Netscape Communications Inc., the Internet start-up whose initial public offering was the talk of Wall Street this summer, said Monday that a serious security flaw has been identified in its main software product, a development that could slow the growth of commerce in cyberspace.
The software, a so-called browser for the graphical portion of the Internet known as the World Wide Web, is rapidly becoming a standard, and its ability to encrypt credit card numbers and other information is considered important to the success of on-line shopping and other transaction services.
But Netscape marketing vice president Mike Homer acknowledged Monday that an individual with enough information about the computer where the transaction originated could crack Netscape's security coding system in a matter of minutes. He said Netscape engineers had already come up with a way to fix the hole in the program. The company plans to make the fix available to customers at no charge within the week.
In the meantime, consumers may want to think twice before using the software--and companies that were considering offering their wares on the Internet might now choose to wait.
Netscape first became aware of the problem Sunday night, when company executives who monitor the Internet news groups that focus on security issues read a posting on a mailing list that detailed how to decipher the Netscape code.
Homer said the posting, from a computer science student, listed several of the variables Netscape uses to generate a random number, which in turn is used to generate the session "key," the code that ensures a secure transaction.
Some of those variables are specific to the computer that the information--credit card numbers, confidential documents, etc.--is being sent from.
To strengthen the code, Netscape plans to lengthen the random number that is generated, from 30 bits of information to 300 bits, Homer said.
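The weakness Homer describes, sketched in Python as an added illustration (not Netscape's code and not taken from the mailing-list posting): a session key derived only from machine-specific values is recovered by trying every seed an observer cannot rule out, while a key drawn from the operating system's random source has no seed to reconstruct. The field names, sample values, SHA-256 derivation and guess rate are all assumptions made for the example.

```python
import hashlib
import math
import secrets
from itertools import product

def session_key(seed_fields):
    """Toy derivation: the key is a pure function of the seed fields."""
    material = b"|".join(str(v).encode() for v in seed_fields)
    return hashlib.sha256(material).digest()[:16]

def seed_entropy_bits(candidate_ranges):
    """Upper bound on what an observer must guess: log2(number of candidates)."""
    return sum(math.log2(len(r)) for r in candidate_ranges)

def search_seconds(bits, guesses_per_second):
    """Worst-case time to try every seed of the given size."""
    return 2 ** bits / guesses_per_second

def recover_seed(observed_key, candidate_ranges):
    """Try every seed the observer cannot rule out; return the match or None."""
    for candidate in product(*candidate_ranges):
        if session_key(candidate) == observed_key:
            return candidate
    return None

# Constructed values; the field names are assumptions, not from the article.
CLOCK_SECOND = 811036800      # observer sees roughly when the session began
CLOCK_MICROSECOND = 417203    # unknown to the observer within the second
PROCESS_ID = 1234             # narrowed by knowledge of the machine

# What the observer still has to guess for each field.
OBSERVER_RANGES = [
    range(CLOCK_SECOND, CLOCK_SECOND + 1),
    range(417000, 418000),  # narrowed to 1,000 values to keep the demo fast
    range(1024, 1280),
]

def demo():
    weak_key = session_key((CLOCK_SECOND, CLOCK_MICROSECOND, PROCESS_ID))
    found = recover_seed(weak_key, OBSERVER_RANGES)
    strong_key = secrets.token_bytes(16)  # OS CSPRNG: no seed to reconstruct
    return found, seed_entropy_bits(OBSERVER_RANGES), len(strong_key)

if __name__ == "__main__":
    found, bits, _ = demo()
    print(f"seed recovered: {found} (search space about {bits:.1f} bits)")
    for size in (30, 300):
        print(f"{size}-bit seed at 1e6 guesses/s: {search_seconds(size, 1e6):.3g} s")
```

At the assumed rate of one million guesses per second, the 30-bit figure works out to roughly 18 minutes of searching, while the 300-bit figure is far beyond any exhaustive search.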