Security Hole In Netscape's Web Server?

Richard Rinehart rinehart at uclink2.berkeley.edu
Tue Sep 19 20:57:35 EDT 1995


>
>My understanding is that it's only the SSL secure transaction module that
>got cracked.  Netscape is understandably not sharing any more details
>about the problem than they have to, but they do have some news up at
>http://www.netscape.com/newsref/std/random_seed_security.html

This was my understanding of the security breach too: that someone had
hacked through the secure client transaction mode (the one that secures
forms-posted information given to the server, i.e. credit card numbers in
online order forms).
This is not the same as someone being able to hack through the Server
software and get at the files ON your WWW server machine (the two are
related, but they said the latter was almost certainly not compromised).

I think it's also the case that secure software they sell to people outside
the US is not quite as secure as that sold in the US, because of American
export law which views hard encryption software as a form of "munitions"
(see the controversy over PGP). Whether the software is just less secure,
or they use different methods of securing foreign software, I'm not sure.

Still, unless I'm entirely incorrect about which story you read, the only
reason to shut down your server is if most of your server functions are for
forms-posted sensitive info gathering. (If that's not all your server does,
you could just disable those particular pages temporarily.)

I do not believe folks can just hack into your server's hard drive because
of this, and even if they could - do you have sensitive info on your public
server...? Not a judgement, just a consideration. If you can store as much
sensitive info OFF your public server for as much of the time as possible,
you'll rest easier. Dedicated public and private servers are a good start
toward secure enterprise computing, if it's possible for you.

Hope this helps, but indeed if we are off base, and you have read another
story, please give us a full cite of it, as it would be most important.
Thanks!

Richard Rinehart              | University Art Museum / Pacific Film Archive
Systems Manager & Education   | University of California at Berkeley
Technology Specialist         | 2625 Durant, Berkeley, CA 94720-2250
rinehart at uclink2.berkeley.edu | http://www.uampfa.berkeley.edu/

More information about the Web4lib mailing list