NIU Math Alerts
Netscape SSL Vulnerability

Background

SSL, the "Secure Sockets Layer", is a protocol for encrypting information flowing between the Web browser and a server, and for verifying that the server is indeed what it claims to be by means of "security certificates".

A problem with SSL certificate verification in all versions of Netscape prior to 4.73 has been found. To check which version of Netscape you are running, choose "About Communicator" from the "Help" menu on the right. If the version is 4.72 or below, and you intend to transmit confidential information (bank accounts, passwords, credit cards) via the browser, please read on.

The problem makes it possible for an impostor to set up a server which will appear to be trusted but will in reality be under the impostor's control. Hence confidential data submitted to that server would fall into the wrong hands.

You are accessing a secure page when:
a) the URL starts with https not just http
b) you get a dialog window saying "you have requested a secure document" (but you may have disabled that)
c) the little padlock icon in Netscape's bottom-left corner is "closed".

What this means to us

Netscape decided to discontinue the development of the SunOS version. Thus users of our older machines will have to keep this problem in mind and use the precautions described below until the older Suns all disappear.

The Solaris version has been updated, and the users of newer Suns will be able to forget about this problem, although for particularly important transactions it may be a good idea to apply the precautions anyway. Make sure that you are using the default "netscape" command, rather than an alias or a shortcut to an older version which may still be present on the system.

PC and Mac users are urged to upgrade to the newest version, and to apply the workaround described below until they do. To avoid long modem download times I can make the new software available on a CD or a ZIP disk.

Workaround for Netscape 4.72 and earlier

First make sure that the browser is set up to give you the warning in (b). You can test this by going to -- for example -- https://www.verisign.com. If the warning does not appear, click on the larger padlock icon in the main menu bar to open the security preferences settings panel. Now click on "Navigator" and make sure the box next to "warn before entering an encrypted site" is on. This will alert you whenever SSL is about to be used.

Every time you are about to type in and submit important data on a page that claims to be SSL-protected (i.e. the little padlock in the bottom corner is closed), check that the certificate indeed belongs to the Web site you are accessing. Click one of the padlock icons and then ask to "view the page's certificate". If the Internet name in the URL you are accessing doesn't match the name under which the certificate was issued, i.e. you are viewing a page claiming to be "https://big.bank.com" but the certificate says "notsobig.bank.com", the connection is probably being "hijacked". Please jot down the details, especially the incorrect certificate information, do NOT proceed with the transaction, and notify the system manager or network security personnel.
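The name comparison the workaround asks you to make by eye (URL host versus the name on the certificate), written out as an added Python example that is not part of this page and not Netscape's code. The certificate records are constructed, and the matching rules (case-insensitive exact match, a leading "*." covering exactly one label) are an assumption about what a correct browser does.

```python
"""Compare a certificate's names with the host in the URL, as the advisory tells
users to do by hand.  Added example; the certificate records below are constructed."""
from urllib.parse import urlsplit


def url_host(url):
    """Return the lower-cased host part of an https URL, or raise if it is not SSL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("not an SSL (https) URL: %r" % url)
    return parts.hostname  # .hostname is already lower-cased and carries no port


def name_matches(cert_name, host):
    """One certificate name vs. the host: exact match, or a leading '*.' that
    stands for exactly one label (assumed rule, as in RFC 2818 / RFC 6125)."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False
    host_labels = host.split(".")
    # '*.bank.com' covers 'big.bank.com' but not 'bank.com' or 'www.big.bank.com'
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == cert_name[2:]


def cert_matches_url(url, cert_names):
    """True if any of the certificate's names covers the host in the URL."""
    host = url_host(url)
    return any(name_matches(n, host) for n in cert_names)


def check_certificate(url, cert):
    """Verdict a careful user (or a correct browser) would reach for one page."""
    names = [cert["subject_cn"]] + list(cert.get("san_dns", []))
    ok = cert_matches_url(url, names)
    return {"url_host": url_host(url), "cert_names": names, "ok": ok,
            "advice": "proceed" if ok else "do NOT proceed; record the certificate details"}


# Constructed certificate records: the names the browser shows under
# "view the page's certificate" (subject common name plus DNS alt names).
GENUINE_CERT = {"subject_cn": "big.bank.com", "san_dns": ["www.big.bank.com"]}
HIJACK_CERT = {"subject_cn": "notsobig.bank.com", "san_dns": []}

if __name__ == "__main__":
    for cert in (GENUINE_CERT, HIJACK_CERT):
        print(check_certificate("https://big.bank.com/login", cert))
```

Run against the advisory's own scenario, the second record (a page at https://big.bank.com presenting a notsobig.bank.com certificate) is reported as a mismatch and the first as a match.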
