Bugtraq mailing list archives
Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords")
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Thu, 16 Dec 1999 20:01:53 -0800
On Thu, Dec 16, 1999 at 01:33:10PM -0500, Tim Hollebeek wrote:
> In addition, the consequences of this flaw in a Windows environment are substantially different, due to the lack of access controls. As we discussed in the technical summary, while there is no perfect solution to this problem, it would take very little work for Netscape to make future exploits of this type much more difficult. The current position of Netscape, that these sorts of vulnerabilities need not be fixed, is in my opinion rather irresponsible. Software companies have a responsibility to make exploiting their software as difficult as possible, _especially_ in cases like this where the cost to do so is similar to, or less than, the cost of using absurdly weak proprietary cryptography. It is Netscape's responsibility to put the bar at as high a level as is feasible and economical. As Avi Rubin, security expert at ATT Labs, pointed out, in this case Netscape needs to run out and get a bar so they can raise it.
This is a red herring. Local secure storage of secrets in PCs without another secret is not possible. We've had this discussion before on the list in reference to many client applications (including Netscape). If you are using a known key, a better encryption algorithm is useless. Regardless of the algorithm, it's nothing more than obfuscation. For encryption to be of any use you need to encrypt the information you want to maintain secret with yet another secret, but the user does not want to be bothered with remembering another password. That is the reason they ask the client application to remember their password in the first place.

Local secure storage of secrets is a service that needs to be provided by the operating system. In the case of Windows NT you can store them (with some limitations) using the Local System Authority (LSA) API. Under Windows 95/98 there is an API to store secrets using the user's logon password (stores the secrets in .PWL files) but to my knowledge it is not documented by Microsoft (although they allude to it in some early Windows 95 presentation slides). Maybe someone with more knowledge of Microsoft operating systems can confirm?

So given these constraints the best thing Netscape can do is not use any obfuscation at all and store the passwords in plain text. At least this does not give the user any false sense of security.

On a side note, I am surprised this made it into CNN. A dozen more serious vulnerabilities have been found in Netscape and Internet Explorer and they don't even notice, yet they pick up on this rather minor issue. Go figure.
> Tim Hollebeek
> Reliable Software Technologies
--
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
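The known-key argument in the message above, as an added example that is not part of the original post and is not Netscape's code. `EMBEDDED_KEY`, `seal`, `unseal` and `key_from_secret` are hypothetical names, the sample values are constructed, and the HMAC-SHA256 keystream is a standard-library stand-in for a real cipher.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into every copy of a client.
EMBEDDED_KEY = hashlib.sha256(b"constant shipped in the client binary").digest()

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for a real cipher)."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def key_from_secret(secret, salt):
    """Derive the storage key from a secret only the user holds."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def demo():
    password = b"constructed-mail-password"
    # Case 1: known key. Whoever has the client has the key, whatever the cipher.
    known = unseal(EMBEDDED_KEY, seal(EMBEDDED_KEY, password))
    # Case 2: key derived from a second secret that is never written to disk.
    salt = os.urandom(16)
    blob = seal(key_from_secret("user logon secret", salt), password)
    no_secret = unseal(EMBEDDED_KEY, blob)
    wrong_secret = unseal(key_from_secret("guess", salt), blob)
    right_secret = unseal(key_from_secret("user logon secret", salt), blob)
    return known, no_secret, wrong_secret, right_secret

if __name__ == "__main__":
    print(demo())
```

In the first case the stored blob opens for anyone who holds the client; in the second it opens only with the user's secret, which is the extra password the message says users do not want to remember.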