[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Mozilla Thunderbird SMTP down-negotiation weakness

Madison, Marc wrote:
>When will Mozilla get it right?  There products
>seems to be riddle with encryption problems?
>My suggestion; hire someone that knows how to
>implement encryption CORRECTLY.

I have to agree. Lets not forget that STILL all Mozilla products fail to show RSA/asymmetric keysize in any sensible format. Users of Mozilla products have no idea about safety of SSL/TLS connections, since the information about asymmetric keysize is not shown properly (= read: Its not shown at all unless you want to start calculating it from the raw form of the asymmetric key).

You can easily check the symmetric (RC4/AES) keysize (40/56/64/128/256 bits) when selecting "Page info" - "Security", but nothing shows you how large the asymmetric keysize is (512/1024/2048/4096 bits)! This is very, very stupid.

Firefox, for example tells you that you have "high grade encryption" when you have AES-256-CBC with 512bit RSA! Since 512bit RSA only gives a work factor of about 2^60 and AES-256-CBC about 2^120 (if you think the most advanced attacks that only work in very, very theoretical form could be implemented against it)...well, who would even dream on cracking AES-256 when all they have to do is to crack 512bit RSA to get even better solution!

It cant be THAT HARD to implement a feature onto Mozilla products that would show asymmetric keysize. Opera does it. IE does it. Why cant the geeks at Mozilla do it too? Because the seem to lack even basic knowledge of crypto... :(


--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/