Implementation Flaws: A Litany of Bugs
Most web browsers implement a security policy that is designed to protect the user from both malicious eavesdropping and hostile web pages. Unfortunately, bugs in the browser can effectively subvert such a policy, leaving the user open to those attacks.
Throughout 1995, Netscape’s early browsers were subject to a high degree of scrutiny. Often, reports of these bugs appeared on the front pages of major daily newspapers, rather than the academic press. The public’s confidence in Netscape Navigator’s security was so shaken, in fact, that Netscape announced that it would pay users up to $1000 for each bug that was discovered. Netscape’s theory was that the increased scrutiny that its product received as a result of the bounty program would make the product more secure. Netscape has also made its source code available on some occasions to academics involved in security-related research.
Here are some of the more important bugs that were discovered in Netscape Navigator:
In September 1995, Ian Goldberg and David Wagner, two graduate students at the University of California at Berkeley working with professor Eric Brewer, discovered a flaw in the way that the UNIX version of the Netscape Navigator generated random numbers. Instead of seeding the random number generator with a number that was unpredictable, such as the user’s mouse motions, programmers at Netscape had decided to use the computer’s time-of-day clock, the Navigator’s process number, and ...
Get Web Security and Commerce now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
