You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2010-72

Mozilla Foundation Security Advisory 2010-72

Title: Insecure Diffie-Hellman key exchange
Impact: Low
Announced: October 19, 2010
Reporter: Nelson Bolyard
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.11
  Firefox 3.5.14
  Thunderbird 3.1.5
  Thunderbird 3.0.9
  SeaMonkey 2.0.9


Mozilla cryptographer Nelson Bolyard reported that the SSL implementation was permitting servers to use Diffie-Hellman Ephemeral mode (DHE) with too short of a minimum key length. DHE keys of such lengths are trivially breakable on modern hardware so SSL servers operating in this mode were providing very little effective security for their clients.