

RSA Signature Forgery in NSS - volent
https://blog.mozilla.org/security/2014/09/24/rsa-signature-forgery-in-nss/

======
tptacek
For those of you playing the home version, this is in Set 6 of our crypto
challenges:

[http://cryptopals.com/sets/6/challenges/42/](http://cryptopals.com/sets/6/challenges/42/)

Ironically, Firefox is the only browser that had this flaw when Bleichenbacher
originally described it almost 10 years ago.

I'm particularly fond of this bug; it's what started me off down the path of
learning about serious crypto attacks.

------
diafygi
Right now, the most popular phone for Firefox OS is the Intex Cloud FX (the
$33 phone), which was released last month and runs 1.3[1]. However, Mozilla
has said that they are only applying updates to 2.x[2].

This means that their flagship phone that was released only a month ago has a
critical security vulnerability and there are no plans to fix it. Great work,
Mozilla!

[1] -
[http://www.intexmobile.in/product_detail.aspx?PID=191&PCatID...](http://www.intexmobile.in/product_detail.aspx?PID=191&PCatID=3)

[2] -
[https://www.reddit.com/r/FireFoxOS/comments/2hf13o/security_...](https://www.reddit.com/r/FireFoxOS/comments/2hf13o/security_update_for_all_mozilla_products_released/cks1ivg)

~~~
bkerensa
This is far from the truth.

~~~
bmm6o
If you know they have plans to fix it, it would be helpful if you would say
so.

