1995-09-20 - Re: SSL implementation problem at Netscape

Header Data

From: jsw@neon.netscape.com (Jeff Weinstein)
To: cypherpunks@toad.com
Message Hash: 9c8d2699b1dab26dbcf470d5580bda68a820f1a4ee21dac15b285839a279e051
Message ID: <43ork2$70f@tera.mcom.com>
Reply To: <43kki8$os7@charm.magnus.acs.ohio-state.edu>
UTC Datetime: 1995-09-20 10:50:32 UTC
Raw Date: Wed, 20 Sep 95 03:50:32 PDT

Raw message

From: jsw@neon.netscape.com (Jeff Weinstein)
Date: Wed, 20 Sep 95 03:50:32 PDT
To: cypherpunks@toad.com
Subject: Re: SSL implementation problem at Netscape
In-Reply-To: <43kki8$os7@charm.magnus.acs.ohio-state.edu>
Message-ID: <43ork2$70f@tera.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain


In article <43o47v$fsd@cnn.Princeton.EDU>, dawagner@flagstaff.princeton.edu (David A. Wagner) writes:
> In article <david-1909951219130001@192.0.2.1> from sci.crypt,
> David Sternlight <david@sternlight.com> wrote:
> > If the above is, in fact, accurate it appears to apply to previous
> > versions of Netscape, not the 2.0 versions for which the public beta goes
> > out next week.
> 
> We haven't tried it on v2.0, as we only have a copy of v1.1 right now.
> But the front-page New York Times article today said that the next version
> also has the same flaw, and that it'll be fixed before release.

  First off, Sternlight is not an agent working for Netscape.  :-)

  The same fix that will be going out to patch old versions will be applied
to 2.0 before we do a public beta.  As with any code it will be refined
as necessary before the final release of 2.0.

[ stuff deleted ]

> While we don't yet know exactly how long it would take to break Netscape's
> PRNG in this threat model, I think it's clear that Netscape's current
> implementation is insufficient and insecure.

  Agreed.  See other messages of mine for a more detailed response.

> We don't know about e.g. PC's yet -- this is another area we were still
> working on.  I will note that Netscape didn't try to claim that any version
> was safe from this flaw, for what that's worth...

  Again, see my other messages on this and related topics for more details
of what the code was doing on PC and Mac.

> Hopefully this will be quickly fixed by Netscape, and then we can all stop
> worrying about it! :-)

  Yup.  Then I can get back to working only 16 hours a day.  :-)

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.




