Bugtraq mailing list archives

Re: Netscape 4.5 vulnerability


From: juolja () UTU FI (Juha Jäykkä)
Date: Fri, 16 Apr 1999 09:04:31 +0300


> Not like DES, this encryption can be decrypted. As a result of many
> experiments I wrote this program. It gives me almost all passwords in my
> system, because all people use Netscape.

  Blast it. It does not matter even if you used TwoFish, BlowFish or
IDEA! The passwords saved in the preferences file would still be easily
decrypted.
  People seem to be forgetting a very important point here: the
encryption password must be internally stored somewhere because the user
never gets asked for it. Thus it is never necessary to "crack" the
passwords because we can always use the original password.
  I see this same line of thought here every now and then: people report
"bugs" like this while they are indeed vulnerable by design. There is no
secure way of storing a password and recalling it without asking the
user for some kind of passphrase. Please someone correct me if I'm
wrong about this. I know of no such cryptosystem.
  The method of saving only a hash won't work here since the actual
password is needed in order to access the POP server.
  While I'm at it, has Netscape corrected the IMAP password saving
behaviour yet? Up to, and including, Communicator 4.5 the IMAP passwords
got stored to the preferences file regardless of the setting "Remember
my password". I have disallowed write access to my prefs.js file to
prevent the IMAP password from being stored but it's quite frustrating
to change the permissions every time I need to turn JavaScript on to
view some darn page that doesn't work without.

--
Juha Jäykkä, juhaj () iki fi
PS See http://www.dcs.ex.ac.uk/~aba/rsa/ for latest version of RSA in
perl.
Here goes the RSA code in two lines:
print pack"C*",split/\D+/,`echo
"16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
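
Added example, not part of the original post and not Netscape's actual scheme: a Python sketch of the design point argued above, comparing a saved password sealed under a key that ships with the client against one sealed under a key derived from a passphrase the user types. All names, the embedded key and the toy HMAC-based cipher are constructed for illustration.

```python
import hashlib, hmac, os

# Constructed stand-in for a key shipped inside the client binary (design A).
EMBEDDED_KEY = b"constructed-key-every-install-shares"

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher for illustration: HMAC-SHA256 in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, secret: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, secret)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

# Design A: no prompt. Everything needed to decrypt is on disk with the client.
def save_no_prompt(password: bytes) -> bytes:
    return seal(EMBEDDED_KEY, password)

def load_no_prompt(stored: bytes) -> bytes:
    return unseal(EMBEDDED_KEY, stored)      # any reader of the file can do this

# Design B: key derived from a passphrase the user types; only the salt is stored.
def _kdf(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def save_with_passphrase(password: bytes, passphrase: str) -> bytes:
    salt = os.urandom(16)
    return salt + seal(_kdf(passphrase, salt), password)

def load_with_passphrase(stored: bytes, passphrase: str) -> bytes:
    return unseal(_kdf(passphrase, stored[:16]), stored[16:])
```

In design A the strength of the cipher is irrelevant because the key travels with the data; in design B the stored blob is only as strong as the passphrase and the key-derivation cost.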


