Mozilla Foundation Security Advisory 2010-72

Insecure Diffie-Hellman key exchange

Announced
October 19, 2010
Reporter
Nelson Bolyard
Impact
Low
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.14
  • Firefox 3.6.11
  • SeaMonkey 2.0.9
  • Thunderbird 3.0.9
  • Thunderbird 3.1.5

Description

Mozilla cryptographer Nelson Bolyard reported that the SSL implementation was permitting servers to use Diffie-Hellman Ephemeral mode (DHE) with too short of a minimum key length. DHE keys of such lengths are trivially breakable on modern hardware so SSL servers operating in this mode were providing very little effective security for their clients.

References