Full Disclosure mailing list archives

Re: Mozilla Thunderbird SMTP down-negotiation weakness

From: Tim <tim-security () sentinelchicken org>
Date: Sat, 15 Oct 2005 01:43:06 -0400

I have to agree. Lets not forget that STILL all Mozilla products fail to 
show RSA/asymmetric keysize in any sensible format. Users of Mozilla 
products have no idea about safety of SSL/TLS connections, since the 
information about asymmetric keysize is not shown properly (= read: Its 
not shown at all unless you want to start calculating it from the raw 
form of the asymmetric key).

You can easily check the symmetric (RC4/AES) keysize (40/56/64/128/256 
bits) when selecting "Page info" - "Security", but nothing shows you how 
large the asymmetric keysize is (512/1024/2048/4096 bits)! This is very, 
very stupid.

Firefox, for example tells you that you have "high grade encryption" 
when you have AES-256-CBC with 512bit RSA! Since 512bit RSA only gives a 
work factor of about 2^60 and AES-256-CBC about 2^120 (if you think the 
most advanced attacks that only work in very, very theoretical form 
could be implemented against it)...well, who would even dream on 
cracking AES-256 when all they have to do is to crack 512bit RSA to get 
even better solution!


I agree that this is less than optimal.  Could you point me to the bug
report you filed in bugzilla that requests these changes?

It cant be THAT HARD to implement a feature onto Mozilla products that 
would show asymmetric keysize. Opera does it. IE does it. Why cant the 
geeks at Mozilla do it too? Because the seem to lack even basic 
knowledge of crypto...   :(


It probably isn't that hard.  Why don't you write a patch?  Welcome to
open source.  You can easily make a community contribution and make the
world better for every Mozilla user.  Probably even get your name in the
credits!


Honestly though, this stuff is such a miniscule portion of overall
security...  How many users actually care when websites don't even have
valid certificates?  Heck, most browsers don't even check for CRLs by
default, including IE.

There are many many more, much easier ways to steal someone's sensitive
info without attacking the crypto.

tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Mozilla Thunderbird SMTP down-negotiation weakness Thomas Henlich (Oct 14)
- Security Scanners Adriel Desautels (Oct 15)
- <Possible follow-ups>
- Mozilla Thunderbird SMTP down-negotiation weakness Markus Jansson (Oct 14)
  - Re: Mozilla Thunderbird SMTP down-negotiation weakness Steve Friedl (Oct 14)
  - Re: Mozilla Thunderbird SMTP down-negotiation weakness Tim (Oct 14)
    - Re: Mozilla Thunderbird SMTP down-negotiation weakness Markus Jansson (Oct 15)
    - Re: Mozilla Thunderbird SMTP down-negotiation weakness Tim (Oct 16)