From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: b35a86a8ebf31bc3bfc4f78697cfc45147205939b9d8537c521f49f5128214ed
Message ID: <199509190300.XAA05027@pipe4.nyc.pipeline.com>
Reply To: N/A
UTC Datetime: 1995-09-19 03:35:19 UTC
Raw Date: Mon, 18 Sep 95 20:35:19 PDT
From: John Young <jya@pipeline.com>
Date: Mon, 18 Sep 95 20:35:19 PDT
To: cypherpunks@toad.com
Subject: NYT on Netscape Crack
Message-ID: <199509190300.XAA05027@pipe4.nyc.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain
The New York Times, September 19, 1995, pp. A1, D21.
Security Flaw Is Discovered In Software Used in Shopping
By John Markoff
San Francisco, Sept. 18 -- A serious security flaw has been
discovered in Netscape, the most popular software used for
computer transactions over the Internet's World Wide Web,
threatening to cast a chill over the emerging market for
electronic commerce.
The flaw, which could enable a knowledgeable criminal to
use a computer to break Netscape's security coding system
in less than a minute, means that no one using the software
can be certain of protecting credit card information, bank
account numbers or other types of information that Netscape
is supposed to keep private during on-line transactions.
The weakness was identified by two first-year graduate
students in computer science at the University of
California at Berkeley, who published their findings on an
Internet mailing list Sunday evening.
Although the Netscape Communications Corporation, which
produces the software, said today that the flaw could be
fixed and that new copies of the software would be
distributed as early as next week, Internet experts said
the discovery underscored the danger of assuming that any
computer security system was safe.
"There needs to be much more public auditability in the way
these financial security systems are designed and
implemented," said Eric Hughes, president of Open Financial
Networks, a company in Berkeley that is developing Internet
commerce systems.
The Netscape software is already used by an estimated eight
million people for navigating the World Wide Web portion of
the Internet. On the Web, thousands of companies offer
text, images, video and audio information, much of it as a
way of advertising or directly selling goods and services.
Because the Netscape software is not only easy to use but
has also been promoted as a secure way of dealing with
personal and financial information, it has been seen as the
emerging de facto standard for on-line commerce.
Already, a diverse group of companies -- including Wells
Fargo Bank, MCI Communications, Internet Shopping Network
and Virtual Vineyards -- have adopted Netscape as the
vehicle for checking bank balances, catalogue shopping or
buying wine on line.
Although Internet experts agreed with the company's
assessment that the flaw could be fixed and that it posed
no risk to people who use the World Wide Web only to
retrieve nonsensitive data, the security problem's
disclosure may represent a public relations setback for
Netscape Communications and an inconvenience to millions of
people who may feel a need to replace the version of
Netscape installed on their computers. Last month the
company's shares began public trading and had one of the
most successful first days in Wall Street's history,
largely on the resounding popularity of the Netscape
software.
Today, as word of the security flaw circulated only within
fairly small circles of Internet users, Netscape's stock
closed with a slight loss, down 75 cents, to $52.50, in low
Nasdaq trading volume.
The company said it would release a repaired version of the
software within a week. Users will be able to download it
free over the Internet, through the Netscape site on the
World Wide Web (http://home.netscape.com).
The company had previously announced a next-generation
version of Netscape that it said would be more secure than
the original, and it said today that it would release this
updated version within the next few weeks. But first it
will remove the newly disclosed flaw, which is currently in
the new version.
"The good news and the bad news of the Internet is that
when you put something up there, many more people can test
it," said Mike Homer, the vice president of marketing at
Netscape. "You also give yourself the opportunity of having
people point things out which you can fix quickly."
The company so far has distributed most copies of its
program free over the Internet, under a strategy of making
its money from commercial customers who use Netscape to
provide services or for other business applications over
the World Wide Web. So replacing the copies will not be an
expensive undertaking.
Instead, for Netscape Communications and for other
companies betting their futures on the Internet, the real
cost of this disclosure may be in the public's shaken
confidence in the ability of computer companies to insure
privacy and security for on-line commerce.
The weakness in Netscape's security was discovered by Ian
Goldberg, 22, and David Wagner, 21, two computer science
students who share an office at the university and who also
share an interest in the arcane science of cryptography,
which is becoming increasingly important for business as
companies begin to explore electronic commerce.
The two students said they had decided to put the software
to a test in an effort to raise public concern about
placing too much trust in unproved electronic security
systems.
Netscape's security is based on a type of coding technology
known generically as public key cryptography in which users
exchange mathematically generated numbers -- or keys -- to
encode or decode information. In such systems, a new key is
created for each information exchange, based on a
mathematical formula that is combined with numbers
supposedly known only to the sender or recipient.
The students found that by determining how Netscape's
formula generated the number used as a starting point for
creating a key, they were able to greatly reduce the
potential combinations that would unlock the code. The
starting-point number turned out to be based on the time
and date of the transaction, combined with several other
unique bits of information taken from a user's computer
system -- bits of information that an electronic intruder
could determine, if he were intent on intercepting a
Netscape user's transactions.
Knowing how the starting-point number was created greatly
reduced the other possible components of the formula -- and
the students found they were able to break the code in a
matter of seconds using a standard computer work station.
Netscape officials said today that they would strengthen
the system, by making it significantly harder to determine
the random number at the heart of their coding system. They
said they would no longer disclose what data would be used
to generate the random numbers.
The announcement of the flaw was posted Sunday night on a
computer network mailing list maintained by an informal
group known as Cypherpunks. The group, which is made up of
mathematicians, computer experts and privacy advocates, has
been campaigning for more effective electronic security
systems.
The discovery is the second reported security weakness in
the Netscape program to be posted on the Cypherpunks list
in the last month. In August, Damien Doligez, a student at
the Ecole Polytechnique in Paris, used a network of 120
computers, running for eight days, to generate a Netscape
secret key. But his was a "brute force" attack, requiring
the computers to sample a vast range of numbers before
coming up with a key that would break the code.
The Berkeley students, in contrast, by identifying a basic
flaw in the way Netscape set up its security system, were
able to narrowly focus their attack to quickly break the
code, with far less computer power.
[End]
Return to September 1995
Return to “Thomas Grant Edwards <tedwards@Glue.umd.edu>”