response to netscape's press release
I plan on releasing a press release regarding the misleading statements made by Netscape in their statement about the seed bug, announcing the web page describing my objections in detail. The document is http://www.c2.org/hacknetscape/critique.phtml detailing my objections to their statements. I would appreciate comments, corrections, and criticisms. Thanks. (The press release will not be written in the style of the web page. ;-)

IN REPLY TO NETSCAPE

Netscape announced that they are going to "fix" the problem. In traditional Internet style, I will respond to their post.

> With this knowledge, an experienced computer programmer could decrypt messages sent by Netscape Navigator to other computers in a few hours of computation time.

"a few hours"? Ian and David's program generates keys in 25 seconds.

> The random information is found through a variety of functions that look into a user's machine for information about how many processes are running, process ID numbers, the current time in microseconds, etc.

Specifically, the Parent Process ID, the Process ID, and the time in microseconds. See the exploit code for more details.

> The current vulnerability exists because the size of random input is less than the size of the subsequent keys.

The vulnerability exists because the random input isn't random. Since when is the time "random"? I'm sure a few physicists would love to see your theories on that one. (Berkeley Standard Time notwithstanding)

> Once this improvement is made, protection of the random information will be as strong as the rest of the security built into Netscape Navigator.

That's not saying much, considering that the security community has not had a chance to independently verify the security in Netscape Navigator.

> Netscape has also begun to engage an external group of world-class security experts who will review our solution to this problem before it is sent to customers.

So after someone violates Netscape Navigator's security do they decide to have an external group verify their code. (Note that they still don't plan on making it available for the security community at large to review).

According to RSADSI's Jim Bidzos, his company offered to review Netscape's security when it was first introduced, but Netscape declined. "They're asking us to review it this time," he said.

> This discovery does not affect the strength or security of SSL (Secure Sockets Layer), RC4, or any other portions of our security implementations.

True, but this implies that SSL is a secure protocol, which has been shown to be false.

At the beginning of their release:

> Netscape secure software has been in use for almost a year on the Internet by millions of customers and no thefts of actual customer information protected by our security have been reported - this posting on the Internet reported a potential vulnerability, not the actual theft of customer information.

Yes, Netscape is very lucky that Ian and David are students, and not criminals. I sincerely hope that the next time someone finds a hole in Netscape that it's someone who would rather win a free T-shirt than steal lots of money.

--
sameer                                    Voice: 510-601-9777
Community ConneXion                       FAX: 510-601-9734
An Internet Privacy Provider              Dialin: 510-658-6376
http://www.c2.org (or login as "guest")   sameer@c2.org
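An added example, not part of the original message and not Netscape's code: it bounds how many bits of uncertainty a seed built from the Parent Process ID, the Process ID and the time in microseconds can carry, next to a key drawn from the operating system's CSPRNG. The SHA-256 mixing step, the 15-bit PID space and the two observer models are assumptions made for illustration.

```python
import hashlib
import math
import secrets

def weak_key(pid, ppid, sec, usec, key_bytes=16):
    """Key derived only from process IDs and the clock (constructed model)."""
    # SHA-256 as the mixing step is an assumption for illustration.
    material = f"{pid}:{ppid}:{sec}:{usec}".encode()
    return hashlib.sha256(material).digest()[:key_bytes]

def hardened_key(key_bytes=16):
    """Key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(key_bytes)

def seed_entropy_bits(candidates):
    """Upper bound in bits: log2 of the number of seed tuples still possible."""
    return sum(math.log2(n) for n in candidates.values())

def audit(candidates, key_bits):
    """Compare the seed's upper-bound entropy with the key size it feeds."""
    bits = seed_entropy_bits(candidates)
    return {
        "seed_bits": round(bits, 1),
        "effective_bits": round(min(bits, key_bits), 1),
        "adequate": bits >= key_bits,
    }

# Constructed observer models: how many values of each input remain possible.
# The 15-bit PID space is an assumption, as is knowing the second.
REMOTE = {"pid": 2**15, "ppid": 2**15, "sec": 1, "usec": 10**6}
LOCAL = {"pid": 1, "ppid": 1, "sec": 1, "usec": 10**6}  # can list processes

if __name__ == "__main__":
    for name, model in (("remote", REMOTE), ("local", LOCAL)):
        print(name, audit(model, key_bits=128))
    # Same inputs give the same key: nothing secret goes into the seed.
    a = weak_key(1234, 1, 811500000, 424242)
    b = weak_key(1234, 1, 811500000, 424242)
    print("weak keys equal:", a == b)
    print("hardened keys equal:", hardened_key() == hardened_key())
```

The bound is an upper limit: any input the observer can narrow further lowers it, while the key size never raises it.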
On Tue, 19 Sep 1995, sameer wrote:
> > Netscape secure software has been in use for almost a year on the Internet by millions of customers and no thefts of actual customer information protected by our security have been reported - this posting on the Internet reported a potential vulnerability, not the actual theft of customer information.
>
> Yes, Netscape is very lucky that Ian and David are students, and not criminals. I sincerely hope that the next time someone finds a hole in Netscape that it's someone who would rather win a free T-shirt than steal lots of money.
I hope exactly the reverse. It seems the only way the truth will get out and heads at Netscape or anywhere else will roll like they should. Consequences dictate incentives. No consequence, no incentive to avoid.
> --
> sameer                                    Voice: 510-601-9777
> Community ConneXion                       FAX: 510-601-9734
> An Internet Privacy Provider              Dialin: 510-658-6376
> http://www.c2.org (or login as "guest")   sameer@c2.org
---
"In fact, had Bancroft not existed, Franklin might have had to invent him."
potestas scientiae in usu est
in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
participants (2): Black Unicorn, sameer