Security Hole In Netscape's Web Server?

Martin Hamilton martin at mrrl.lut.ac.uk
Wed Sep 20 04:17:55 EDT 1995 

Richard Rinehart writes:

| I think it's also the case that secure software they sell to people outside
| the US is not quite as secure as that sold in the US, because of American
| export law which views hard encryption software as a form of "munitions"
| (see the controversy over PGP). Whether the software is just less secure,
| or they use different methods of securing foreign software, I'm not sure.

There's some info at ... <URL:http://www.c2.org/hacknetscape/>

Normally the approach taken is to weaken the security of the 
cryptographic algorithm by limiting the key length - the key is the 
secret number the person who receives the encrypted message needs to 
know in order to decrypt it.  The "export" version of Netscape uses 
40 bit keys, which are small enough numbers that all the possible 
keys can be tried out by a single individual without access to any 
special computing power - a lab/office full of PCs will do fine, for 
instance!  (75Mhz Pentium -> over 10,000 keys/second)

With each extra bit of key length, the number of possible keys 
doubles, so 128 bit keys (the US version of Netscape) are 
significantly stronger than 40 bit keys.  Having said that, they're 
still within easy reach of an organization with a _lot_ of computer 
power at its disposal - e.g. the National Security Agency.  Good 
thing they're on our side, right ? :-)

A more realistic key length would be 1024 bits, or 2048 bits if you 
can get it - e.g. as found in PGP.  The longer the better!!

In Netscape's case, this business about key length is a bit academic 
- the coding bug in their random number generator makes the key 
length issue pale into insignificance.  25 seconds to crack your 
message!

| Still, unless I'm entirely incorrect about which story you read, the only
| reason to shut down your server is if most of your server functions are for
| forms-posted sensitive info gathering. (If it's not all your server does,
| you could just disable those particular pages temporarily)

Depends what sort of information you're exchanging in those "secure" 
transactions!  e.g. credit card numbers vs. user names and passwords 
... :-((

| I do not believe folks can just hack into your Server's Hard Drive because
| of this, and even if they could - do you have sensitive info on your public
| server....? Not a judgement, just a consideration. If you can store as much
| sensitive info OFF your public server for as much of the time as possible,
| you'll rest easier. Dedicated public and private servers are a good start
| toward secure enterprise computing, if it's possible for you.

And remember to always run Word with macros disabled!

Cheerio,

Martin

More information about the Web4lib mailing list