From: jcaldwel@iquest.net (James Caldwell)
Date: Sun, 17 Sep 95 22:42:15 PDT
To: cypherpunks@toad.com
Subject: Re: Netscape SSL implementation cracked!
In-Reply-To: <305d030d0527002@noc.cis.umn.edu>
Message-ID: <m0suYvx-00063jC@dorite1.iquest.net>
MIME-Version: 1.0
Content-Type: text


Kevin L Prigge wrote:
 
 A little birdie told me that Ian Goldberg said:

 > What we discovered is that, at least on the systems we checked (Solaris
 > and HP-UX), the seed value for the RNG was fairly trivial to guess by
 > someone with an account on the machine running netscape (so much so
 > that in this situation, it usually takes less than 1 minute to find
 > the key), and not too hard for people without accounts, either.
 
/ Makes one wonder what the seed is on a Windows implementation...
/ If it's only the time, you can probably approximate what the
/ clock is set to within a couple of minutes (if the timezone of the
/ client is known). 
 
Hah! Like a Cmos clock can *ever* keep a consistant time for more than
two minutes...