Information Security News mailing list archives

Netscape security flaw revealed


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 20 Dec 1999 02:19:14 -0700

Forwarded From: "John Q. Public" <tpublic () dimensional com>

http://www.zdnet.com/zdnn/stories/news/0,4586,2409537,00.html

By Sharon Cleary, WSJ Interactive Edition
December 15, 1999 5:50 AM PT

A software-security firm warned that its researchers have found a
potentially serious security flaw in the e-mail system used by Netscape's
Web browser.

Reliable Software Technologies, a Sterling, Va., software-security
company, said Tuesday that two RST engineers needed just eight hours to
duplicate the mathematical algorithm Netscape Mail uses to scramble users'
passwords.  The company said the problem affects all current versions of
Netscape.

Gary McGraw, vice president for corporate technology at RST, said the
Netscape algorithm was "not an obvious sitting duck -- [the password]
appears to be scrambled up in a good way, but it's not cryptographically
strong."  That would allow a determined hacker to reverse-engineer the
algorithm and figure out the password.

[...]

Officials of Netscape, now a division of Dulles, Va.-based America Online
Inc. (NYSE: AOL, were concerned by the news but said the unit has no plans
to change its algorithm. [sic, bad parens]

Chris Saito, the senior director for product management at Netscape, said
that the option to save a password locally was included for convenience.
Saito added that Netscape didn't use a stronger encryption algorithm to
protect passwords so that "computer experts could still access the
information, in case someone forgot their password."

[snip]

ISN is sponsored by Security-Focus.COM

