paul@fatmans.demon.co.uk wrote:
> I don't know what PRNG netscape used in the broken version, can anyone tell me what they used, and whether it was the PRNG or the seed that was weak
The problem was with the seed; it was especially vulnerable to attacks from somebody running on the same machine. Sufficient entropy is now obtained during initialization and the PRNG is reseeded reasonably often during execution. For the Navigator, this is every time the user event loop cycles.
> also I would be interested to know what they are using now in terms of the algorithm and seed...
A pointer to the fixed code was posted to cypherpunks last year.

PK
--
Philip L. Karlton                      karlton@netscape.com
Principal Curmudgeon                   http://www.netscape.com/people/karlton
Netscape Communications Corporation

Everything should be made as simple as possible, but not simpler.
-- Albert Einstein
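The two-part fix Karlton describes (enough seed entropy at start-up, then reseeding every event-loop cycle) is sketched below as an added illustration; this is not Netscape's code or anything from the thread, and the class name, the 32-byte minimum, and the hash-based construction are this example's own assumptions.

```python
import hashlib
import os
import struct


class ReseedingPRNG:
    """Hash-based generator: seeded from the OS entropy source, then mixes fresh
    entropy back in once per event-loop cycle. Illustrative only; production code
    should use the OS CSPRNG or a vetted DRBG rather than a hand-rolled one."""

    MIN_SEED_BYTES = 32  # assumption: demand at least 256 bits of seed material

    def __init__(self, seed_material=None, reseed_interval=1):
        if seed_material is None:
            seed_material = os.urandom(self.MIN_SEED_BYTES)
        if len(seed_material) < self.MIN_SEED_BYTES:
            # A short seed is the failure mode discussed in the thread: refuse it.
            raise ValueError("insufficient seed material")
        self.state = hashlib.sha256(b"init" + seed_material).digest()
        self.counter = 0
        self.reseed_interval = reseed_interval
        self.cycles_since_reseed = 0

    def reseed(self, extra=b""):
        # Fold current state, fresh OS entropy and caller-supplied data together.
        self.state = hashlib.sha256(
            b"reseed" + self.state + os.urandom(32) + extra).digest()
        self.cycles_since_reseed = 0

    def event_loop_cycle(self, event_data=b""):
        # Hook to call once per UI event-loop iteration, as the thread describes.
        self.cycles_since_reseed += 1
        if self.cycles_since_reseed >= self.reseed_interval:
            self.reseed(event_data)

    def random_bytes(self, n):
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hashlib.sha256(
                b"out" + self.state + struct.pack(">Q", self.counter)).digest()
        # Ratchet so a later state compromise does not reveal earlier output.
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out[:n]
```

Two generators built from the same seed agree until one of them sees an event-loop cycle, after which their streams diverge; that divergence is what the reseeding buys.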