Re: Netscape is doing well -- give 'em a break.
Netscape is to be commended for even *putting* crypto into their product!
I'm impressed with the way Netscape has responded to recent events. It's refreshing to see a company say "yes, we made a mistake in our security software" rather than pretend there's no problem. Word Perfect encryption, anyone?
Cygnus' Kerberos faced the same random-seed problems and punted in similar ways.
Last time I looked, the MIT-MAGIC-COOKIE-1 scheme used in X11R4 had the same problem: the random seed was based on the current time to the microsecond, modulo the granularity of the system clock. I think I figured that on my hardware, if I could figure out which minute the X server started (easy with finger), I'd only have to try a few thousand keys or so. Caveat: I never actually proved the idea.
nelson@santafe.edu
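The seed-space arithmetic in the message above, worked through as an added example that is not part of the original post and is not X11 code: a toy model in which a 16-byte cookie depends only on a timestamp read from a coarse clock, next to a cookie drawn from the OS CSPRNG. The 10 ms tick, the SHA-256 stand-in generator and the sample timestamps are assumptions constructed for illustration.

```python
import hashlib
import math
import secrets

TICK_US = 10_000   # assumed clock granularity (10 ms); constructed, not from the post
WINDOW_S = 60      # the start time is known only to the minute

def candidate_seeds(minute_start_s, tick_us=TICK_US, window_s=WINDOW_S):
    """Every microsecond timestamp a clock with this tick could report in the window."""
    start_us = minute_start_s * 1_000_000
    return range(start_us, start_us + window_s * 1_000_000, tick_us)

def toy_cookie(seed_us):
    """Hypothetical stand-in generator: the cookie is a pure function of the seed."""
    return hashlib.sha256(seed_us.to_bytes(8, "big")).digest()[:16]

def effective_bits(minute_start_s, **kw):
    """Real entropy of the cookie: log2 of the number of possible seeds."""
    return math.log2(len(candidate_seeds(minute_start_s, **kw)))

def is_time_seeded(cookie, minute_start_s, **kw):
    """Audit check: does this cookie fall inside the time-derived candidate set?"""
    return any(toy_cookie(s) == cookie for s in candidate_seeds(minute_start_s, **kw))

def strong_cookie():
    """Hardened form: 128 bits taken directly from the operating system CSPRNG."""
    return secrets.token_bytes(16)

if __name__ == "__main__":
    minute = 811_296_000                                # constructed epoch second
    weak = toy_cookie(minute * 1_000_000 + 37_420_000)  # 37.42 s into that minute
    print("candidate seeds :", len(candidate_seeds(minute)))
    print("effective bits  : %.1f of a nominal 128" % effective_bits(minute))
    print("weak flagged    :", is_time_seeded(weak, minute))
    print("CSPRNG flagged  :", is_time_seeded(strong_cookie(), minute))
```

The cookie's length says nothing about its strength here: whatever the output size, the generator can only ever emit as many distinct values as there are possible seeds.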