DocumentCode
3392610
Title
Lessons learned from security weaknesses in the Netscape World Wide Web browser
Author
Shepherd, Simon J.
Author_Institution
Dept. of Electr. Eng., Bradford Univ., UK
fYear
1996
fDate
35166
Firstpage
42552
Lastpage
42557
Abstract
“The Net” is universally recognised as offering a revolution in communications way beyond the limited applications for which it is currently being used. The opportunities for business, commerce and finance are particularly exciting. The author discusses why the Internet is failing to live up to these expectations as a commercial medium. No private individual will trust their credit card numbers to an insecure network and big business has even more at stake. One of the first companies to try and address this problem seriously is Netscape Communications, who attempted to build a “secure transactions protocol” into their Web browser. However, like many before them, they wrongly perceived the writing of a cryptographically secure system to be a straightforward task, whereas in fact it is a highly specialised one. As a direct result, their system was very publicly and embarrassingly “hacked”. We describe, by way of a detailed example of what can go wrong, the weaknesses in the design of the cryptographic “security” built into the Netscape browser which led to the algorithm being broken. Some important lessons to be learned from their experience are summarised and some recommendations made (together with associated problems) for the design of genuinely secure systems which will allow the commercial potential of the Internet to be realised to the full.
Keywords
Internet; Netscape Communications; Netscape World Wide Web browser; algorithm; commercial medium; cryptographically secure system; secure transactions protocol; security weaknesses;
fLanguage
English
Publisher
iet
Conference_Titel
Public Uses of Cryptography, IEE Colloquium on
Conference_Location
London
Type
conf
DOI
10.1049/ic:19960524
Filename
579212