Impact of Netscape kernel hole (fwd)

Paul Bradley paul at fatmans.demon.co.uk
Sat Jun 14 09:46:53 PDT 1997




>It'd be nice to have more specifics about the whole situation, but
>regardless - any preliminary threat assessments?  Exactly how widely
>exploited do you think this has been?
>
>Tim's post (although refuted by Marc) raises some serious issues since I
>suspect that Joe Public has his secret key sitting in c:\pgp\secring.pgp
>
>Some coherent input on the possible impact of this would be appreciated.

Basically the threat model is very simple:

Joe "slightly crypto-savvy pgp user" sixpack keeps his pgp keyring in 
c:\pgp on a dos/w95 box. The average user of any of the unices keeps his 
keyring in /usr/pgp or /usr/local/pgp it does not take a lot of attempts 
to go through most of the common places.

The very same guy probably has a password that is:

A. FRED (notice how close the letters are, this is a real dumb-ass 
password of the century)

B. His wifes name

C. Her birthday

D. The name of his favourite film or some character from it...


Can you say "dictionary attack"???. 

I must admit I personally, against all the rules, keep my pgp secret key 
on this box. This doesn`t worry be greatly because:

1. I have a strong passphrase.
2. This box is only on dialup, so is not connected for long, and I VERY 
rarely use the web anyway, Its too slow, so I prefer ftpmail and ftp for 
getting files. This corresondingly reduces the risk of me having used a 
site that exploited this hole.
3. If I ever have anything to recieve that needs to be really secure I 
use a one time key pair, so even the RSA key is one time. Most PGP mail I 
send or recieve is fairly innocuous and the use of encryption is just 
precautionary, ie. to stop nosy sysadmins.

What it basically comes down to is that Joe Sixpack, the guy most likely 
to have his key compromised by this attack, is:

1. Not likely to be sending valuable enough mail to expend time mounting 
even a simple dictionary attack on his key.

2. The least likely to know about, understand or respond to this flaw.


So basically the threat is the usual one: The stupid will get caught. If 
you are sending highly criminal mail your key shouldn`t be on any machine 
not 12 feet underground in a concrete bunker with 24 hour fully trusted 
security guards, CCTV etc. etc. anyway.

        Datacomms Technologies data security
       Paul Bradley, Paul at fatmans.demon.co.uk
  Paul at crypto.uk.eu.org, Paul at cryptography.uk.eu.org    
       Http://www.cryptography.home.ml.org/
      Email for PGP public key, ID: FC76DA85
     "Don`t forget to mount a scratch monkey"







More information about the cypherpunks-legacy mailing list