On Wed, Dec 21, 2016 at 11:58 PM, <[email protected]> wrote:

> Hi all,
>
> I already have reported the following issue in the bug tracking system and
> now have been told that the bug has been closed and that I should put it
> for discussion here.
>
> Please note that I am no way a security expert, so please don't blame me
> if the following is wrong. But I am sort of a technical person and
> eventually have understood the key points when it comes to SSL / TLS. So
> here we go:
>
> I have read several articles and white papers about what SSL / TLS ciphers
> are considered secure by cryptography experts. A short summary:
>
> 1) To enable forward secrecy, the key exchange should be done via
> "ephemeral" methods (those with "E" at the end of their names, e.g. DHE or
> ECDHE).
>
> 2) AES in GCM mode should be used as payload encryption method.
>
> 3) Elliptic curves should NOT be used, at least not the curves from NIST,
> because they are suspected (some even say: known) to be poisoned
> intentionally by several sorts of mechanisms. This means that all
> ECDHE... ciphers are out of the game.
>
I don't believe that this claim reflects the consensus of the security
community. In any case, as Kurt Roeckx observes, Firefox currently supports
the new non-NIST CFRG curves.

-Ekr

> 4) SHA256 or higher is considered safe enough to be used as hashing /
> digest method.
>
> Firefox does not offer a single cipher which fulfills all of these
> criteria.
>
> Steps to reproduce:
>
> In Firefox, open "about:config". Type "SSL3" into the search box to view
> the list of available SSL / TLS ciphers.
>
> Actual result:
>
> There is no cipher which fulfills all of the criteria mentioned above.
> Notably, all ciphers which use AES-GCM also use the contaminated ECDHE for
> key exchange; there is no cipher which offers AES-GCM and the secure DHE
> key exchange.
>
> Expected / desired result:
>
> There should at least be one cipher in the list which fulfills the
> criteria mentioned above, i.e. something like that:
>
> security.ssl3.dhe_rsa_aes_256_gcm_sha384
>
> (note the dhe ... instead of ecdhe ...).
>
> Personally, I am considering that as a very serious security problem. The
> fact that other browsers might have the same problem does not change
> anything about that.
>
> I hereby propose that Mozilla enables at least one cipher like
> dhe_rsa_aes_256_gcm_sha384 as fast as possible.
>
> Regards,
>
> Binarus
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
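As an added example (not part of the thread, and not Mozilla code), a small Python checker that parses Firefox-style security.ssl3.* cipher pref names into key exchange, authentication, cipher, mode and hash, and scores each against the four criteria quoted above. The pref list is constructed to resemble the about:config entries the post describes; the comment on criterion 3 records the point from Ekr's reply that an ECDHE suite name does not fix which curve is used.

```python
import re

# Firefox cipher prefs follow security.ssl3.<kex>[_<auth>]_<cipher>[_<mode>]_<hash>.
PREF_RE = re.compile(
    r"^(?:security\.ssl3\.)?"
    r"(?P<kex>ecdhe|dhe|rsa)"                   # bare "rsa" = static RSA key exchange, no PFS
    r"(?:_(?P<auth>rsa|ecdsa))?"                # authentication, present only on (EC)DHE suites
    r"_(?P<cipher>aes_128|aes_256|chacha20_poly1305)"
    r"(?:_(?P<mode>gcm))?"                      # no mode token means CBC (or AEAD for chacha20)
    r"_(?P<hash>sha|sha256|sha384)$"
)

def parse_suite(pref):
    """Split a Firefox cipher pref into its components; None if the name is unrecognised."""
    m = PREF_RE.match(pref.strip())
    if not m:
        return None
    parts = m.groupdict()
    parts["auth"] = parts["auth"] or "rsa"      # static RSA suites authenticate with RSA as well
    parts["mode"] = parts["mode"] or ("aead" if parts["cipher"] == "chacha20_poly1305" else "cbc")
    return parts

def evaluate(pref):
    """Score one suite against the four criteria from the post; None if unparseable."""
    p = parse_suite(pref)
    if p is None:
        return None
    return {
        "ephemeral_kex": p["kex"] in ("dhe", "ecdhe"),
        "aes_gcm": p["cipher"].startswith("aes") and p["mode"] == "gcm",
        # Criterion 3 as the post states it. A suite name never fixes the curve: the
        # curve is negotiated separately (TLS supported_groups), so a non-NIST curve
        # such as X25519 can back the very same ECDHE suites, which is Ekr's point.
        "no_ec": p["kex"] != "ecdhe",
        "sha256_or_better": p["hash"] in ("sha256", "sha384"),
    }

def suites_meeting_all(prefs):
    """Return the pref names that satisfy every one of the post's criteria."""
    return [pref for pref in prefs if (r := evaluate(pref)) and all(r.values())]

# Constructed sample, shaped like the about:config entries the post describes.
SAMPLE_PREFS = [
    "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",
    "security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384",
    "security.ssl3.dhe_rsa_aes_128_sha",
    "security.ssl3.rsa_aes_256_sha",
    "security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256",
]
```

Running suites_meeting_all(SAMPLE_PREFS) returns an empty list, matching the "Actual result" in the post; appending the proposed dhe_rsa_aes_256_gcm_sha384 pref is the only way to get a hit under all four criteria.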

