In article <199509190355.XAA01329@frankenstein.piermont.com>, perry@piermont.com (Perry E. Metzger) writes:
> Markoff's article in the Times says:
>
>     Netscape officials said today that they would strengthen the system, by making it significantly harder to determine the random number at the heart of their coding system. They said they would no longer disclose what data would be used to generate the random numbers.
>
> Not, of course, that they disclosed it before -- it was found by reverse engineering the distributed executable. Not, of course, that they have a choice in the matter of whether to disclose it -- they will be "disclosing" how it's done as soon as they release the code. Not, of course, that security through obscurity does any good -- it just magnifies the pain.
Regardless of what Markoff implies, we do not intend to depend on security through obscurity.
> I suspect that there are far more flaws in Netscape. String buffer overflows are another good guess here -- they are probably rampant through the code both for the browser and the commerce server they sell. I can't prove it myself, of course, given that I don't have the time to rip the thing apart, but the same folks never seemed to learn their lesson in release after release when they worked at NCSA, and the only thing that's probably keeping their dignity here is the lack of distributed source code.
Sigh. For your information, the security code for 1.x versions of Netscape was not even written by someone from NCSA. The current security team (which does not include the person who did the 1.x version) also does not include anyone from NCSA. While I can't guarantee that such buffer overflow errors don't exist in our current products, since I have not personally examined every line of code, your generalization from experience with Mosaic is bogus. In the places in the code that I have seen where it looked like such errors could have crept in, I have found that the correct checks for buffer overflow have been in place.

--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
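The thread argues about whether "correct checks for buffer overflow" are in place around fixed-size string fields. The following is an added illustration, not code from Netscape or from either poster, of what such a check looks like in C: an unchecked `strcpy` into a fixed field next to a bounded copy that measures the input first, refuses anything that would not fit with its terminator, and leaves the destination well-defined either way. The field width, function names and sample hostnames are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size field, as in many 1990s C programs (width chosen for the example). */
#define HOSTNAME_MAX 16

/* Result of a bounded copy: accepted, or rejected because it would not fit. */
enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1 };

/* Unchecked pattern, shown for contrast only: strcpy trusts the caller to have
 * sized dst correctly, so an overlong src writes past the end of the field.
 * Nothing in this file calls it with overlong input. */
void copy_hostname_unchecked(char dst[HOSTNAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Bounded length: scans at most 'limit' bytes, so it never reads past a field
 * that happens to be unterminated (strnlen is not in strict C89/C99, hence a loop). */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Checked pattern: measure first, reject anything that would not fit together
 * with its NUL terminator, and make dst a valid (empty) string on rejection. */
enum copy_status copy_hostname_checked(char dst[HOSTNAME_MAX], const char *src) {
    size_t n = bounded_len(src, HOSTNAME_MAX);
    if (n >= HOSTNAME_MAX) {      /* n == HOSTNAME_MAX means no room for the NUL */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, n + 1);      /* n + 1 copies the terminator as well */
    return COPY_OK;
}

/* Stand-alone check: 1 when the checked copy accepts src and the stored value
 * round-trips exactly, 0 when the input was rejected or did not round-trip. */
int checked_copy_roundtrips(const char *src) {
    char field[HOSTNAME_MAX];
    if (copy_hostname_checked(field, src) != COPY_OK) return 0;
    return strcmp(field, src) == 0;
}

int main(void) {
    /* Constructed sample inputs: one fits the field, one does not. */
    const char *short_name = "ftp.example";
    const char *long_name  = "a-hostname-that-is-far-too-long.example";
    char field[HOSTNAME_MAX];

    printf("short: status=%d value=\"%s\"\n",
           copy_hostname_checked(field, short_name), field);
    printf("long:  status=%d value=\"%s\"\n",
           copy_hostname_checked(field, long_name), field);
    return 0;
}
```

The design point is that the length check happens before any byte is written and that rejection is a status the caller must handle, rather than silent truncation; truncating a hostname or path silently can turn one value into a different, still-valid one, which is its own class of bug.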