Bugtraq mailing list archives
Re: Netscape password scrambling
From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Mon, 20 Dec 1999 12:13:17 -0500
> More importantly, some people have claimed that the entire password saving issue is a red herring since there is no way to protect a secret on the host.
I don't think I've said so, but I agree with those "some people".
> This criticism is worth thinking about more carefully. We suggest that Netscape "raise the bar" by using triple-DES and hiding key material for the cipher throughout the code. But can't you just apply some clever SoftICE to find the key? Of course you can! Doing so requires much more sophistication than simply cracking a "magic decoder ring" scrambler, however.
Yeah...but it doesn't need to be done but once. Once someone does it and the key is known, decrypting a crypted password is a total no-brainer. (Exploiting some of the subtler security holes requires a degree of sophistication, too - but once exploit code is written, *using* it is typically well within the reach of even the point-and-drool crowd.)

The only way this would be of any use is if a new random[%] key is generated for each install. Never having installed Netscape, I don't know whether their install procedure is such that this is feasible. But it does seem to me to be the only way to actually do anything of the sort - then the attacker needs to steal the relevant key material from wherever the install procedure stashed it (inside the executable, perhaps?) as well as stealing the file with the encrypted password.

[%] And it needs to be at least semi-decently random, too - a trivial massaging of something the attacker can trivially discover Just Won't Do.

der Mouse
mouse () rodents montreal qc ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
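
The key-handling options discussed in the message above, compared in an added example that is not part of the original post or of any Netscape code. It seals the same password under a key embedded in every copy, a key derived from discoverable values, and a per-install random key, then checks which sealed files can be read without the install's own key material. The key names, host and user values are constructed, and the SHAKE-256 keystream is a standard-library stand-in for a real cipher such as the triple-DES mentioned in the quoted text.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a key compiled into every shipped copy of a program.
EMBEDDED_KEY = hashlib.sha256(b"constructed-key-in-every-binary").digest()

def derived_key(hostname: str, username: str) -> bytes:
    """'Trivial massaging' of values that anyone can look up."""
    return hashlib.sha256(f"{hostname}:{username}".encode()).digest()

def per_install_key() -> bytes:
    """Fresh 256-bit key from the OS CSPRNG, generated once at install time."""
    return secrets.token_bytes(32)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHAKE-256 keystream: stdlib stand-in for a real cipher, illustration only.
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, password: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, password)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key, or the file was modified
    return _xor_stream(key, nonce, ct)

def readable_from_file_alone(blob: bytes, hostname: str, username: str):
    """Model someone holding only the password file: the keys open to them are
    the embedded one (extracted once, by anyone) and anything recomputable."""
    for key in (EMBEDDED_KEY, derived_key(hostname, username)):
        plaintext = unseal(key, blob)
        if plaintext is not None:
            return plaintext
    return None

def compare_strategies() -> dict:
    password, host, user = b"constructed-password", "ws-042.example", "alice"
    keys = {"embedded": EMBEDDED_KEY, "derived": derived_key(host, user),
            "per-install": per_install_key()}
    return {name: readable_from_file_alone(seal(k, password), host, user) == password
            for name, k in keys.items()}

if __name__ == "__main__":
    print(compare_strategies())
```

Only the per-install random key leaves the sealed file unreadable on its own, and it then shifts the protection problem to wherever the installer stored that key.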