Mozilla Foundation Security Advisory 2006-60

RSA Signature Forgery

September 14, 2006
Philip Mackenzie, Marius Schilder
Firefox, NSS, SeaMonkey, Thunderbird
Fixed in
  • Firefox
  • NSS 3.11.3
  • SeaMonkey 1.0.5
  • Thunderbird


Philip Mackenzie and Marius Schilder of Google informed us of Daniel Bleichenbacher's recent presentation of a common implementation error in RSA signature verification, a failure to account for extra data in the signature. For signatures with a small exponent such as 3 it is possible for an attacker to calculate a value for this extra data to make an altered message appear to be correctly signed, allowing the signature to be forged. Mozilla's Network Security Services (NSS) library was vulnerable to this flaw.

Because the set of root Certificate Authorities that ship with Mozilla clients contain some with an exponent of 3 it was possible to make up certificates, such as SSL/TLS and email certificates, that were not detected as invalid. This raised the possibility of the sort of Man-in-the-Middle attacks SSL/TLS was invented to prevent.

We thank Philip Mackenzie and Marius Schilder for bringing this result to our attention and working with us to ensure the NSS library was safe from variations on this basic attack.


None, upgrade to a fixed version.