Irregular RSA Exponents


Wayne

Mar 16, 2026, 5:40:37 PM
to dev-secur...@mozilla.org
This is just an irregularity I noticed when investigating censys: there are 897.9 million RSA certificates that are valid and chain to the Mozilla root store at the time of writing. Of those 897.9 million there are twenty (20) where the exponent isn't the standard 65537.

Baseline Requirements only care that it's greater than 3 and not odd, and all of these are above 65537 but I think it's worth documenting the outliers given they are few and far between.

So in increasing order of exponent:

65541:
60879c596929cf95839401d0a4f317ac502e28f469185e74d824cc4a90fb4255 [Go Daddy]
61f5ddd00d51fd2140fbf7f6c6038d26fc29a4e881d738da4b2148fc66ee39ab [GlobalSign]
a6d591fd761f27edf00ac4ae4c8d300633aa77389e60c96310f3f66aa31e57e3 [Go Daddy]
c2584bf11b4b0fd388c43b42c6f70a8c4e5bd9dce278a352204584e872c3f402 [GlobalSign]
cf03a551bed54947058e303737f28db3ca69c808460d34164c7b88d63c01fd27 [GlobalSign]

65567:
8156694b84bcc61224dbf474d02f75108fdb5b2a903f934537d222fbe7eb10ea [Entrust] (Chaining to Sectigo)

65577:
48fc4d840c3ae97604662fe25007fd26d266a2dc21ff1a05ee9517ea99032ec7 [GlobalSign]
77eb5bc9fb32d3003d83de60d422fc3dcd237280a90cd98d1f7843dd00ba1390 [GlobalSign]
909c52586a38171def0bb73afc74f893e5b1d9911784bfcc5a995b5c0481f2b8 [GlobalSign]
d35cbf6be776c79fe5132b38d849fecdf93a5c7cb57fabbbe349af1e68d0b2df [GlobalSign]
ffd25743609cc72fdcbc2e57a5d6a8c3f6049fa09e839420d65b88d6f87bc370 [GlobalSign]

90649:
f91606d1bc52c610136caa856ab500c48c3b993bac4808cd82bc4b78abf24156 [NetLock] - Intermediate

91983:
7ecaca4a3585a3b40e25574415512d56b57999b753017856f2ab15fa1f21f6d0 [NetLock] - Intermediate

129515:
047795785cdcff9e6e0ae122492e5b7bf08a9e5c49762e2bcb52747c69031561 [NetLock] - Intermediate

133257:
46a094e6b5b2698efd86a4862fc1425dbf5694c5fe5cc6d63c783d1afff34846 [Go Daddy]
4e02a4a9e78eea53a70a59b580f06c170ccd3fc96615da11cbb88caf203fc7ae [Go Daddy]

262147:
3af4339d08ec8ef90d9d57b2b68f53bc78108f45c2791548d83d6810a699d22b [ZeroSSL]
92d01842fb6275890ef74aad742990efd76aba0604203b327f3270e805b6f356 [ZeroSSL]
b2fd1f34d6d5f3b0f3d8caab7fc4ac43cd1543b6a03d7cb4b22c41053d4773c8 [ZeroSSL]

1073741953:
69491b6c5039feb54ba8722e6b4502bb8ace12a11aa236fa622a75427eecf06d [Deutsche Telekom]

Censys Query: (cert.labels="trusted" and cert.validation.nss.has_trusted_path="true" and not cert.labels="revoked" and cert.parsed.extensions.extended_key_usage.server_auth="true") and not cert.parsed.subject_key_info.rsa.exponent="65537" and cert.parsed.subject_key_info.key_algorithm.name="RSA"

For those wondering, outside of the Mozilla ecosystem the worst is a Cisco Intermediate with an exponent of 3: c74d4b4a14519dd065191d96845e8d4ec851436bc559c4a45e24ca5c7c01fcd3

Then it's a jump to 36131/39639 for some Kazakhstan banks that Visa gave certs to this February but that are only valid in the Microsoft chain.

- Wayne

Hanno Böck

Mar 17, 2026, 2:28:16 AM
to dev-secur...@mozilla.org
Hi,

Thanks for that information.

On Mon, 16 Mar 2026 14:40:37 -0700 (PDT)
Wayne <rdau...@gmail.com> wrote:

> Baseline Requirements only care that it's greater than 3 and not odd,
> and all of these are above 65537 but I think it's worth documenting
> the outliers given they are few and far between.

For what it's worth: I think that should be changed and e=65537
should be enforced. (I actually think it was a mistake to begin with
to make RSA over-configurable, and the exponent should just be a fixed
value and not part of the key.)

There are a number of potential RSA weaknesses both with very small RSA
exponents (Coppersmith/Håstad attack, Bleichenbacher's Signature
Forgery Attack, BERserk) and with small private exponents (Wiener's
attack) - which automatically leads to a large public exponent.
Having a standard e value of 65537 avoids all of those.


Given that non-standard e values are so rare, it may be time to just
remove them from the WebPKI ecosystem.

--
Hanno Böck
https://hboeck.de/
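Wayne's survey reads the exponent from Censys' `cert.parsed.subject_key_info.rsa.exponent` field, and Hanno's reply proposes enforcing e=65537. The following is an added example (not code from either poster): it builds and parses an RSA SubjectPublicKeyInfo with a minimal DER encoder/decoder so the public exponent can be audited offline, and classifies it the way the thread does. The modulus used is a constructed placeholder, not a real key.

```python
# Added example (not from the thread): build and parse an RSA SubjectPublicKeyInfo
# with minimal DER so the public exponent can be audited. The modulus passed in by
# callers is a constructed placeholder, not a real key.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra bit keeps it positive
    return b"\x02" + der_len(len(body)) + body
def der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

def build_rsa_spki(n: int, e: int) -> bytes:
    # SubjectPublicKeyInfo { AlgorithmIdentifier(rsaEncryption, NULL), BIT STRING(RSAPublicKey) }
    alg = der_seq(b"\x06" + der_len(len(RSA_OID)) + RSA_OID, b"\x05\x00")
    rsa_key = der_seq(der_int(n), der_int(e))
    return der_seq(alg, b"\x03" + der_len(len(rsa_key) + 1) + b"\x00" + rsa_key)

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, offset_after) for the DER TLV starting at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        nbytes = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + ln], off + ln

def rsa_exponent(spki: bytes) -> int:
    # Walk SPKI -> AlgorithmIdentifier / BIT STRING -> RSAPublicKey -> publicExponent
    tag, body, _ = read_tlv(spki)
    assert tag == 0x30, "SPKI must be a SEQUENCE"
    tag, alg, off = read_tlv(body)
    assert tag == 0x30 and alg[2:2 + len(RSA_OID)] == RSA_OID, "not rsaEncryption"
    tag, bits, _ = read_tlv(body, off)
    assert tag == 0x03 and bits[0] == 0, "unexpected BIT STRING (unused bits)"
    _, key, _ = read_tlv(bits[1:])          # RSAPublicKey SEQUENCE
    _, _n, off = read_tlv(key)              # modulus INTEGER (not needed here)
    _, e_bytes, _ = read_tlv(key, off)      # publicExponent INTEGER
    return int.from_bytes(e_bytes, "big")

def classify_exponent(e: int) -> str:
    """'standard' for 65537; anything else is flagged, as the thread does."""
    if e == 65537:
        return "standard"
    if e < 3 or e % 2 == 0:
        return "invalid"   # RSA needs an odd e >= 3 so that e is coprime with phi(n)
    return "small" if e < 65537 else "large"
```

Feeding the exponents from Wayne's list (65541 through 1073741953) through `classify_exponent` yields "large" for each, while the Cisco intermediate's e=3 is reported as "small".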

David Adrian

Mar 17, 2026, 11:16:20 AM
to Hanno Böck, dev-secur...@mozilla.org
Given the PQ transition, this seems like a particularly low value use of time, to fix something that doesn’t appear to be a problem. 


Bas Westerbaan

Mar 17, 2026, 11:20:34 AM
to David Adrian, Hanno Böck, dev-secur...@mozilla.org
Agreed.

(Although I don't think that it should weigh heavily if at all, I do want to note that there are use cases for other exponents outside of WebPKI, e.g. https://datatracker.ietf.org/doc/draft-irtf-cfrg-partially-blind-rsa/02/ )
