Netscape (in)Security (problems)

Although Netscape Communications has heavily advertised the great security its browser provides, recent independent investigations have proven the contrary (see the notes to learn how the situation has improved or should improve):

Brute force attacks

Brute-force attacks on the 40-bit export key: see Damien Doligez' page (it has a lot of pointers to related subjects, like security, ITAR, privacy, crypto,... Have a look!) or the Cypherpunks brute cracking page.

Note 1: This weakness (a very short key length), which allowed those particular attacks, is imposed on Netscape by the stupid US ITAR regulation. So the situation could improve if strong crypto (good software, large keys, no escrow) finally becomes legal... It's up to YOU!

``Smart'' force attacks

Recently (Sun, 17 Sep 1995 21:41 PDT), Ian Goldberg <iang@cs.berkeley.edu> and David Wagner <daw@cs.berkeley.edu> pointed out a big weakness in the Netscape 1.1 random number generation code that allows keys to be cracked within seconds! (Note that keeping the source code secret didn't improve security. On the contrary: there is no security through obscurity!) See also the Randomness Recommendations for Security (RFC 1750, 72 kbytes text file).

Note 2: This weakness was due to bad programming (and IMO bad policy, in trying to achieve security through obscurity), but it is in a sense only a ``bug'', and Netscape promised to fix it and to have the code examined by experts. So maybe we will have good common-use crypto software some day... Note that free implementations with source available (such as PGP or free SSL from Leay,...) are probably even better and safer.

More bugs...

Ray Cromwell <rjc@clark.net> found out that Netscape 1.1 does not cope at all with long host names in URLs. If you have Netscape: Click Here to Crash your copy immediately (you've been warned). (I've determined that the limit is 356 bytes long on hpux, slightly more on SunOs and Windows.)

Or, funnier, follow this link to see my Animated Crash! (client pulled).
(This does not `work' if you use a proxy/cache configuration (check the preferences/proxies in the options menu) or the newest Netscape.)

This problem is potentially very dangerous, because you might be able to make Netscape execute anything by appropriately trashing its stack (instead of causing the simple crash you can experience above). A demonstration is being worked on...
Note that a lot of other browsers share this bug (Lynx, Arena, Mosaic,...) and that you might crash your proxy server too by following those URLs!
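
The fix for this bug class is to check the host name's length before copying it. The following is an added example, not Netscape's code (which this page does not show); the function name, status codes and the 255-byte cap are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define HOST_MAX 255  /* assumed cap: a DNS name fits in 255 octets (RFC 1035) */
enum { HOST_OK = 0, HOST_NO_SCHEME = -1, HOST_EMPTY = -2, HOST_TOO_LONG = -3 };

/* Bug class, for contrast (comment only, not compiled):
 *     char host[256];
 *     strcpy(host, host_start);    unchecked: a long host name overruns the stack
 */

/* Copy the host of `url` into out[outsz]. Never writes past out[outsz-1];
 * over-long hosts are rejected, not truncated. IPv6 literals are not handled. */
int extract_host(const char *url, char *out, size_t outsz)
{
    const char *p, *at;
    size_t auth_len, len;
    if (out == NULL || outsz == 0)
        return HOST_TOO_LONG;
    out[0] = '\0';
    p = strstr(url, "://");
    if (p == NULL)
        return HOST_NO_SCHEME;
    p += 3;
    auth_len = strcspn(p, "/?#");            /* authority = [user@]host[:port] */
    at = memchr(p, '@', auth_len);
    if (at != NULL) {                        /* skip optional userinfo */
        auth_len -= (size_t)(at + 1 - p);
        p = at + 1;
    }
    for (len = 0; len < auth_len && p[len] != ':'; len++)
        ;                                    /* host ends at ':' or authority end */
    if (len == 0)
        return HOST_EMPTY;
    if (len > HOST_MAX || len >= outsz)
        return HOST_TOO_LONG;                /* refuse instead of overflowing */
    memcpy(out, p, len);
    out[len] = '\0';
    return HOST_OK;
}

int main(void)
{
    char url[512] = "http://", host[HOST_MAX + 1];  /* constructed test URL */
    memset(url + 7, 'a', 400);                      /* 400-byte host name */
    strcpy(url + 407, "/index.html");
    printf("long host -> %d\n", extract_host(url, host, sizeof host));
    printf("normal    -> %d\n", extract_host("http://www.example.com/", host, sizeof host));
    return 0;
}
```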

See the New York Times article or the Wall Street Journal's about that new bug.

New (false) alert!

It seemed from a (bad) interpretation of a talk by Netscape's head that Netscape might support compulsory key escrow, that is, in short, they might help governments to spy on all your private communications.

Learn more here!

Netscape finally released a statement that looks good: Netscape official position. Congrats!


JavaScript attacks


You can use other browsers, or...

For the first problem, see the ITAR pages for fixes (that is, lobbying to allow through privacy)...

Netscape fixed the last two bugs, so if you have a Netscape copy older than Sept 95 (i.e. 0.9, 1.0, 1.1 for all platforms or 1.2beta for Windows), then get the latest here! (slow Netscape pages) or directly by FTP from the Swedish mirror (ftp.sunet.se:/pub/www/Netscape/netscape) if you are in Europe.

You might want to have a look at http://http.cs.berkeley.edu/~gauthier/endpoint-security.html for a discussion of other kinds of attacks...

Maintained/© by dl, last change Jul 22nd 1996.
