On 2016-12-22 08:58, [email protected] wrote:
> Hi all,
>
> I already have reported the following issue in the bug tracking system and now
> have been told that the bug has been closed and that I should put it up for
> discussion here.
>
> Please note that I am in no way a security expert, so please don't blame me if the
> following is wrong. But I am sort of a technical person and eventually have
> understood the key points when it comes to SSL / TLS. So here we go:
>
> I have read several articles and white papers about what SSL / TLS ciphers are
> considered secure by cryptography experts. A short summary:
>
> 1) To enable forward secrecy, the key exchange should be done via "ephemeral" methods
> (those with "E" at the end of their names, e.g. DHE or ECDHE).
>
> 2) AES in GCM mode should be used as the payload encryption method.
>
> 3) Elliptic curves should NOT be used, at least not the curves from NIST,
> because they are suspected (some even say: known) to be poisoned intentionally
> by several sorts of mechanisms. This means that all ECDHE... ciphers are
> out of the game.

The elliptic curves can be used for both the authentication and the key exchange. For the authentication it would be the difference between RSA and ECDSA.

For the key exchange there are options like X25519 and X448. As far as I know, there is nothing suspicious about them. Firefox offers X25519 as the first curve.

For the authentication there will be Ed25519 and Ed448 in the future.

Disabling ECDSA support is something you might want to do, but you would then be unable to talk to people using only an ECDSA certificate.

> 4) SHA256 or higher is considered safe enough to be used as hashing / digest
> method.

There are different hashes being used, and depending on the use they might have different requirements. SHA1 might be safe to use for some of them.

Anyway, for TLS 1.3 Firefox currently offers the following ciphers in the following order:
- AES_128_GCM_SHA256
- CHACHA20_POLY1305
- AES_256_GCM_SHA384

Some of the other properties are not part of the cipher anymore, but I believe it's possible to have everything you want.

For the TLS 1.2 ciphers it offers, it has them in this order:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[...]

It does offer ciphers that support all your requirements by default. It will just depend on the server if it's going to use X25519 or not. And server support for that will currently be very low.


> There should at least be one cipher in the list which fulfills the criteria mentioned above, i.e. something like that:
>
> security.ssl3.dhe_rsa_aes_256_gcm_sha384

That, or you need to disable the ECDSA and nist curves for the key exchange instead.


Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
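The point Kurt makes above (in TLS 1.3, and for ECDHE suites in TLS 1.2, the curve and the signature scheme are not part of the cipher suite name, so whether X25519 or a NIST curve ends up being used depends on what the server negotiates) can be made concrete with a small checker. The code below is an added example written for this page; it is not code from the original post, from Firefox or from NSS. The IANA suite names are real; the negotiated group and signature-scheme values fed to the checker are constructed sample values, and the treatment of a TLS 1.2 ECDSA certificate as a NIST-curve certificate is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# NIST prime curves the original poster distrusts, and the groups the reply
# names as unsuspicious (Montgomery curves plus the RFC 7919 FFDHE groups).
NIST_CURVES = {"secp256r1", "secp384r1", "secp521r1"}
NON_NIST_GROUPS = {"x25519", "x448", "ffdhe2048", "ffdhe3072",
                   "ffdhe4096", "ffdhe6144", "ffdhe8192"}

# A TLS 1.2 name fixes key exchange, authentication, cipher and PRF hash.
TLS12_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)(?:_(?P<auth>ECDSA|RSA|DSS))?"
    r"_WITH_(?P<cipher>.+)_(?P<hash>SHA256|SHA384|SHA)$")
# A TLS 1.3 name fixes only the AEAD and the HKDF hash; group and signature
# scheme come from the supported_groups / signature_algorithms extensions.
TLS13_RE = re.compile(
    r"^TLS_(?P<cipher>AES_128_GCM|AES_256_GCM|CHACHA20_POLY1305|"
    r"AES_128_CCM(?:_8)?)_(?P<hash>SHA256|SHA384)$")


@dataclass(frozen=True)
class Suite:
    name: str
    tls13: bool
    key_exchange: Optional[str]    # None for TLS 1.3: negotiated separately
    authentication: Optional[str]  # None for TLS 1.3: negotiated separately
    cipher: str
    hash: str


def parse_suite(name: str) -> Suite:
    """Split an IANA cipher suite name into its components."""
    m = TLS13_RE.match(name)
    if m:
        return Suite(name, True, None, None, m["cipher"], m["hash"])
    m = TLS12_RE.match(name)
    if m:
        # "TLS_RSA_WITH_..." has no separate auth field: RSA does both jobs.
        return Suite(name, False, m["kx"], m["auth"] or m["kx"],
                     m["cipher"], m["hash"])
    raise ValueError("unrecognised cipher suite name: " + name)


def check_criteria(name: str, group: Optional[str] = None,
                   signature: Optional[str] = None) -> Dict[str, bool]:
    """Evaluate the thread's four criteria for one suite.

    group:     negotiated key-exchange group ("x25519", "secp256r1",
               "ffdhe2048", ...); None when unknown or not applicable.
    signature: negotiated TLS 1.3 signature scheme ("ed25519",
               "rsa_pss_rsae_sha256", "ecdsa_secp256r1_sha256", ...);
               ignored for TLS 1.2, where the name fixes authentication.
    A criterion is True only when the inputs confirm it, so an unknown group
    for an EC or TLS 1.3 key exchange fails criterion 3 instead of passing.
    """
    s = parse_suite(name)
    g = (group or "").lower()
    sig = (signature or "").lower()

    # 1) forward secrecy: ephemeral (EC)DHE; every TLS 1.3 exchange is ephemeral.
    ephemeral = s.tls13 or s.key_exchange in ("ECDHE", "DHE")
    # 2) AES in GCM mode as record protection (ChaCha20-Poly1305 fails this).
    aes_gcm = s.cipher.startswith("AES_") and s.cipher.endswith("_GCM")
    # 3) no NIST curve in the key exchange or in the authentication.
    if s.tls13 or s.key_exchange in ("ECDHE", "ECDH"):
        kx_ok = g in NON_NIST_GROUPS   # curve is negotiated: must be known
    else:
        kx_ok = True                    # RSA or finite-field DH: no curve
    if s.tls13:
        auth_ok = sig != "" and not sig.startswith("ecdsa")
    else:
        # Assumption: a TLS 1.2 ECDSA certificate is on a NIST curve.
        auth_ok = s.authentication != "ECDSA"
    # 4) SHA-256 or stronger as PRF/HKDF hash; a bare "SHA" suffix is SHA-1.
    hash_ok = s.hash in ("SHA256", "SHA384")

    return {"forward_secrecy": ephemeral, "aes_gcm": aes_gcm,
            "no_nist_curves": kx_ok and auth_ok, "sha256_or_better": hash_ok}


def meets_all(name: str, group: Optional[str] = None,
              signature: Optional[str] = None) -> bool:
    return all(check_criteria(name, group, signature).values())


def first_acceptable(suites: List[str], group: Optional[str] = None,
                     signature: Optional[str] = None) -> Optional[str]:
    """First suite in client preference order that meets all four criteria."""
    for name in suites:
        if meets_all(name, group, signature):
            return name
    return None


# Firefox preference order as quoted in the thread (IANA spellings).
FIREFOX_TLS13 = ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
                 "TLS_AES_256_GCM_SHA384"]
FIREFOX_TLS12_HEAD = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
REQUESTED = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"  # the suite the OP asked for

if __name__ == "__main__":
    # Constructed sample negotiations: same client list, two different servers.
    for grp, sig in (("x25519", "rsa_pss_rsae_sha256"),
                     ("secp256r1", "ecdsa_secp256r1_sha256")):
        print(grp, sig, "->", first_acceptable(FIREFOX_TLS13, grp, sig),
              first_acceptable(FIREFOX_TLS12_HEAD, grp))
    print("requested DHE suite meets all:", meets_all(REQUESTED))
```

Run against the quoted Firefox lists, the checker shows what the reply says: with a server that picks X25519 and an RSA or Ed25519 signature, the very first TLS 1.3 suite and the ECDHE_RSA TLS 1.2 suite already satisfy all four points, while the same client list yields nothing acceptable when the server picks secp256r1 or an ECDSA certificate. The DHE_RSA suite the original poster asked for passes regardless of negotiation because finite-field DH involves no curve, which is exactly why the alternative Kurt names is to disable ECDSA and the NIST groups rather than to add a suite.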