Closed Bug 253999 Opened 20 years ago Closed 20 years ago

Bad SSL security: Not displaying asymmetric key sizes during SSL (eg. low RSA key sizes)

Categories

(Core Graveyard :: Security: UI, enhancement)

Other Branch
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 78837

People

(Reporter: ghost16825, Assigned: KaiE)

Details

(Keywords: helpwanted, polish, useless-UI)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

When going to an https site, Mozilla will display the symmetric key size (usually
128 bits) but will not display anywhere the asymmetric key size (usually RSA),
even if it is, say, less than 1024 bits (e.g. 512 bits) or some other low number.

Mozilla should fully disclose this under Page Info > Security at least. A
similar fix should be done for Firefox.

All relevant information to SSL should be disclosed where possible. Having the
browser inform the user that a site uses "high security" even if low asymmetric
keys are used is very misleading and potentially dangerous.

Numerous security professionals, including a cryptanalyst, agree that asymmetric
information should be disclosed.

This issue is discussed in this thread:
http://www.security-forums.com/forum/viewtopic.php?t=17955&start=0&postdays=0&postorder=asc&highlight=

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
I can almost fix this myself. It is trivial to fix, but an important issue.
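
The disclosure requested above needs the RSA key size taken from the server certificate's public key. As an added example (not part of the original bug report and not Mozilla or PSM code), the Python below reads the modulus length from a DER SubjectPublicKeyInfo and reports it beside the symmetric key size. The function names and sample keys are constructed for illustration, and the 1024-bit floor is the figure mentioned in the report.

```python
# Added example: helper names are hypothetical; the sample keys are constructed.
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length size
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, spki, _ = read_tlv(spki_der)         # outer SEQUENCE
    _, alg, after_alg = read_tlv(spki)      # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    _, bits, _ = read_tlv(spki, after_alg)  # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = read_tlv(bits[1:])      # skip the unused-bits octet
    _, modulus, _ = read_tlv(rsa_key)       # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def connection_summary(cipher_bits, spki_der, min_rsa_bits=1024):
    """Report both key sizes; 1024 is the floor named in the bug report."""
    rsa_bits = rsa_modulus_bits(spki_der)
    return {"symmetric_bits": cipher_bits, "rsa_bits": rsa_bits,
            "weak_asymmetric_key": rsa_bits < min_rsa_bits}

# --- constructed sample input (size-only stand-ins, not real key pairs) ---
def tlv(tag, value):
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def der_int(x):
    return tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))

def make_spki(modulus_bits, exponent=65537):
    modulus = (1 << (modulus_bits - 1)) | 1
    key = tlv(0x30, der_int(modulus) + der_int(exponent))
    return tlv(0x30, tlv(0x30, RSA_OID + b"\x05\x00") + tlv(0x03, b"\x00" + key))

if __name__ == "__main__":
    for size in (512, 2048):
        print(connection_summary(128, make_spki(size)))
```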
Assignee: dveditz → kaie
Component: Security: General → Client Library
Product: Browser → PSM
Version: Trunk → unspecified
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8a3?
Flags: blocking-aviary1.0?
Displaying "high-grade encryption" on a connection with a bitty little RSA key
is asking for it. This needs to be fixed before the next final builds.

*** This bug has been marked as a duplicate of 78837 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
removing blocker nominations from this dupe. maybe the original bug should be
nominated?
Flags: blocking1.8a3?
Flags: blocking-aviary1.0?
(In reply to comment #4)
> removing blocker nominations from this dupe. maybe the original bug should be
> nominated?
Yeah, definitely. Feel free to do so.

Product: PSM → Core
Product: Core → Core Graveyard