RSA keysize cannot be retrieved

VERIFIED DUPLICATE of bug 78837

Status

Core Graveyard
Security: UI
--
major
15 years ago
a year ago

People

(Reporter: Markus Jansson, Assigned: Stephane Saux)

Details

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

In Mozilla, Netscape, Konqueror and likely in other similar browsers, it is
IMPOSSIBLE to see RSA keysize at all. You can see the RC4/DES/3DES keysize
(symmetric cipher) from the page security info, but there is absolutely no way
to check RSA keysize.

Let me make this clear. This is a very serious security issue. It is vital to see
RSA keysize; there is no point in checking symmetric cipher size since it does
NOT tell you anything about the encryption level. The symmetric cipher's key is
in SSL/TLS encrypted using RSA and if RSA keysize is small (let's say 512bit),
there is no point in using 128bit RC4 or 168bit 3DES, because 512bit RSA only
gives about "50bit security".

So the problem is that when you go to an SSL/TLS protected site, you can't know if
the encryption gives good protection (128bit RC4 or 168bit 3DES with 2048bit
RSA), or if it gives you very poor protection (128bit RC4 or 168bit 3DES with
512bit RSA). (Of course you can see that protection is poor if the site supports
40bit RC4/DES with xxxxbit RSA, but the point is you cannot know if the
security is poor due to small keysize of RSA.) This is, as I must point out
again, a very serious security issue and should be quickly fixed!

Reproducible: Always

Steps to Reproduce:
1. Go to any https website
2. Try to find out RSA keysize (you can't).

Actual Results:  
Symmetric cipher size (40, 56, 128 or 168bit) could be viewed, but no RSA keysize.

Expected Results:  
When checking the page encryption level, Mozilla should warn about insecure RSA
keysize (512bit) and when page security information is viewed, RSA keysize
should be visible.
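
The expected result above, sketched as an added example that is not part of the bug report and is not Mozilla/PSM code: read the RSA modulus size from a DER SubjectPublicKeyInfo and show it beside the symmetric key size. The function names, the 1024-bit warning threshold and the sample keys (placeholder moduli of the right size, not real keys) are assumptions made for illustration.

```python
# Added example (assumed names and threshold; not PSM code).
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
MIN_RSA_BITS = 1024  # assumed warning threshold; the report only names 512-bit as weak

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):  # spki: DER SubjectPublicKeyInfo taken from a certificate
    tag, body, _ = read_tlv(spki)                 # SubjectPublicKeyInfo SEQUENCE
    alg_tag, alg, pos = read_tlv(body)            # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg)
    if (tag, alg_tag, oid_tag, oid) != (0x30, 0x30, 0x06, RSA_OID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    bits_tag, bits, _ = read_tlv(body, pos)       # BIT STRING wrapping RSAPublicKey
    if bits_tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("malformed public key BIT STRING")
    key_tag, key, _ = read_tlv(bits, 1)           # RSAPublicKey SEQUENCE
    int_tag, modulus, _ = read_tlv(key)           # first INTEGER is the modulus
    if (key_tag, int_tag) != (0x30, 0x02):
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()

def page_info(cipher_bits, spki):  # one security-info line showing both key sizes
    rsa_bits = rsa_modulus_bits(spki)
    warning = " WARNING: weak RSA key" if rsa_bits < MIN_RSA_BITS else ""
    return f"{cipher_bits}-bit cipher, {rsa_bits}-bit RSA key.{warning}"

def der(tag, value):  # DER encoder, used only to build the constructed samples
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_spki(bits):  # constructed SPKI with a placeholder modulus, not a real key
    ints = [(1 << (bits - 1)) | 1, 65537]
    key = b"".join(der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big")) for i in ints)
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + der(0x30, key)))
```

Calling `page_info(128, sample_spki(512))` returns the line with the weak-key warning, while `page_info(168, sample_spki(2048))` returns both sizes without it.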
-> PSM
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: carosendahl → bmartin
Version: Trunk → unspecified

Comment 2

15 years ago

*** This bug has been marked as a duplicate of 78837 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE

Comment 3

15 years ago
Verified dupe.
Status: RESOLVED → VERIFIED

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core
Product: Core → Core Graveyard