My colleague Julien Vehent and I are in the process of updating the
Mozilla Server Side TLS documentation:
https://wiki.mozilla.org/Security/Server_Side_TLS
One of the topics of conversation was whether or not the Modern TLS
configuration should prefer AES-256 over AES-128. Recently, there has
been some doubt cast over the security of AES-128, between posts by
security researchers like djb, as well as the recent decision by the
NSA to recommend AES-256 over AES-128, due to its increased resistance
against quantum cryptography:
http://blog.cr.yp.to/20151120-batchattacks.html
https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
The general consensus was to bring the conversation to the
dev.tech.crypto group prior to updating the standards either way.
There hasn't been any claim that AES-128 is actually broken, but the
idea behind the Modern guidelines is to stay ahead of the cryptographic
research curve. One thing to keep in mind is that the Modern
guidelines are intended for modern systems that don't require any kind
of backwards compatibility or necessarily need to be friendly towards
old, underpowered systems (such as older smartphones).
For reference, this is the current state of preference order for the
four major browser manufacturers:
Firefox: AES-128-GCM > AES-256-CBC > AES-256-CBC (doesn't include
AES-256-GCM in list of cipher suites)
Chrome: AES-128-GCM > AES-256-CBC > AES-128-CBC (also does not request
AES-256-GCM)
Safari: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
Edge: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
Proposal for Modern:
AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
If the general agreement is to move Modern to AES-256, it may also be
worthwhile considering whether or when we move that recommendation down
to the Intermediate level, which is intended for general purpose
websites that don't have a need for backwards compatibility with very
old clients (such as IE6/Win XP SP2).
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto