Paper 2017/1189

Return Of Bleichenbacher's Oracle Threat (ROBOT)

Hanno Böck, Juraj Somorovsky, and Craig Young


Many web hosts are still vulnerable to one of the oldest attacks against RSA in TLS. We show that Bleichenbacher’s RSA vulnerability from 1998 is still very prevalent on the Internet and affects almost a third of the top 100 domains in the Alexa Top 1 Million list, among them Facebook and Paypal. We identified vulnerable products from at least eight different vendors and open source projects, among them F5, Citrix, Radware, Cisco, Erlang, Bouncy Castle, and WolfSSL. Further, we have demonstrated practical exploitation by signing a message with the private key of’s HTTPS certificate. Finally, we discuss countermeasures against Bleichenbacher attacks in TLS and recommend deprecating the RSA encryption key exchange in TLS and the PKCS #1 v1.5 standard.

Note: Hopefully really last update, add Citrix advisory to bibliography.

Category: Public-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: RSA, TLS, public-key cryptography
Contact author(s): hanno @ hboeck de
History: 2017-12-12: received
License: Creative Commons Attribution


      author = {Hanno Böck and Juraj Somorovsky and Craig Young},
      title = {Return Of Bleichenbacher's Oracle Threat (ROBOT)},
      howpublished = {Cryptology ePrint Archive, Paper 2017/1189},
      year = {2017},
      note = {\url{}},
      url = {}