At 11:14 AM 12/11/95, hallam@w3.org wrote:
So, is this what happened at Crypto AG? Is this what happened at Netscape? We may never no for certain, but there is a final warning for the folks at Netscape that is buried the Sun's article about Crypto AG:
No it is nothing like what happened at Netscape which was a common or garden cock up. It was simply the result of miscommunication between two groups of people being the original and new security team. Taher et al thought that the random number seed was OK because they discovered a design document describing it. Unfortunately the code had not been written to implement that design.
Phill
Thanks for the deeper insight. Sure it was probably a mistake. But someone made the decision to write code that didn't conform to that design document. That person was probably saying, "Random number generator. Cool. I can use the standard C library." or whatever. But that person could have been saying, "Hey, if I slip this in then I'll be able to snag the session keys with impunity." We'll never know for sure. -Peter