Security Update news release
Here is the press release we put out this morning regarding the fix for RNG seed and stack overflow problems. --Jeff BETA VERSIONS OF NETSCAPE SECURITY UPDATE TO BE AVAILABLE WEDNESDAY FOR FREE DOWNLOADING Company Puts New Code on Net for Examination; Outside Security Experts Reviewing Software MOUNTAIN VIEW, Calif. (September 25, 1995) -- Netscape Communications Corporation (NASDAQ: NSCP) today announced that it has completed beta versions of the security update for its client and server software and will post the new software for free downloading from the Internet on Wednesday, September 27. The beta versions of the software updates, being posted following a review by internal and outside experts, are in response to the potential vulnerability in the company's security implementation discovered last weekend by two University of California at Berkeley students. In addition, Netscape is taking the opportunity to include other improvements with this update. Netscape addressed the potential vulnerability by increasing the amount of random information it uses to seed the random number generator in its security implementation. In Netscape's security approach, the random number generated is used in a mathematical formula to create a "session key" for encrypting information to be sent across the Internet. The new solution uses many times more random information than the previous version, ensuring much greater degrees of difficulty in identifying the key used to encrypt a particular session. The solution is also now assembled in a platform-dependent manner which, when combined with the increase in random information, makes Netscape's products substantially more secure than before the update. Netscape's source code that will be used to address the potential vulnerability has already been posted on the Internet so that it can be reviewed by anyone wishing to do so. This technique is often used in the development of security software to ensure the highest level of inspection possible before the final software is made available to customers. The code is also being reviewed by external security experts retained by Netscape and various Netscape platform partners with expertise in specific operating system environments to provide additional checks on the soundness of Netscape's approach. "We have always encouraged users to provide feedback on new versions of our software, and our posting of this security source code on the Internet is a natural extension of that approach," said Mike Homer, vice president of marketing at Netscape. "We plan to continue to use the Internet to test new software versions, as we will shortly with the beta version of our newly announced Netscape Navigator 2.0. We expect that this kind of open review will help us continue to create products of the highest quality." Netscape is using the opportunity of this week's beta releases to also update other portions of its software, addressing such issues as domain-name limitations in international versions of Netscape Navigator and potential stack overflow conditions. Netscape is also placing the beta versions of the security updates for its Netscape servers on the Internet for free download by customers. "We process hundreds of customer orders daily using Netscape software. Netscape's commitment to excellence as evidenced by the company's immediate action in response to reported vulnerabilities is one of the many reasons Internet Shopping Network has chosen Netscape products for conducting Internet commerce," said Randy Adams, president of Internet Shopping Network. "We have built a multi-million dollar business on the Internet using Netscape products and they are a major factor in our success." The beta versions of the updated software -- Netscape Navigator 1.2.1b for Windows, Netscape Navigator 1.1.1b for Macintosh and UNIX, Netscape Commerce Server 1.1.1b, and Netscape Proxy Server 1.1.1b -- will be available on Wednesday for downloading from Netscape's home page at http://home.netscape.com. All Netscape users are encouraged to download the new versions as soon as possible to ensure they are using the most up-to-date security software from Netscape. Final versions of the updates will be posted after all testing is complete. Netscape Communications Corporation is a premier provider of open software to enable people and companies to exchange information and conduct commerce over the Internet and other global networks. The company was founded in April 1994 by Dr. James H. Clark, founder of Silicon Graphics, Inc., a Fortune 500 computer systems company; and Marc Andreessen, creator of the NCSA Mosaic research prototype for the Internet. Traded on Nasdaq under the symbol "NSCP", Netscape Communications Corporation is based in Mountain View, California. ### Additional information on Netscape Communications Corporation is available on the Internet at http://home.netscape.com, by sending email to info@netscape.com or by calling 415-528-2555. Netscape Communications, the Netscape Communications logo, Netscape, Netscape Navigator, Netscape Commerce Server and Netscape Proxy Server are trademarks of Netscape Communications Corporation. All other product names are trademarks of their respective companies. -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. We issued the following news release this morning: ---------------------- FOR IMMEDIATE RELEASE BETA VERSIONS OF NETSCAPE SECURITY UPDATE TO BE AVAILABLE WEDNESDAY FOR FREE DOWNLOADING Company Puts New Code on Net for Examination; Outside Security Experts Reviewing Software MOUNTAIN VIEW, Calif. (September 25, 1995) -- Netscape Communications Corporation (NASDAQ: NSCP) today announced that it has completed beta versions of the security update for its client and server software and will post the new software for free downloading from the Internet on Wednesday, September 27. The beta versions of the software updates, being posted following a review by internal and outside experts, are in response to the potential vulnerability in the company's security implementation discovered last weekend by two University of California at Berkeley students. In addition, Netscape is taking the opportunity to include other improvements with this update. Netscape addressed the potential vulnerability by increasing the amount of random information it uses to seed the random number generator in its security implementation. In Netscape's security approach, the random number generated is used in a mathematical formula to create a "session key" for encrypting information to be sent across the Internet. The new solution uses many times more random information than the previous version, ensuring much greater degrees of difficulty in identifying the key used to encrypt a particular session. The solution is also now assembled in a platform-dependent manner which, when combined with the increase in random information, makes Netscape's products substantially more secure than before the update. Netscape's source code that will be used to address the potential vulnerability has already been posted on the Internet so that it can be reviewed by anyone wishing to do so. This technique is often used in the development of security software to ensure the highest level of inspection possible before the final software is made available to customers. The code is also being reviewed by external security experts retained by Netscape and various Netscape platform partners with expertise in specific operating system environments to provide additional checks on the soundness of Netscape's approach. "We have always encouraged users to provide feedback on new versions of our software, and our posting of this security source code on the Internet is a natural extension of that approach," said Mike Homer, vice president of marketing at Netscape. "We plan to continue to use the Internet to test new software versions, as we will shortly with the beta version of our newly announced Netscape Navigator 2.0. We expect that this kind of open review will help us continue to create products of the highest quality." Netscape is using the opportunity of this week's beta releases to also update other portions of its software, addressing such issues as domain-name limitations in international versions of Netscape Navigator and potential stack overflow conditions. Netscape is also placing the beta versions of the security updates for its Netscape servers on the Internet for free download by customers. "We process hundreds of customer orders daily using Netscape software. Netscape's commitment to excellence as evidenced by the company's immediate action in response to reported vulnerabilities is one of the many reasons Internet Shopping Network has chosen Netscape products for conducting Internet commerce," said Randy Adams, president of Internet Shopping Network. "We have built a multi-million dollar business on the Internet using Netscape products and they are a major factor in our success." The beta versions of the updated software -- Netscape Navigator 1.2.1b for Windows, Netscape Navigator 1.1.1b for Macintosh and UNIX, Netscape Commerce Server 1.1.1b, and Netscape Proxy Server 1.1.1b -- will be available on Wednesday for downloading from Netscape's home page at http://home.netscape.com. All Netscape users are encouraged to download the new versions as soon as possible to ensure they are using the most up-to-date security software from Netscape. Final versions of the updates will be posted after all testing is complete. Netscape Communications Corporation is a premier provider of open software to enable people and companies to exchange information and conduct commerce over the Internet and other global networks. The company was founded in April 1994 by Dr. James H. Clark, founder of Silicon Graphics, Inc., a Fortune 500 computer systems company; and Marc Andreessen, creator of the NCSA Mosaic research prototype for the Internet. Traded on Nasdaq under the symbol "NSCP", Netscape Communications Corporation is based in Mountain View, California. ### Additional information on Netscape Communications Corporation is available on the Internet at http://home.netscape.com, by sending email to info@netscape.com or by calling 415-528-2555. Netscape Communications, the Netscape Communications logo, Netscape, Netscape Navigator, Netscape Commerce Server and Netscape Proxy Server are trademarks of Netscape Communications Corporation. All other product names are trademarks of their respective companies. Rosanne M. Siino Director of Corporate Communications Netscape Communications Corp. 415-528-2619
Do the new versions use PGP's randseed.bin? If Netscape even only looks at data used to keep PGP secure, Netscape will be banned from my computer and every computer I am responsible for. -- For good.
Rather than get into a big fight about how safe it is for netscape to be reading PGPs randseed.bin file, I've changed our code to not do it. Instead of reading ~/.pgp/randseed.bin, we now get the name of a file from the environment variable NSRANDFILE, and pass that file's contents throught the RNG seed hash. If you decide that its safe, you can set the env variable to point to your randseed.bin file, or any other file of random bits you care to use. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
What happens if NSRANDFILE is set to /dev/random ? will netscape try to read an infinite number of random bytes ?
... do it. Instead of reading ~/.pgp/randseed.bin, we now get the name of a file from the environment variable NSRANDFILE, and pass that file's contents throught the RNG seed hash. If you decide that its safe, you can set the env variable to point to your randseed.bin file, or any other file of random bits you care to use. ... Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
Frank
On Sep 27, 8:32am, Frank A Stevenson wrote:
Subject: netscape NSRANDFILE compatible with /dev/random ?
What happens if NSRANDFILE is set to /dev/random ? will netscape try to read an infinite number of random bytes ?
In the current patch it will read up to 1 megabyte before stopping. In 2.0 I will add a way to specify a size. As a temporary hack you could use 'dd' to get the number of bytes you want into a file, then remove the file once netscape had started up. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
participants (2)
-
Frank A Stevenson -
Jeff Weinstein