You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-72

Mozilla Foundation Security Advisory 2010-72

Title: Insecure Diffie-Hellman key exchange
Impact: Low
Announced: October 19, 2010
Reporter: Nelson Bolyard
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.11
  Firefox 3.5.14
  Thunderbird 3.1.5
  Thunderbird 3.0.9
  SeaMonkey 2.0.9

Description

Mozilla cryptographer Nelson Bolyard reported that the SSL implementation was permitting servers to use Diffie-Hellman Ephemeral mode (DHE) with too short of a minimum key length. DHE keys of such lengths are trivially breakable on modern hardware so SSL servers operating in this mode were providing very little effective security for their clients.

References