability Bernd Eckenfels (Apr 20)
- Bug in WinNT 4.0 SP4 Alvaro Gilabert (Apr 19)
- Re: Bug in WinNT 4.0 SP4 David LeBlanc (Apr 20)
- Security Bulletins Digest aleph1 () UNDERGROUND ORG (Apr 20)
- stored credentials was: Netscape 4.5 vulnerability Russell Fulton (Apr 18)