Security Hole In Netscape's Web Server?
Martin Hamilton
martin at mrrl.lut.ac.uk
Wed Sep 20 04:17:55 EDT 1995
Richard Rinehart writes:
| I think it's also the case that secure software they sell to people outside
| the US is not quite as secure as that sold in the US, because of American
| export law which views hard encryption software as a form of "munitions"
| (see the controversy over PGP). Whether the software is just less secure,
| or they use different methods of securing foreign software, I'm not sure.
There's some info at ... <URL:http://www.c2.org/hacknetscape/>
Normally the approach taken is to weaken the security of the
cryptographic algorithm by limiting the key length - the key is the
secret number the person who receives the encrypted message needs to
know in order to decrypt it. The "export" version of Netscape uses
40 bit keys, which are small enough numbers that all the possible
keys can be tried out by a single individual without access to any
special computing power - a lab/office full of PCs will do fine, for
instance! (75Mhz Pentium -> over 10,000 keys/second)
With each extra bit of key length, the number of possible keys
doubles, so 128 bit keys (the US version of Netscape) are
significantly stronger than 40 bit keys. Having said that, they're
still within easy reach of an organization with a _lot_ of computer
power at its disposal - e.g. the National Security Agency. Good
thing they're on our side, right ? :-)
A more realistic key length would be 1024 bits, or 2048 bits if you
can get it - e.g. as found in PGP. The longer the better!!
In Netscape's case, this business about key length is a bit academic
- the coding bug in their random number generator makes the key
length issue pale into insignificance. 25 seconds to crack your
message!
| Still, unless I'm entirely incorrect about which story you read, the only
| reason to shut down your server is if most of your server functions are for
| forms-posted sensitive info gathering. (If it's not all your server does,
| you could just disable those particular pages temporarily)
Depends what sort of information you're exchanging in those "secure"
transactions! e.g. credit card numbers vs. user names and passwords
... :-((
| I do not believe folks can just hack into your Server's Hard Drive because
| of this, and even if they could - do you have sensitive info on your public
| server....? Not a judgement, just a consideration. If you can store as much
| sensitive info OFF your public server for as much of the time as possible,
| you'll rest easier. Dedicated public and private servers are a good start
| toward secure enterprise computing, if it's possible for you.
And remember to always run Word with macros disabled!
Cheerio,
Martin
More information about the Web4lib
mailing list