Information Security News mailing list archives
Netscape security flaw revealed
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 20 Dec 1999 02:19:14 -0700
Forwarded From: "John Q. Public" <tpublic () dimensional com>

http://www.zdnet.com/zdnn/stories/news/0,4586,2409537,00.html

By Sharon Cleary, WSJ Interactive Edition
December 15, 1999 5:50 AM PT

A software-security firm warned that its researchers have found a potentially serious security flaw in the e-mail system used by Netscape's Web browser.

Reliable Software Technologies, a Sterling, Va., software-security company, said Tuesday that two RST engineers needed just eight hours to duplicate the mathematical algorithm Netscape Mail uses to scramble users' passwords. The company said the problem affects all current versions of Netscape.

Gary McGraw, vice president for corporate technology at RST, said the Netscape algorithm was "not an obvious sitting duck -- [the password] appears to be scrambled up in a good way, but it's not cryptographically strong." That would allow a determined hacker to reverse-engineer the algorithm and figure out the password.

[...]

Officials of Netscape, now a division of Dulles, Va.-based America Online Inc. (NYSE: AOL, were concerned by the news but said the unit has no plans to change its algorithm. [sic, bad parens]

Chris Saito, the senior director for product management at Netscape, said that the option to save a password locally was included for convenience. Saito added that Netscape didn't use a stronger encryption algorithm to protect passwords so that "computer experts could still access the information, in case someone forgot their password."

[snip]

ISN is sponsored by Security-Focus.COM