Important Information for users of Netscape

The CERT Advisory Group has made the general public aware of a flaw in the way Netscape handles the passing of information using the Secure Socket Layer (SSL) protocol. As you know, North Dallas Bank & Trust uses SSL for the encryption of information passed between our users and our web sites (http://www.ndbt.com & ReadyNet Online Banking).

The CERT Advisory states:

Our team has discovered a flaw in Netscape Navigator that allows bypassing of warning about an invalid SSL certificate. SSL protection is used in most major Internet-based financial services (e-banking, e-commerce). The flaw we have found effectively disables one of the two basic SSL functionalities: to assure users that they are really communicating with the intended web server - and not with a fake one. Using this flaw, the attacker can make users send secret information (like credit card data and passwords) to his web server rather than the real one - EVEN IF THE COMMUNICATION IS PROTECTED BY SSL PROTOCOL.

To solve this problem users should do one of three things:

Netscape has  provided a Navigator Add-on called Personal Security Manager (PSM), freely downloadable at:

http://www.iplanet.com/downloads/download/detail_128_316.html

Installation of PSM, as far as we have tested it, corrects the identified flaw.

Netscape Communicator (v4.73) currently includes the fix for this vulnerability. It is available for download at: http://home.netscape.com/download/

WORKAROUND

Navigator/Communicator users who can't or don't want to install PSM can use a "manual" method to make sure they are not under attack:

When visiting an SSL-protected site, double click on the lock icon (bottom left corner) or the key icon (in older browsers) and see whether the certificate used for the connection is really issued for the correct hostname. E.g. If you visit https://www.verisign.com, make sure the certificate used is issued for www.verisign.com and not for some other hostname.