Markoff's article in the Times says:
Netscape officials said today that they would strengthen the system, by making it significantly harder to determine the random number at the heart of their coding system. They said they would no longer disclose what data would be used to generate the random numbers.
Not, of course, that they disclosed it before -- it was found by reverse engineering the distributed executable. Not, of course, that they have a choice in the matter of whether to disclose it -- they will be "disclosing" how its done as soon as they release the code. Not, of course, that security through obscurity does any good -- it just magnifies the pain. I suspect that there are far more flaws in Netscape. String buffer overflows are another good guess here -- they are probably rampant through the code both for the browser and the commerce server they sell. I can't prove it myself, of course, given that I don't have the time to rip the thing apart, but the same folks never seemed to learn their lesson in release after release when they worked at NCSA, and the only thing thats probably keeping their dignity here is the lack of distributed source code. I'll pay for the "I broke Netscape's Security" T-Shirt for the enterprising person that takes the time to find them in the object code. (See Sameer's page on the shirts he's developing as prizes for the Netscape flaw finders.) Two "I broke Netscape's Security" T-Shirts to that daring soul at Netscape who finds the next flaw and has the balls to mention it in public instead of sweeping it under the carpet -- even if the person is Marc Andreessen. Perry