[899] in WWW Security List Archive

Re: What's the netscape problem

daemon@ATHENA.MIT.EDU (Chuck Yerkes)
Thu Sep 21 22:11:11 1995

From: "Chuck Yerkes" <yerkes_chuck@jpmorgan.com>
Date: Thu, 21 Sep 1995 19:07:35 -0400
In-Reply-To: "Bob Denny" <rdenny@netcom.com>
        "Re: What's the netscape problem" (Sep 20,  9:05am)
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

First, I do not speak for my client.  I am a consultant and write here
only as an individual...

The basic problem is ITAR.

We can do security.  We can do it well.  We need the US Gov't (and
France and such) to realize that they are limiting THEIR own countries'
businesses by these laws.

How long before a company keeps developers in the Bahamas to write
secure code, integrate it with the rest of the application (written
domestically) and sell it as a US import?

Are companies getting anywhere with getting this repealed?  It's got to
be limiting Microsoft, and they've got thousands of idle lawyers (if
only it was a problem for Disney ;-)

chuck
----------------------------------------------------
Chuck Yerkes                 chuck@yerkes.com
Consultant                   cute sig here

On Sep 20,  9:05am, Bob Denny wrote:
> Subject: Re: What's the netscape problem
> On Sep 20,  7:51, Marc VanHeyningen wrote:
> > The interesting part of this article is the discussion of random seed
> > weaknesses on the *server* side.  If true, this means anybody could use
> > the random-seed hole to reverse engineer the process by which the
> > server's private key information was generated and break that keypair
> > with much, much, much less effort than would normally be needed to factor
> > a 512-bit RSA key.
> 
> My God... They couldn't have been _that_ sloppy. I feel fairly certain
> that they used the RSA BSAFE library, and hopefully the RNG that comes
> with it, for the RSA keypair generation. But maybe they didn't seed it
> carefully either.
