A flaw discovered in the encryption system used by the Netscape Navigator browser to protect e-mail passwords could seriously impact businesses using older versions of the browser, which are vulnerable to remote password theft. The current 4.7 version of Navigator has plugged the security hole, but potential password decoders might still be able to read passwords if they have physical access to a machine.
Chris Saito, senior director for product management at Netscape, said the ability to save passwords on machines is offered as a convenience and users concerned about the strength of password encryption should physically secure their machines and enter their passwords each time they log on to their e-mail.
Saito acknowledged that older versions of the Netscape browser, 4.0 and 4.04, are vulnerable to an exploit using the JavaScript language, which allows an encrypted password to be retrieved remotely by a rogue Web site. He said that while patches exist to fend off the attack, Netscape advises users to upgrade to the new 4.7 version of the browser, which fixes the security hole and upgrades the base cryptography from 40- to 56-bit keys.
According to Gary McGraw, chief technology officer at Reliable Software Technologies, engineers at his company needed just eight hours to break the algorithm used to secure Netscape mail passwords. He said engineers were writing a tool to look for information on keys and other sensitive material on the hard drive and tested it on the Netscape Windows Registry file, which stores password and other user information.
"In order for a Netscape mail program to be decoded, a small program must run on the computer where the password is saved," RST said in a statement. "The lack of any real security in Windows 95/98 makes exploiting this particular flaw in Netscape particularly easy."
McGraw noted that if a malicious intruder accessed a Netscape mail password, they could reverse-engineer the algorithm, determine the password and maliciously spoof the individual's mail or gain access to other secured machines the individual accesses with the same password. "This could have a real impact on the manufacturers and the people deploying the software," McGraw said.
Saito said Netscape has no immediate plans to change the algorithm that protects the password and instead wants users to make sure they physically secure their machines. He said Netscape needs to do better education about its user interface. "The intention here is to prevent casual access to the password," said Saito of the algorithm. "It's not so much an issue about the algorithm, it's about physical security because someone has to get access to your machine."
Saito added that although the Netscape software allows users to save their passwords to the registry as a convenience, it isn't the default setting and users can disable the preference. He advised users to enter their password each time they access their e-mail account and store the password in their head, not on their hard drive. "There are big companies that store information in the registry in plain text -- including passwords for other applications, not just ours," said Saito. "If it's confidential information, don't save the passwords."
Saito said Netscape is interested in eventually changing the password-protection algorithms. "We would be very interested in improving security overall, and this is one way of improving security in future versions of the product," Saito said.