{"id":1819,"date":"2014-09-24T18:29:02","date_gmt":"2014-09-25T01:29:02","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=1819"},"modified":"2016-09-30T02:51:37","modified_gmt":"2016-09-30T09:51:37","slug":"rsa-signature-forgery-in-nss","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/","title":{"rendered":"RSA Signature Forgery in NSS"},"content":{"rendered":"<h2>Issue<\/h2>\n<p>A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your safety on the internet.<\/p>\n<h2>Impact to Users<\/h2>\n<p>Users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it\u2019s coming from a trusted site.<\/p>\n<h2>Status<\/h2>\n<p>The following updates have been released for Mozilla client products:<\/p>\n<p style=\"padding-left: 30px;\">Firefox 32.0.3<br \/>\nFirefox for Android 32.0.3<br \/>\nFirefox for Android 31.1.1<br \/>\nFirefox ESR 31.1.1<br \/>\nFirefox ESR 24.8.1<\/p>\n<p style=\"padding-left: 30px;\">Thunderbird 31.1.2<br \/>\nThunderbird 24.8.1<\/p>\n<p style=\"padding-left: 30px;\">SeaMonkey 2.29.1<\/p>\n<p>Updates are also available for Beta and other development versions of these products.<\/p>\n<p>Most users will receive these as automatic updates. In addition, they are available from our website for those who have disabled automatic updates (or from the Play store in the case of Firefox for Android).<\/p>\n<p>Other products which incorporate the NSS library should upgrade their copy of NSS to one of the following:<\/p>\n<p style=\"padding-left: 30px;\">NSS 3.16.2.1<br \/>\nNSS 3.16.5<br \/>\nNSS 3.17.1<\/p>\n<h2>Credit<\/h2>\n<p>We would like to thank the following researchers for reporting this issue:<\/p>\n<p>Antoine Delignat-Lavaud of Inria Paris in team Prosecco<br \/>\nThe Advanced Threat Research team at Intel Security<\/p>\n<p>Additional information can be found in our <a href=\"https:\/\/www.mozilla.org\/security\/announce\/2014\/mfsa2014-73.html\">advisory<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Issue A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/\">Read more<\/a><\/p>\n","protected":false},"author":142,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[47,30,69],"tags":[45499],"coauthors":[45545],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>RSA Signature Forgery in NSS - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daniel Veditz\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/\",\"name\":\"RSA Signature Forgery in NSS - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2014-09-25T01:29:02+00:00\",\"dateModified\":\"2016-09-30T09:51:37+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/04ad4267d6173c50c6a250887082f088\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"RSA Signature Forgery in NSS\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/04ad4267d6173c50c6a250887082f088\",\"name\":\"Daniel Veditz\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/f91fc8d11d145a8be6d59ec3e71ac970\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/da6b54ad3fdb36ba7656df9adfe65d12?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/da6b54ad3fdb36ba7656df9adfe65d12?s=96&d=identicon&r=g\",\"caption\":\"Daniel Veditz\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"RSA Signature Forgery in NSS - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/","twitter_misc":{"Written by":"Daniel Veditz","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/","url":"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/","name":"RSA Signature Forgery in NSS - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2014-09-25T01:29:02+00:00","dateModified":"2016-09-30T09:51:37+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/04ad4267d6173c50c6a250887082f088"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2014\/09\/24\/rsa-signature-forgery-in-nss\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"RSA Signature Forgery in NSS"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/04ad4267d6173c50c6a250887082f088","name":"Daniel Veditz","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/f91fc8d11d145a8be6d59ec3e71ac970","url":"https:\/\/secure.gravatar.com\/avatar\/da6b54ad3fdb36ba7656df9adfe65d12?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/da6b54ad3fdb36ba7656df9adfe65d12?s=96&d=identicon&r=g","caption":"Daniel Veditz"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1819"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/142"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1819"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1819\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1819"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}