Skip to main content

Is SecureAuth IdP Impacted by the ROBOT Attack Vulnerability?

Vulnerability Description

In December 2017, Hanno Böck, Juraj Somorovsky, and Craig Young wrote a research paper titled “Return of Bleichenbacher’s Oracle Threat (ROBOT)” that explains how an HTTPS hosts can still be vulnerable to the original 1998 Bleichenbacher attack. The ROBOT Attack targets a weakness in the PKCS #1 v1.5 RSA encryption standard that lets an attacker obtain a secured website’s private key within a brief timespan.

Applies to

SecureAuth IdP Version

OS Version


  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012 R2

Exposure and Impact to SecureAuth IdP Customers

ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic-curve Diffie-Hellman key exchange and only require RSA for signatures. SecureAuth IdP Appliances already prioritize modern cryptography ciphers in the product which mitigates the attack. This assurance has been confirmed by using scanning tools provided by researchers at The ROBOT Attack.


While SecureAuth IdP Appliances prioritize modern cryptography, connections from RSA ciphers are still allowed for compatibility with legacy software solutions.

SecureAuth recommends disabling RSA encryption entirely (ciphers starting with TLS_RSA) to ensure full resolution of the vulnerability. Internet-wide metrics show this setup should have minimal impact on browser compatibility.

In addition, SecureAuth strongly recommends auditing your network for compatibility before implementing the suggested configuration changes.