
John Young wrote:
Still, it would be good to know if a Netscape snooper could snarf a key while it is being used by PGP to decrypt, that is, whether the hole allows snooping on dynamic ops or just on stored info.
Does anyone know if the hole finders are discussing this on the Net, and if so, where? What are the folks at Netscape saying? Tom, Jeff?

We aren't talking about it much. We've released some information to the press and posted a release on our web site. This attack can be used to grab any file from the user's hard drive, provided you know the file name and path. It exploits a bug in the way forms are handled. You can guard against this attack by turning on the warning dialog for submitting a form over an insecure connection. We have a fix which we are testing now, and we'll have it out early next week for 4.0. A fix for 3.x will follow once we have 4.0 fixed.

--
What is appropriate for the master is not appropriate | Tom Weinstein
for the novice. You must understand Tao before        | tomw@netscape.com
transcending structure. -- The Tao of Programming     |