[902] in WWW Security List Archive
Re: Netscape's purported RNG
daemon@ATHENA.MIT.EDU (Harald.T.Alvestrand@uninett.no)
Fri Sep 22 06:46:35 1995
From: Harald.T.Alvestrand@uninett.no
To: efrank@ncsa.uiuc.edu (Beth Frank)
cc: www-security@ns2.rutgers.edu
In-reply-to: Your message of "Thu, 21 Sep 1995 09:26:18 CDT." <9509211426.AA29930@void.ncsa.uiuc.edu>
Date: Fri, 22 Sep 1995 09:35:20 +0200
Errors-To: owner-www-security@ns2.rutgers.edu
As I know from being on the sidelines during X.400 conformance testings,
*any* test will only catch the errors the tester has thought of.
Security bugs like this one CANNOT be discovered by a "black box" test;
it would be impossible for a reasonable (?) standardized test to reverse-
engineer the random-number generation mechanism of Netscape.
OTOH, the NCSA HTTPD server might have been caught by a standard test
- IF there was a maximum valid URL length defined (someone mentioned today
on http-wg sending 30K of data in a GET URL......), AND the tester was using
a large enough data item, AND interpreted the resulting crash as something
other than a valid rejection notice. (Lots of IFs there....)
Tests might just contribute to false security.
Harald A
