Torsten Gigler wrote:
> Hi,
>
> I'd like to suggest to discuss about the policy of selecting the ciphers and
> bringing them into a proposed order, when discussing about a new cipher string.
> This is about like Gunnar wrote today. The String building is a different
> issue...
>
> Well, my favorite 2 cents about the policy could be found here:
> https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_and_Cipher_Configuration
> E.g. I'd favor GCM over CBC regardless of the cipher size (of the same
> algorithm).

It's actually not that easy. While some recent attacks against TLS work well for HTTP - most of them would not work well with other application layer protocols. For example: attacks that rely on JavaScript to send back data en masse.

Aaron
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
