Bugtraq mailing list archives

Re: Possible Netscape Crypto Security Flaw

From: pkrawczy () UIUC EDU (Pete Krawczyk)
Date: Tue, 16 Feb 1999 11:07:05 -0600


At 09:13 PM 2/14/99 -0600, Haze wrote:

Well
then the cracker could perform a brute force crack on the encryption and
attempt to gain access to the Regular Joe A's ISP and/or pop3 e-mail
account...


To get to the POP3 account, you'd only need to put the password in a
registry key of your own, then check the mail.  I would imagine that the
key to encrypt is the same across all copies of Netscape.

Along those lines, if you had a sniffer next to the computer you put the
encrypted password on, you could sniff the real password in transit and
thus not have to brute force attack the password, since POP3 is cleartext
traffic.

-Pete K
--
Pete Krawczyk                          http://www.uiuc.edu/ph/www/pkrawczy/
 pkrawczy at uiuc dot edu         Finger the 2nd address for PGP Public Key
 petek at bsod dot net     "No spammies, no spammies, no spammies... stop!"

Current thread:

Re: [proftpd-l] root compromise ? (fwd) Rodrigo Campos (Feb 09)
- Re: [proftpd-l] root compromise ? (fwd) Joe Schmo (Feb 12)
  - Re: [proftpd-l] root compromise ? (fwd) monk (Feb 13)
  - Re: [proftpd-l] root compromise ? (fwd) Dirk Moerenhout (Feb 13)
    - Possible Netscape Crypto Security Flaw Haze (Feb 14)
    - Re: Possible Netscape Crypto Security Flaw Pete Krawczyk (Feb 16)
    - snap utility for AIX. Larry W. Cashdollar (Feb 17)
    - Re: snap utility for AIX. Brian Hauber (Feb 18)
    - mSQL vulnerability. Christofer C. Bell (Feb 17)
    - OT: Copyright on Security advisories Aviram Jenik (Feb 18)
    - Re: OT: Copyright on Security advisories Doug Granzow (Feb 19)
    - Re: mSQL vulnerability. John W. Temples (Feb 18)
    - Debian GNU/Linux 2.0r5 released (fwd) Jamie Fifield (Feb 17)
    - Regarding passwords in registry keys. Ash (Feb 19)
    - Re: [proftpd-l] root compromise ? (fwd) Nic Bellamy (Feb 14)
  - ICQ99 crash loser (Feb 14)

(Thread continues...)