Full Disclosure mailing list archives

Mozilla Thunderbird SMTP down-negotiation weakness
From: Markus Jansson <markus.jansson () gmail com>
Date: Sat, 15 Oct 2005 06:10:35 +0300

Madison, Marc wrote:
>When will Mozilla get it right?  Their products
>seem to be riddled with encryption problems?
>My suggestion; hire someone that knows how to
>implement encryption CORRECTLY.

I have to agree. Let's not forget that STILL all Mozilla products fail to show RSA/asymmetric keysize in any sensible format. Users of Mozilla products have no idea about safety of SSL/TLS connections, since the information about asymmetric keysize is not shown properly (= read: It's not shown at all unless you want to start calculating it from the raw form of the asymmetric key).

You can easily check the symmetric (RC4/AES) keysize (40/56/64/128/256 bits) when selecting "Page info" - "Security", but nothing shows you how large the asymmetric keysize is (512/1024/2048/4096 bits)! This is very, very stupid.

Firefox, for example, tells you that you have "high grade encryption" when you have AES-256-CBC with 512-bit RSA! Since 512-bit RSA only gives a work factor of about 2^60 and AES-256-CBC about 2^120 (if you think the most advanced attacks that only work in very, very theoretical form could be implemented against it)...well, who would even dream of cracking AES-256 when all they have to do is to crack 512-bit RSA to get an even better solution!

It can't be THAT HARD to implement a feature onto Mozilla products that would show asymmetric keysize. Opera does it. IE does it. Why can't the geeks at Mozilla do it too? Because they seem to lack even basic knowledge of crypto... :(

My computer security & privacy related homepage
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
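
Added example, not part of the original post: the asymmetric key size the message asks browsers to display can be read from the raw key. This Python sketch parses a DER-encoded PKCS#1 RSAPublicKey (in a certificate it sits inside SubjectPublicKeyInfo, which is not handled here) and rates a connection by its weakest link using the NIST SP 800-57 comparable-strength rows. The function names are hypothetical and the sample keys are constructed placeholders of the right size, not real moduli.

```python
# Added example: sample keys are constructed placeholders, not real RSA moduli.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of n in RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()  # sign-pad 0x00 is not counted

# NIST SP 800-57 Part 1 comparable strengths: (minimum RSA bits, symmetric bits)
_RSA_STRENGTH = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]

def effective_bits(sym_bits, rsa_bits):
    """Weakest-link strength; None if the RSA key is below the 1024-bit row."""
    rsa_equiv = next((s for m, s in _RSA_STRENGTH if rsa_bits >= m), None)
    return None if rsa_equiv is None else min(sym_bits, rsa_equiv)

E = bytes([0x02, 0x03, 0x01, 0x00, 0x01])             # INTEGER 65537
# Constructed 512-bit key: short-form lengths (0x48 body, 0x41 modulus incl. pad)
SAMPLE_512 = bytes([0x30, 0x48, 0x02, 0x41, 0x00]) + ((1 << 511) | 1).to_bytes(64, "big") + E
# Constructed 2048-bit key: long-form lengths (0x82 0x01 0x0A body, 0x82 0x01 0x01 modulus)
SAMPLE_2048 = (bytes([0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00])
               + ((1 << 2047) | 1).to_bytes(256, "big") + E)

if __name__ == "__main__":
    for name, der, sym in (("AES-256 + sample 512", SAMPLE_512, 256),
                           ("AES-256 + sample 2048", SAMPLE_2048, 256)):
        bits = rsa_modulus_bits(der)
        eff = effective_bits(sym, bits)
        print(name, "RSA bits:", bits, "effective:", eff if eff else "below 80-bit")
```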
