[9634] in bugtraq
Re: Possible Netscape Crypto Security Flaw
daemon@ATHENA.MIT.EDU (Pete Krawczyk)
Thu Feb 18 15:39:51 1999
Date: Tue, 16 Feb 1999 11:07:05 -0600
Reply-To: Pete Krawczyk <pkrawczy@UIUC.EDU>
From: Pete Krawczyk <pkrawczy@UIUC.EDU>
X-To: Haze <Haze@BEER.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <36C790EA.DE208E89@beer.com>
At 09:13 PM 2/14/99 -0600, Haze wrote:
>Well
>then the cracker could perform a brute force crack on the encryption and
>attempt to gain access to the Regular Joe A's ISP and/or pop3 e-mail
>account...

To get to the POP3 account, you'd only need to put the password in a
registry key of your own, then check the mail. I would imagine that the
key to encrypt is the same across all copies of Netscape.

Along those lines, if you had a sniffer next to the computer you put the
encrypted password on, you could sniff the real password in transit and
thus not have to brute force attack the password, since POP3 is cleartext
traffic.

-Pete K
--
Pete Krawczyk http://www.uiuc.edu/ph/www/pkrawczy/
pkrawczy at uiuc dot edu Finger the 2nd address for PGP Public Key
petek at bsod dot net "No spammies, no spammies, no spammies... stop!"
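
Added example, not part of the original message: a small audit that classifies a POP3 session by how the login secret crossed the wire, which is the exposure the message points to regardless of how the client stores the password at rest. The transcripts are constructed, and the APOP and STLS cases are standard POP3 mechanisms (RFC 1939, RFC 2595) that the post itself does not mention.

```python
# Constructed POP3 transcripts as (direction, line); not real captures.
PLAIN = [("S", "+OK POP3 ready"), ("C", "USER joe"), ("S", "+OK"),
         ("C", "PASS example-password"), ("S", "+OK 2 messages")]
APOP = [("S", "+OK POP3 ready <1.2@mail.example>"),
        ("C", "APOP joe 0123456789abcdef0123456789abcdef"),
        ("S", "+OK 2 messages")]
STLS = [("S", "+OK POP3 ready"), ("C", "STLS"), ("S", "+OK begin TLS")]
STLS_REFUSED = [("S", "+OK POP3 ready"), ("C", "STLS"),
                ("S", "-ERR not supported"), ("C", "USER joe"), ("S", "+OK"),
                ("C", "PASS example-password"), ("S", "+OK 2 messages")]


def audit_pop3(transcript):
    """Classify how the login secret crossed the wire in one session."""
    pending_stls = False
    for direction, line in transcript:
        words = line.strip().split()
        if not words:
            continue
        if direction == "S":
            if pending_stls and words[0] == "+OK":
                return "tls-upgrade"      # everything after this is ciphertext
            pending_stls = False          # STLS refused: session stays plain
            continue
        verb = words[0].upper()
        if verb == "STLS":
            pending_stls = True
        elif verb == "APOP" and len(words) == 3:
            return "digest-only"          # MD5 digest sent, not the password
        elif verb == "PASS" and len(words) >= 2:
            return "cleartext-password"   # readable by anyone on the path
    return "no-login-seen"


def report(sessions):
    """Map session name to finding without echoing any credential."""
    return {name: audit_pop3(t) for name, t in sessions.items()}


if __name__ == "__main__":
    found = report({"plain": PLAIN, "apop": APOP, "stls": STLS,
                    "stls_refused": STLS_REFUSED})
    for name, finding in found.items():
        print(f"{name}: {finding}")
```

The `stls_refused` case shows why a client that falls back silently after a rejected STLS is no better off than one that never asked for TLS.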