Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Netscape password scrambling
From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Mon, 20 Dec 1999 12:13:17 -0500

More importantly, some people have claimed that the entire password
saving issue is a red herring since there is no way to protect a
secret on the host.

I don't think I've said so, but I agree with those "some people".

This criticism is worth thinking about more carefully.  We suggest
that Netscape "raise the bar" by using triple-DES and hiding key
material for the cipher throughout the code.  But can't you just
apply some clever SoftICE to find the key?  Of course you can!  Doing
so requires much more sophistication than simply cracking a "magic
decoder ring" scrambler, however.

Yeah...but it doesn't need to be done but once.  Once someone does it
and the key is known, decrypting a crypted password is a total
no-brainer.  (Exploiting some of the subtler security holes requires a
degree of sophistication, too - but once exploit code is written,
*using* it is typically well within the reach of even the
point-and-drool crowd.)

The only way this would be of any use is if a new random[%] key is
generated for each install.  Never having installed Netscape, I don't
know whether their install procedure is such that this is feasible.
But it does seem to me to be the only way to actually do anything of
the sort - then the attacker needs to steal the relevant key material
from wherever the install procedure stashed it (inside the executable,
perhaps?) as well as stealing the file with the encrypted password.

[%] And it needs to be at least semi-decently random, too - a trivial
    massaging of something the attacker can trivially discover Just
    Won't Do.

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]