[10243] in bugtraq
Re: Netscape 4.5 vulnerability
daemon@ATHENA.MIT.EDU (Juha =?iso-8859-1?Q?J=E4ykk=E4?=)
Fri Apr 16 15:17:16 1999
Date: Fri, 16 Apr 1999 09:04:31 +0300
Reply-To: Juha =?iso-8859-1?Q?J=E4ykk=E4?= <juolja@UTU.FI>
From: Juha =?iso-8859-1?Q?J=E4ykk=E4?= <juolja@UTU.FI>
X-To: paaa@UIC.NNOV.RU
To: BUGTRAQ@NETSPACE.ORG
> Not like a DES , this encryption can be decrypted. As a result of man=
y
> experiments i wrote this program. It gives me almost all passwords in=
my
> system, because all people use Netscape.
Blast it. It does not matter even if you used TwoFish, BlowFish or
IDEA! The passwords saved in the preferences file would still be easily
decrypted.
People seem to be forgetting a very important point here: the
encryption password must be internally stored somewhere because the use=
r
never gets asked for it. Thus it is not never necessary to "crack" the
passwords because we can always use the original password.
I see this same line of thought here every now and then: people repor=
t
"bugs" like this while they are indeed vulnerable by design. There is n=
o
secure way of storing a password and recalling it without asking the
user for some kind of passphrase. Please someone correct me, if I'm
wrong at this. I know of no such cryptosystem.
The method of saving only a hash won't work here since the actual
password is needed in order to access the pop server.
While I'm at it, has Netscape corrected the imap password saving
behaviour yet? Up to, and including, communicator 4.5 the imap password=
s
got stored to the preferences file regardless of the setting "Remember
my password". I have disallowed write access to my prefs.js file to
prevent the imap password from being stored but it's quite frustrating
to change the permissions every time I need to turn Javascript on to
view some darn page that doesn't work without.
--
Juha J=E4ykk=E4, juhaj@iki.fi
PS See http://www.dcs.ex.ac.uk/~aba/rsa/ for latest version of RSA in
perl.
Here goes the RSA code in two lines:
print pack"C*",split/\D+/,`echo
"16iII*o\U@{$/=3D$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|d=
c`
