Netscape's Internet Software Contains Flaw That Jeopardizes Security of Data
By JARED SANDBERG
Staff Reporter of The Wall Street Journal

A serious security flaw has been found in Netscape Communications Corp.'s Internet software, jeopardizing sensitive financial data, such as credit-card numbers, that users pass over the global computer network. The company acknowledged the flaw and said it is issuing a software fix. But as is often the case with Internet security, it may take time for users to adopt the fix, leaving them vulnerable in the meantime.

"It's a very big trapdoor," said Dietrich Kappe, a partner with Red Planet L.L.C., a Chicago Internet consulting firm. "You can drive a truck through it. Somebody goofed" at Netscape, he added.

The breach presents a problem for Netscape, which produces the most popular software for browsing the World Wide Web, the multimedia portion of the Internet where businesses are setting up electronic storefronts to sell goods and services. Netscape has captured roughly 75% of the "browser" market, reaching roughly eight million people, who use the Netscape product to browse the Web and make credit-card purchases. The breach also underscores the persistent security problems that have plagued the Internet and forestalled electronic commerce.

Netscape's software uses so-called symmetric-key cryptography to scramble sensitive data so that they are unreadable by hackers snooping on the network. The key is a secret number so large that finding it by trial and error is impractical, even with powerful computers. But the key is produced by a random-number generator, and that generator is started from information an eavesdropper can observe or guess, such as the time of day and the identification numbers of the browser's running processes. The result is that Netscape's software effectively picks its key from only about two-to-the-30th-power possibilities, or roughly one billion, a number a computer can run through in a matter of minutes.
But on Sunday night, two graduate students at the University of California at Berkeley posted a message to the Internet's "Cypherpunks" mailing list, a group of mathematicians and programmers who discuss the science of cryptography. In the electronic missive, they said that the random number that generates the mathematical key was "fairly trivial to guess" and that the key "usually takes less than one minute to find." Rather than try to break the encryption key by brute force, the two graduate students examined the so-called "random number generator" and discovered that its output isn't so random: anyone who can guess the values the generator starts from can reproduce the key. It took the two students, Ian Goldberg and David Wagner, two days to identify the vulnerability and write a software program that could guess the encryption key in less than one minute.

Netscape's software, said Mr. Goldberg, 22 years old, "is not as good as people thought, which is probably worse than no security" since people have a false sense of security as they enter payment details.

"The information we were using to create the key is now a known set of information," said Jeffrey Treuhaft, security product manager for Netscape. "We feel it's important to let our consumers know," he said, adding that the company will post a warning on its own Web site.

"It's a serious hole, but it can easily be corrected," said James Bidzos, president of RSA Data Security Inc., which licenses security technology that Netscape incorporates in its system. Netscape said it plans to have a software fix to resolve the problem available for downloading over the Internet by the end of this week. RSA's Mr. Bidzos said his company offered to review Netscape's security when it first introduced its browser, but Netscape declined. "They're asking us to review it this time," he said.

A month ago, a student at France's Ecole Polytechnique cracked a message protected by the weaker encryption system that U.S. export policy forces Netscape to use in the foreign version of its Navigator software. To break the code, the student used 120 computer workstations and two supercomputers working for eight days to try every possible key of the so-called 40-bit encryption system; the number refers to the length of the encoding "key" used to scramble data. Netscape sells a far stronger version of its software that uses 128-bit keys, but the government prevents it from distributing that version over the Internet, where it could be downloaded abroad. The government fears that such strong encryption could fall into the hands of terrorists who might use it to communicate without fear of being tapped by U.S. security agencies. Security experts noted, however, that the newly found flaw affects the stronger software as well: a 128-bit key offers no protection if the values from which it is generated can be guessed.
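The seed-guessing attack the article describes, modeled in working Python as an added example (this is neither Netscape's code nor the Goldberg-Wagner program). The "browser" side derives a session key from the time of day in seconds and microseconds plus two process IDs, the kind of seed material the published analysis of the flaw identified; the "eavesdropper" side recovers the key by enumerating the microsecond field and checking each candidate against a known plaintext prefix. The MD5 mixing step, the SHA-256 keystream standing in for RC4, the order message, the timestamp and the process IDs are all constructed stand-ins, not values from the real browser.

```python
import hashlib
import math
import struct


def derive_key(seconds: int, usec: int, pid: int, ppid: int) -> bytes:
    """Victim side.  Fold the seed material into a 128-bit session key.
    Every input is observable or guessable: the time to the second is on
    the wire, microseconds take only a million values, and process IDs
    are small numbers.  MD5 here is a stand-in for the browser's mixing."""
    seed = struct.pack(">IIII", seconds, usec, pid, ppid)
    return hashlib.md5(seed).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream, standing in for the browser's RC4."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", block)).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


decrypt = encrypt


def search_space_bits(usec_choices: int = 1_000_000, pid_choices: int = 1,
                      ppid_choices: int = 1) -> float:
    """Effective strength: log2 of the number of seeds the attacker must
    try, which is far below the 128 bits of the key itself."""
    return math.log2(usec_choices * pid_choices * ppid_choices)


def recover_key(ciphertext: bytes, known_prefix: bytes, seconds: int,
                pid: int, ppid: int, usec_range=range(1_000_000)):
    """Attacker side.  Knowing the second the key was made (from packet
    timing) and guessing the process IDs, enumerate the microsecond field
    and keep the candidate that decrypts a known plaintext prefix (for
    instance the fixed opening bytes of a protocol message).
    Returns (key, usec), or (None, None) if the guesses were wrong."""
    n = len(known_prefix)
    head = ciphertext[:n]
    for usec in usec_range:
        candidate = derive_key(seconds, usec, pid, ppid)
        if decrypt(candidate, head) == known_prefix:
            return candidate, usec
    return None, None


def demo(seconds: int = 809_000_000, usec: int = 123_456,
         pid: int = 4242, ppid: int = 1) -> dict:
    """Constructed scenario: a browser makes a key at a given instant and
    encrypts an order; an eavesdropper who saw only the ciphertext, the
    timestamp and the leading 'POST ' recovers the whole message."""
    message = b"POST /checkout card=4111111111111111"   # constructed sample
    key = derive_key(seconds, usec, pid, ppid)
    ciphertext = encrypt(key, message)
    found, found_usec = recover_key(ciphertext, b"POST ", seconds, pid, ppid)
    return {
        "key_bits": len(key) * 8,
        "seed_bits": search_space_bits(),
        "recovered": found == key,
        "usec_guessed": found_usec,
        "plaintext": decrypt(found, ciphertext) if found else None,
    }


if __name__ == "__main__":
    result = demo()
    print(f"nominal key length: {result['key_bits']} bits")
    print(f"seeds to try: about 2^{result['seed_bits']:.1f}")
    print(f"key recovered: {result['recovered']} (usec={result['usec_guessed']})")
    print(f"decrypted: {result['plaintext']!r}")
```

The point the numbers make: the key is nominally 128 bits, but the search runs over about 2^20 microsecond values (around 2^50 if the attacker must also guess two 15-bit process IDs), and a single known-plaintext check confirms each guess. Padding the key to 128 bits, or even to 40 bits, changes nothing when the seed is that small; the fix is to seed from sources the eavesdropper cannot observe.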