On 08/09/2013 04:30 AM, Brian Smith wrote:
Please see https://briansmith.org/browser-ciphersuites-01.html

First, this is a proposal to change the set of sequence of ciphersuites
that Firefox offers.

So I think there are a whole bunch of things where we have 2 options, and it's not always clear which is more important. We have:
- PFS or not
- ECC or not
- RSA or DSA
- GCM or CBC
- keysize (128 vs 256)
- cipher itself
- The used MAC

As far as I understand things, most of those don't have a big impact on security, but do on the speed.

I think it makes sense to have PFS when the other side supports it, so that part of the order looks good to me. We clearly want (EC)DHE when
possible.  DH should probably be avoided.

I understand that ECC might be more secure and is faster, so you want to prefer ECC. But currently there aren't many servers that have ECDHE yet, so we should be careful what the order is in case it's not available and try to use DHE in that case. The current list didn't do
that but this one does.

I'm not sure which of RSA and DSA is better, but clearly people use RSA more.

I understand that GCM is faster, but the implementations might have side channel attacks. So I'm not sure if GCM or CBC is better, but
we should probably prefer GCM or CBC.

I understand that for a 2048 bit public key a 128 bit symmetric key should be good enough, but for a 4096 you should have a larger key. I see that about 2% is using keys of 4096 bit.

As far as I understand it, there is nothing wrong with 3DES other than
that it's slower. RC4 should clearly be deprecated, but is currently popular because of BEAST and because it's the only stream cipher we have. Since we know we're not vulnerable to that, it makes sense to order this as late as possible.

It might not be obvious, but Camellia is currently used a lot when connecting to sites because it's the first non-ECDHE in the current list. And the RSA key-exchange was even before the DHE version.

I understand that the MAC itself doesn't make much difference, but we should probably avoid MD5. I see no SHA256 MACs except for GCM which
probably isn't a problem.

So I can mostly follow the reasoning behind the proposed order, but I'm
a little bit surprised that we used to have all the 256 bit before the 128 bit, and it's now the other way around. I don't really see this as a problem except for people that want to use 4096 bit public keys. They should probably disable 128 bit keys on their server.

I'm not sure why you keep
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
and drop
TLS_DHE_DSS_WITH_AES_256_CBC_SHA

I'm concerned that DHE_RSA_WITH_3DES_EDE_CBC_SHA is dropped, since it's the only one with PFS that some sites support. Can I suggest you add that before the ECDHE_*_RC4 ciphers?


Kurt
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
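The ordering argued in the message above can be written down as a sort key over IANA cipher-suite names, which makes it easy to check where a given suite such as TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA would land relative to the ECDHE_*_RC4 suites. The following is an added example, not code from Firefox, NSS or the proposal page. The tier values, the sample suite list and the decision to drop MD5 and anonymous-DH suites outright are my own assumptions, chosen to reflect the points made in the message rather than any published Firefox list.

```python
"""Rank TLS cipher suites by the preferences argued in the message above.

Added example; not Firefox/NSS code.  The tiers encode the thread's points:
(EC)DHE before plain RSA key exchange, ECDHE before DHE, static (EC)DH
last among accepted exchanges, AES before Camellia, 3DES only after the
AES/Camellia suites, RC4 last regardless of PFS, GCM before CBC, 128-bit
before 256-bit, and anything using MD5 or anonymous DH dropped entirely
(the anon/MD5 rejection is my assumption, not something the thread decides).
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: IANA-style suite names of the kinds the thread discusses.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
]

# Assumed tiers (lower = preferred).
KX_RANK = {"ECDHE": 0, "DHE": 1, "RSA": 2, "ECDH": 3, "DH": 3}
CIPHER_RANK = {"AES": 0, "CAMELLIA": 1, "3DES": 2, "RC4": 3}
MODE_RANK = {"GCM": 0, "CBC": 1, "STREAM": 2}
AUTH_RANK = {"RSA": 0, "ECDSA": 0, "DSS": 1}


def parse_suite(name: str) -> Optional[Dict[str, Any]]:
    """Split an IANA suite name into its components; None if unrecognised."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return None
    kx_part, cipher_part = name[len("TLS_"):].split("_WITH_", 1)
    kx_tokens = kx_part.split("_")
    kx = kx_tokens[0]
    auth = kx_tokens[1] if len(kx_tokens) > 1 else kx  # TLS_RSA_* signs with RSA
    tokens = cipher_part.split("_")
    mac, body = tokens[-1], tokens[:-1]
    if body[0] == "3DES":
        # 3DES_EDE_CBC carries no bit count; 112 is the effective strength.
        cipher, bits, mode = "3DES", 112, body[-1]
    else:
        cipher = body[0]
        bits = int(body[1])
        mode = body[2] if len(body) > 2 else "STREAM"  # RC4_128 has no mode token
    return {"kx": kx, "auth": auth, "cipher": cipher, "bits": bits,
            "mode": mode, "mac": mac}


def score(name: str) -> Optional[Tuple[int, ...]]:
    """Sort key for an accepted suite, or None for suites dropped outright."""
    s = parse_suite(name)
    if s is None or s["auth"] == "anon" or s["mac"] == "MD5":
        return None
    if s["kx"] not in KX_RANK or s["cipher"] not in CIPHER_RANK \
            or s["mode"] not in MODE_RANK:
        return None
    return (
        1 if s["cipher"] == "RC4" else 0,   # RC4 after everything else, PFS or not
        1 if s["cipher"] == "3DES" else 0,  # 3DES after the AES/Camellia suites
        KX_RANK[s["kx"]],                   # ECDHE, then DHE, then RSA, then static DH
        CIPHER_RANK[s["cipher"]],
        MODE_RANK[s["mode"]],               # GCM before CBC
        0 if s["bits"] <= 128 else 1,       # 128-bit before 256-bit
        0 if s["mac"] != "SHA" else 1,      # SHA-2 MAC before SHA-1 as a tie-break
        AUTH_RANK.get(s["auth"], 2),        # RSA/ECDSA before DSS as a tie-break
    )


def order_suites(names: List[str]) -> List[str]:
    """Return the accepted suites in preference order."""
    scored = [(score(n), n) for n in names]
    return [n for _, n in sorted((k, n) for k, n in scored if k is not None)]


def dropped_suites(names: List[str]) -> List[str]:
    """Suites rejected by score(), in input order."""
    return [n for n in names if score(n) is None]


if __name__ == "__main__":
    for i, suite in enumerate(order_suites(SAMPLE_SUITES), 1):
        print(f"{i:2d}. {suite}")
    print("dropped:", ", ".join(dropped_suites(SAMPLE_SUITES)))
```

Running it on the constructed sample puts the ECDHE AES suites first, then DHE and RSA AES/Camellia, then TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, and the ECDHE RC4 suite last, which is the placement Kurt asks for; the first two tuple positions are what force RC4 and 3DES behind the AES suites even when they have PFS.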