netscape bug

David_A Wagner daw at CS.Berkeley.EDU
Mon Sep 25 12:58:06 PDT 1995


In article <199509201855.LAA17261 at netcom16.netcom.com> you write:
> 
> none of the articles mention that the cracker must have login access
> to the computer that the random numbers are generated on. is this true?
> does the code require knowledge of the PID etc. that can only be obtained
> by a login to the system that the netscape session is running on?
> 

No, the time, pid, and ppid often leak to a remote adversary too.
The attack probably requires a bit more sophistication when the
cracker doesn't have login access, but I believe it's still possible.

See my recent post to sci.crypt for some comments from Ian & me
about this.




