New York Times, Tues., 19 Sept., 1995, pp A1,C10

Security Flaw Is Discovered In Software Used in Shopping

by John Markoff

SAN FRANCISCO, Sept. 19 - A serious security flaw has been discovered in Netscape, the most popular software used for computer transactions over the Internet's World Wide Web, threatening to cast a chill over the emerging market for electronic commerce.

The flaw, which could enable a knowledgeable criminal to use a computer to break Netscape's security coding system in less than a minute, means that no one using the software can be certain of protecting credit card information, bank account numbers or other types of information that Netscape is supposed to keep private during on-line transactions.

The weakness was identified by two first-year graduate students in computer science.at the University of California at Berkeley, who published their findings on an Internet mailing list Sunday evening.

Although the Netscape Communications Corporation, which produces the software, said today that the flaw could be fixed and that new copies of the software would be distributed as early as next week, Internet experts said the discovery underscored the danger of assuming that any computer security system was safe.

"There needs to be much more public allditability in the way these financial security systems are designed and implemented," said Eric Hughes, president of Open Financial Networks, a company in Berkeley that is developing Internet commerce systems.

The Netscape software is already used by an estimated eight million people for navigating the World Wide Web portion of the Internet. On the Web, thousands of companies offer text, images, video and audio information, much of it as a way of advertising or directly selling goods and services. Because the Netscape software is not only easy to use but has also been promoted as a secure way of dealing, with personal and financial information, it has been seen as the emerging de facto standard for on-line commerce.

Already, a diverse group of companies - including Wells Fargo Bank, MCI Communications, Internet Shopping Network and Virtual Vineyards - have adopted Netscape as the vehicle for checking 'bank balances, catalogue shopping or buying wine on line.

Although Internet experts agreed with the company's assessment that the flaw could be fixed and that it posed no risk to people who use the World Wide Web only to retrieve nonsensitive data, the security problem's disclosure may represent a public relations setback for Netscape Communications and an inconvenience to millions of people who may feel a need to replace the version of Netscape installed on their computers. Last month the company's shares began public trading and had one of the most successful first days in Wall Street's history, largely on the resounding popularity of the Netscape software.

Today, as word of the security flaw circulated only within fairly small circles of Internet users, Netscape's stock closed with a slight loss, down 75 cents, to $52.50, in low Nasdaq trading volume.

The company said it would release a repaired version of the software within a week. Users will be able to download it free over the Internet, through the Netscape site on the World Wide Web (http://home.netscape.com).

The company had previously announced a next generation version of Netscape that it said would be more secure than the original, and it said today that it would release this updated version within the next few weeks. But first it will remove the newly disclosed flaw, which is currently in the new version.

"The good news and the bad news Of the Internet is that when you put something up there, many more people can test it," said Mike Homer, the vice president of marketing at Netscape, "You also give yourself the opportunity of having people point things out which you can fix quickly."

The company so far has distributed most copies of its program free over the Internet, under a strategy of making its money from commercial customers who use Netscape to provide services or for other business applications over the World Wide Web. So replacing the copies will not be an expensive undertaking.

Instead, for Netscape Communications and for other companies betting their futures on the Internet, the real cost of this disclosure may be in the public's shaken confidence in the ability of computer companies to insure privacy and security for online commerce.

The weakness in Netscape's security was discovered by Ian Goldberg, 22, and David Wagner, 21, two computer science students who share an office at the university and who also share an interest in the arcane science of cryptography, which is becoming increasingly important for t business as companies begin to explore electronic commerce.

The two students said they had decided to put the software to a test in an effort to raise public concern about placing too much trust in unproved electronic security systems.

"I'm definitely concerned about people trusting insecure systems that promote the use of cryptography but don't give you real security," Mr. Goldberg said. "They are worse than if you don't have any security at all."

The two students began their investigation after Mr. Wagner, studying reference documents that Netscape Communications provides to outside software developers, noticed what seemed to be a potential weakness in the security system.

Netscape's security is based on a type of coding technology known generically as public key cryptography in which users exchange mathematically generated numbers - or keys - to encode or decode information. In such systems, a new key is created for each information exchange, based on a mathematical formula that is combined with numbers supposedly known only to the sender or recipient.

The students found that by determining how Netscape's formula generated the number used as a starting; point for creating a key, they were able to greatly reduce the potential combinations that would unlock the code. The starting-point number turned out to be based on the time and date of the transaction, combined with several other unique bits of information taken from a user's computer system - bits of information that an electronic intruder could determine, if he were intent on intercepting a Netscape user's transactions.

Knowing how the starting-point number was created greatly reduced the other possible components of the formula - and the students found they were able to break the code in a matter of seconds using a standard computer work station.