Proposal to Remove Legacy TLS Cipher Suites Offered by Firefox
I present a proposal to remove some vulnerable/deprecated/legacy TLS cipher suites from Firefox. I am not proposing the addition of any new cipher suites, a change of priority order, protocol removal, or any other change in functionality. I have read these proposed IETF drafts and am using them as guidance along with my experience:

https://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
https://tools.ietf.org/html/draft-sheffer-tls-bcp-01

These are the default available cipher suites in Firefox Aurora 28.0a2 on a Windows system:

C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0045 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
0038 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
0088 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
002F TLS_RSA_WITH_AES_128_CBC_SHA
0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA
0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
0005 TLS_RSA_WITH_RC4_128_SHA
0004 TLS_RSA_WITH_RC4_128_MD5

Now follows the reasoning for removing some of the cipher suites.

Apache/nginx (and possibly many other) configurations that establish Perfect Forward Secrecy (PFS) cipher suites will always have available a PFS cipher suite that contains AES. This means that the following cipher suites can be safely removed, also given their non-usage in real client-server connections:

C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Removing the above cipher suites also helps avoid some usage of 3DES (due to its low performance) and RC4 (due to its vulnerability).

DSS is obsolete and is not used for real client-server connections, hence the following cipher suites can be removed:

0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0038 TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Camellia cipher suites are little supported, a never-negotiated cipher, and not as well tested and reviewed as the AES cipher suites. The following cipher suites can be removed:

0045 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0088 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

The last remaining 3DES cipher suite should be removed for performance considerations and its legacy status:

000A TLS_RSA_WITH_3DES_EDE_CBC_SHA

The last remaining RC4 cipher suites should be removed due to their vulnerability:

0005 TLS_RSA_WITH_RC4_128_SHA
0004 TLS_RSA_WITH_RC4_128_MD5

RC4 cipher suites will likely soon be prohibited anyway if this proposal is accepted: https://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01

Overall, this means that the following cipher suites should be removed from the TLS handshake:

C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0045 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0038 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
0088 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
0005 TLS_RSA_WITH_RC4_128_SHA
0004 TLS_RSA_WITH_RC4_128_MD5

This would bring the cipher suite list down to:

C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
002F TLS_RSA_WITH_AES_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA

The positives of removing the listed cipher suites:

1) It makes the TLS handshake smaller, thus preventing some issues related to a long handshake.
2) It protects users from a misconfigured server cipher suite preference order, and thus no vulnerable RC4 cipher suites will be used.
3) It protects servers from a misconfigured server cipher suite preference order, and thus no performance hit will be incurred due to the use of 3DES.
4) It prevents the use of the little-reviewed Camellia cipher suites.
5) It prevents the use of retired DSS.

The possible negatives of the removal:

1) Some client-server connections might fail.

Suggested mitigation of the negatives: If the initial handshake fails, make it a silent failure and retry with a handshake that contains a larger set of cipher suites. This could also be accompanied with some non-blocking failure similar to how mixed-content
Re: Proposal to Remove Legacy TLS Cipher Suites Offered by Firefox
On Fri, Dec 13, 2013 at 10:48 PM, marlene.pr...@hushmail.com wrote:

> I present a proposal to remove some vulnerable/deprecated/legacy TLS cipher suites from Firefox. I am not proposing the addition of any new cipher suites, a change of priority order, protocol removal, or any other change in functionality.

Hi,

Thank you for suggesting these changes, and thank you for posting your message on the public mailing list. (I also appreciate the private email you sent me on the subject.)

I will comment on your proposal again later. However, I want to share with you some usage data from Firefox 28 Beta that I think we will find helpful in understanding what servers do. These numbers represent the cipher suite chosen by the server for 4,011,451 real-life full handshakes in Firefox 28 Beta.

First, here are the figures, sorted according to the order we offer the cipher suite in the ClientHello:

Cipher Suite                                  Count       %
-----------------------------------------------------------
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256       567,486  14.15%
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256     332,786   8.30%
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA           10,952   0.27%
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              0   0.00%
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA           19,472   0.49%
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              0   0.00%
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               0   0.00%
TLS_ECDHE_RSA_WITH_RC4_128_SHA               19,117   0.48%
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              4,601   0.11%
TLS_DHE_RSA_WITH_AES_128_CBC_SHA            226,177   5.64%
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA            44   0.00%
TLS_DHE_RSA_WITH_AES_256_CBC_SHA             23,319   0.58%
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA         1,088   0.03%
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA               557   0.01%
TLS_DHE_DSS_WITH_AES_128_CBC_SHA                  9   0.00%
TLS_DHE_DSS_WITH_AES_256_CBC_SHA                  0   0.00%
TLS_RSA_WITH_AES_128_CBC_SHA              1,053,521  26.26%
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                18   0.00%
TLS_RSA_WITH_AES_256_CBC_SHA                 36,203   0.90%
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 0   0.00%
TLS_RSA_WITH_3DES_EDE_CBC_SHA                 7,065   0.18%
TLS_RSA_WITH_RC4_128_SHA                  1,507,191  37.57%
TLS_RSA_WITH_RC4_128_MD5                    201,845   5.03%

Below are the same figures, sorted by frequency (most popular first). The final column is an indication, for the cipher suites you suggest removing, of whether I think this data offers strong evidence for the removal; Remove- means the data seems to contradict your recommendation, Remove? means more study is needed, and Remove+ means that the data supports your conclusion.

Cipher Suite                                  Count       %
-----------------------------------------------------------
TLS_RSA_WITH_RC4_128_SHA                  1,507,191  37.57%  Remove-
TLS_RSA_WITH_AES_128_CBC_SHA              1,053,521  26.26%  Remove-
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256       567,486  14.15%
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256     332,786   8.30%
TLS_DHE_RSA_WITH_AES_128_CBC_SHA            226,177   5.64%
TLS_RSA_WITH_RC4_128_MD5                    201,845   5.03%
TLS_RSA_WITH_AES_256_CBC_SHA                 36,203   0.90%
TLS_DHE_RSA_WITH_AES_256_CBC_SHA             23,319   0.58%
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA           19,472   0.49%
TLS_ECDHE_RSA_WITH_RC4_128_SHA               19,117   0.48%  Remove?
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA           10,952   0.27%
TLS_RSA_WITH_3DES_EDE_CBC_SHA                 7,065   0.18%  Remove-
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              4,601   0.11%  Remove?
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA         1,088   0.03%  Remove?
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA               557   0.01%  Remove?
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA            44   0.00%  Remove?
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                18   0.00%  Remove?
TLS_DHE_DSS_WITH_AES_128_CBC_SHA                  9   0.00%  Remove?
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              0   0.00%
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              0   0.00%
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               0   0.00%  Remove+
TLS_DHE_DSS_WITH_AES_256_CBC_SHA                  0   0.00%  Remove+
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 0   0.00%  Remove+

Your idea of offering a subset of cipher suites during the initial handshake, and then falling back to another handshake later, requires more discussion and more measurements to be done. I would like to do something similar to what you suggest.

Note that my Remove+/?/- comments should not be taken as an acceptance or rejection of your suggestions. I just want you to know my initial impression, based on a quick look at the data.

Cheers,
Brian

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
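Neither message carries code, so the following is an added example that is not part of the thread and not Firefox or NSS code. It applies the proposal's removal rule (drop DSS authentication and the RC4, 3DES and Camellia ciphers) to the Firefox 28 suite list, weighs the result against the server-chosen counts in the reply, and simulates the proposed "retry with a larger set" mitigation. The IANA-name parser, the simplified server-selection model and the constructed server configurations are assumptions of the example, not anything the thread states.

```python
"""Added example (not from the thread, Firefox or NSS): evaluate the proposal's
removal policy against the handshake counts posted in the reply. Suite names,
codepoints, policy and counts come from the thread; the parser and the fallback
simulation are this example's own constructions.
"""
from collections import namedtuple

Suite = namedtuple("Suite", "kex auth cipher hash")


def parse_suite(name):
    """Split an IANA name: TLS_<kex>_<auth>_WITH_<cipher>_<hash>.

    A bare 'RSA' before _WITH_ is RSA key transport (no forward secrecy);
    the last token is the MAC, or the PRF hash for AEAD (GCM) suites.
    """
    head, _, tail = name.partition("_WITH_")
    kx = head[len("TLS_"):].split("_")
    kex, auth = (kx[0], kx[1]) if len(kx) == 2 else ("RSA", "RSA")
    *cipher_parts, hash_alg = tail.split("_")
    return Suite(kex, auth, "_".join(cipher_parts), hash_alg)


# (codepoint, IANA name, times chosen by the server in 4,011,451 Firefox 28 Beta handshakes)
FIREFOX28_OFFER = [
    ("C02B", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 332_786),
    ("C02F", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 567_486),
    ("C009", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 0),
    ("C013", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 10_952),
    ("C00A", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 0),
    ("C014", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 19_472),
    ("C012", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 0),
    ("C007", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", 4_601),
    ("C011", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", 19_117),
    ("0033", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 226_177),
    ("0032", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 9),
    ("0045", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", 44),
    ("0039", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 23_319),
    ("0038", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 0),
    ("0088", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", 1_088),
    ("0016", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 557),
    ("002F", "TLS_RSA_WITH_AES_128_CBC_SHA", 1_053_521),
    ("0041", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", 18),
    ("0035", "TLS_RSA_WITH_AES_256_CBC_SHA", 36_203),
    ("0084", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", 0),
    ("000A", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 7_065),
    ("0005", "TLS_RSA_WITH_RC4_128_SHA", 1_507_191),
    ("0004", "TLS_RSA_WITH_RC4_128_MD5", 201_845),
]

LEGACY_CIPHERS = ("RC4", "3DES", "CAMELLIA")


def should_remove(name):
    """The proposal's rule: drop DSS authentication and RC4/3DES/Camellia ciphers."""
    s = parse_suite(name)
    return s.auth == "DSS" or s.cipher.startswith(LEGACY_CIPHERS)


def apply_policy(offer):
    """Return (kept, dropped) rows of the offer list, order preserved."""
    kept = [row for row in offer if not should_remove(row[1])]
    dropped = [row for row in offer if should_remove(row[1])]
    return kept, dropped


def affected_share(offer):
    """(gone, total, fraction) of handshakes whose server-chosen suite is dropped.
    Upper bound on breakage: such a server may also support a kept suite."""
    total = sum(count for _, _, count in offer)
    gone = sum(count for _, name, count in offer if should_remove(name))
    return gone, total, gone / total


def server_select(client_offer, server_supported, server_prefers=True):
    """Suite the server picks from the ClientHello, or None with no overlap."""
    first, second = (server_supported, client_offer) if server_prefers else (client_offer, server_supported)
    return next((s for s in first if s in second), None)


def connect_with_fallback(reduced, full, server_supported,
                          server_prefers=True, attacker_drops_first=False):
    """The proposal's mitigation: offer the reduced list, silently retry with the full one.
    Returns (chosen, used_fallback). attacker_drops_first models an active attacker
    failing the first handshake: the silent retry then re-enables the legacy suites."""
    if not attacker_drops_first:
        chosen = server_select(reduced, server_supported, server_prefers)
        if chosen is not None:
            return chosen, False
    return server_select(full, server_supported, server_prefers), True


if __name__ == "__main__":
    kept, dropped = apply_policy(FIREFOX28_OFFER)
    gone, total, share = affected_share(FIREFOX28_OFFER)
    print(f"dropped {len(dropped)}, kept {len(kept)}; {gone:,}/{total:,} = {share:.2%} handshakes affected")
    full = [n for _, n, _ in FIREFOX28_OFFER]
    small = [n for _, n, _ in kept]
    server = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]  # constructed: prefers RC4
    print(connect_with_fallback(small, full, server), connect_with_fallback(small, full, server, attacker_drops_first=True))
```

Two things the script makes visible that the tables alone do not: the rule reproduces the proposal's 13-suite removal list exactly, and about 43% of the sampled handshakes ended on a suite that list removes (almost all of them RC4 chosen by servers; the data does not say how many of those servers also offer AES, which is why the figure is only an upper bound on breakage). The fallback simulation also shows the caveat of the proposed mitigation: with the constructed RC4-preferring server, the reduced offer steers it to AES, but an attacker who can make the first handshake fail gets the silent retry, and with it the RC4 suite, back.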