Eric Young writes:
Sigh. For your information the security code for 1.x versions of Netscape was not even written by someone from NCSA. The current security team (which does not include the person who did the 1.x version) also does not include anyone from NCSA. While I can't
I will defend Netscape's code on the point about the RNG even though I have not seen any. I assume the Netscape code is quite large and each release would have to pass various functionality tests. How can you test that the RND seeding is wrong?
The seeding isn't "wrong"; it's a design flaw. (At least that's my understanding; maybe I missed something.)
You have to actually look at the code, the numbers coming out are still random.
Two words: "design review".
This sort of error can only be checked by reading the code and specifically looking at critical routines like the RNG seeding routines.
Uhh... OK. Sounds like a plan to me. For critical pieces of code like that, having repeated exhaustive design/implementation reviews should be a matter of course.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX    |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
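An added illustration of the point argued in this exchange (not code from either poster and not Netscape's): an output-based functional test passes on a generator whose seed is weak, while a design-review check on the seed inputs flags it. The seed inputs (a clock value and a process id), their ranges, the 128-bit threshold and all function names are assumptions made for the example.

```python
import math
import random

MIN_SEED_BITS = 128  # assumed review threshold, not taken from the post


def make_seed(timestamp_s: int, pid: int) -> int:
    """Hypothetical weak design: seed derived only from clock and process id."""
    return (timestamp_s << 15) ^ pid


def generate(seed: int, nbytes: int) -> bytes:
    """Deterministic generator output for a given seed (Mersenne Twister)."""
    return random.Random(seed).getrandbits(8 * nbytes).to_bytes(nbytes, "big")


def monobit_ok(data: bytes, tolerance: float = 0.005) -> bool:
    """Functional-style test: the fraction of 1 bits is close to one half."""
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones / (8 * len(data)) - 0.5) < tolerance


def seed_entropy_bits(input_ranges: dict) -> float:
    """Design-review check: upper bound on seed entropy, given how many
    values each seed input can plausibly take from an observer's view."""
    return sum(math.log2(n) for n in input_ranges.values())


def review(input_ranges: dict) -> dict:
    """Compare the seed entropy bound against the review threshold."""
    bits = seed_entropy_bits(input_ranges)
    return {"seed_bits": round(bits, 1), "acceptable": bits >= MIN_SEED_BITS}


# Constructed sample values, for illustration only.
SAMPLE_SEED = make_seed(timestamp_s=811_000_000, pid=1234)
SAMPLE_INPUTS = {"timestamp within one hour (s)": 3600, "process id": 32768}

if __name__ == "__main__":
    out = generate(SAMPLE_SEED, 1 << 16)
    print("output test passes:", monobit_ok(out))    # statistics look fine
    print("design review:", review(SAMPLE_INPUTS))   # seed inputs do not
```

The statistical test only sees the generator's output distribution; the entropy bound comes from reading how the seed is built, which is what a design review examines.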