Netscape Communications Corporation Information for VU#997481
Cryptographic libraries and applications do not adequately defend against timing attacks
- Date Notified: 11 Feb 2003
- Statement Date:
- Date Updated: 11 Apr 2003
The CERT Coordination Center has recently released Vulnerability Note VU#997481, which indicates that some cryptographic libraries and applications do not provide adequate defense against timing attacks on RSA private keys. The Netscape cryptographic libraries and the application products (both client and server software) based on them are not susceptible to this vulnerability. In particular, the Netscape libraries and applications use RSA blinding, which the CERT Note describes as the preferred defense against this vulnerability.
Netscape takes all security and privacy matters very seriously and has been using RSA blinding in its cryptographic libraries since 1997 to prevent timing vulnerabilities against private keys.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.