18925 2012-09-19 23:13:13 +0000 Highlight algorithm-specific security considerations 2014-09-26 23:39:47 +0000 1 1 1 Unclassified Web Cryptography Web Cryptography API Document unspecified PC Windows NT RESOLVED DUPLICATE 25607 P2 normal --- 1 sleevi ddahl watsonm oldest_to_newest 74102 0 sleevi 2012-09-19 23:13:13 +0000 ( Raised by Travis Mayberry at http://lists.w3.org/Archives/Public/public-webcrypto-comments/2012Sep/0016.html ) The 13 September 2012 draft ( http://www.w3.org/TR/2012/WD-WebCryptoAPI-20120913/ ) includes support for PKCS#1 v1.5 modes of encryption and signing (RSAES and RSASSA). These modes are frequently subject to implementation errors that permit padding oracle attacks. Travis suggests: "I would suggest then that a note be put in emphasizing it should be used carefully and that OAEP is the better choice if you are not forced to use PKCS#1. My main concern is that a developer, upon deciding to use this API but not being familiar with the issues we are discussing, will simply pick one of the two at random and potentially open himself up to an attack that could have easily been avoided. " 111936 1 watsonm 2014-09-22 17:34:31 +0000 I believe this is a subset / dup of 25607. Resolve dup ? 112330 2 watsonm 2014-09-26 23:39:47 +0000 *** This bug has been marked as a duplicate of bug 25607 ***