Re: Impact of Netscape kernel hole
Huge Cajones wrote:
Tim's post (although refuted by Marc) raises some serious issues since I suspect that Joe Public has his secret key sitting in c:\pgp\secring.pgp
Isn't it widely known that the secret key is not to be stored in the box, as the PGP manual and security pubs emphasize? Still, it would be good to know if a Netscape snooper could snarf a key while it is being used by PGP to decrypt, that is, whether the hole allows snooping on dynamic ops or just on stored info. Does anyone know if the the hole finders are discussing this on the Net, and if so, where? What are the folks at Netscape saying? Tom, Jeff?
John Young wrote:
Still, it would be good to know if a Netscape snooper could snarf a key while it is being used by PGP to decrypt, that is, whether the hole allows snooping on dynamic ops or just on stored info.
Does anyone know if the the hole finders are discussing this on the Net, and if so, where? What are the folks at Netscape saying? Tom, Jeff?
We aren't talking about it much. We've released some information to the press and posted a release on our web site. This attack can be used to grab any file from the user's hard drive, provided you know the file name and path. It exploits a bug in the way forms are handled. You can guard against this attack by turning on the warning dialog for submitting a form over an insecure connection. We have a fix which we are testing now, and we'll have it out early next week for 4.0. A fix for 3.x will follow once we have 4.0 fixed. -- What is appropriate for the master is not appropriate| Tom Weinstein for the novice. You must understand Tao before | tomw@netscape.com transcending structure. -- The Tao of Programming |
Tom Weinstein wrote:
John Young wrote:
Still, it would be good to know if a Netscape snooper could snarf a key while it is being used by PGP to decrypt, that is, whether the hole allows snooping on dynamic ops or just on stored info.
Does anyone know if the the hole finders are discussing this on the Net, and if so, where? What are the folks at Netscape saying? Tom, Jeff?
We aren't talking about it much. We've released some information to the press and posted a release on our web site.
This attack can be used to grab any file from the user's hard drive, provided you know the file name and path. It exploits a bug in the way forms are handled. You can guard against this attack by turning on the warning dialog for submitting a form over an insecure connection.
We have a fix which we are testing now, and we'll have it out early next week for 4.0. A fix for 3.x will follow once we have 4.0 fixed.
Tom, are you going to release the linux version of netscape, and when. Thank you very much. - Igor.
Igor Chudov @ home wrote:
Tom, are you going to release the linux version of netscape, and when.
I believe we still intend to release a linux version, although it obviously has a lower priority than Solaris or the Mac. -- What is appropriate for the master is not appropriate| Tom Weinstein for the novice. You must understand Tao before | tomw@netscape.com transcending structure. -- The Tao of Programming |
On Sat, 14 Jun 1997, Tom Weinstein wrote:
Igor Chudov @ home wrote:
Tom, are you going to release the linux version of netscape, and when.
I believe we still intend to release a linux version, although it obviously has a lower priority than Solaris or the Mac.
Ok, I'll byte. Why is it obvious? Signed, a 50-license site that uses Linux but not Solaris nor Mac. --- John Adams -=- Computer Specialist & Network Guru O- NADEP Cherry Point Pensacola Florida +1.904.452.8551 DSN:922-8551 jadams@seahawk.navy.mil PGP ID 0x84E18C41 via key server - opinions expressed are entirely my own
| >Tim's post (although refuted by Marc) raises some serious issues since I | >suspect that Joe Public has his secret key sitting in c:\pgp\secring.pgp Are FAT file lists stored as files? On a Unix box, /. refers to the file containing directory entries, the list of files in the directory. If there is an analogous file on a dos box, you can explore. (Does the bug work on Unix? I've heard it only works if java or livescript are turned on, so it hasn't worried me enough to investigate.) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
participants (5)
-
Adam Shostack -
ichudov@Algebra.COM -
John Adams -
John Young -
Tom Weinstein