lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat Oct 15 05:05:28 2005
From: markus.jansson at gmail.com (Markus Jansson)
Subject: Mozilla Thunderbird SMTP down-negotiation weakness

Madison, Marc wrote:
 >When will Mozilla get it right?  There products
 >seems to be riddle with encryption problems?
 >My suggestion; hire someone that knows how to
 >implement encryption CORRECTLY.

I have to agree. Lets not forget that STILL all Mozilla products fail to 
show RSA/asymmetric keysize in any sensible format. Users of Mozilla 
products have no idea about safety of SSL/TLS connections, since the 
information about asymmetric keysize is not shown properly (= read: Its 
not shown at all unless you want to start calculating it from the raw 
form of the asymmetric key).

You can easily check the symmetric (RC4/AES) keysize (40/56/64/128/256 
bits) when selecting "Page info" - "Security", but nothing shows you how 
large the asymmetric keysize is (512/1024/2048/4096 bits)! This is very, 
very stupid.

Firefox, for example tells you that you have "high grade encryption" 
when you have AES-256-CBC with 512bit RSA! Since 512bit RSA only gives a 
work factor of about 2^60 and AES-256-CBC about 2^120 (if you think the 
most advanced attacks that only work in very, very theoretical form 
could be implemented against it)...well, who would even dream on 
cracking AES-256 when all they have to do is to crack 512bit RSA to get 
even better solution!

It cant be THAT HARD to implement a feature onto Mozilla products that 
would show asymmetric keysize. Opera does it. IE does it. Why cant the 
geeks at Mozilla do it too? Because the seem to lack even basic 
knowledge of crypto...   :(


-- 
???My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ