e=3 is evil

RSA with an exponent of 3 (e=3) is a bad choice. If you want some background info read the FAQ. Check your keys.

Check your website's certificate (input domain name):

Check your e value (decimal integer):

Limitations

• Will probably fail for large e values that don't fit into 64 bit

Background info

RSA keys with very small exponents like e=3 are a risky choice. Recommendations and best practises to avoid very small exponents have been there for years. In 2014 six certificate authority included in mainstream browsers use e=3.

If everyone had migrated to safer values like e=65537 the recent BERserk vulnerability in Firefox and Chrome would have been a pretty boring bug. It's only a serious vulnerability with e=3.

• NIST SP 800-78-3 (2010) says e must be between 65537 and 2^256-1
• FIPS 186-3 (Digital Signature Standard) (2009) says e shall be odd and between 65537 and 2^256-1
• CA/Browser Forum Baseline Requirements 1.1.3 and later (2013) e shall be between 65537 and 2^256-1

This site is run by Hanno Böck.