On Wed, Dec 21, 2016 at 11:58 PM, <[email protected]> wrote:

> Hi all,
>
> I already have reported the following issue in the bug tracking system and
> now have been told that the bug has been closed and that I should put it
> for discussion here.
>
> Please note that I am in no way a security expert, so please don't blame me
> if the following is wrong. But I am sort of a technical person and
> eventually have understood the key points when it comes to SSL / TLS. So
> here we go:
>
> I have read several articles and white papers about what SSL / TLS ciphers
> are considered secure by cryptography experts. A short summary:
>
> 1) To enable forward secrecy, the key exchange should be done via
> "ephemeral" methods (those with "E" at the end of their names, e.g. DHE or
> ECDHE).
>
> 2) AES in GCM mode should be used as payload encryption method.
>
> 3) Elliptic curves should NOT be used, at least not the curves from NIST,
> because they are suspected (some even say: known) to be poisoned
> intentionally by several sorts of mechanisms. This means that all
> ECDHE... ciphers are out of the game.
>

I don't believe that this claim reflects the consensus of the security
community.

In any case, as Kurt Roeckx observes, Firefox currently supports the new
non-NIST CFRG curves.

-Ekr

> 4) SHA256 or higher is considered safe enough to be used as hashing /
> digest method.
>
> Firefox does not offer a single cipher which fulfills all of these
> criteria.
>
> Steps to reproduce:
>
> In Firefox, open "about:config". Type "SSL3" into the search box to view
> the list of available SSL / TLS ciphers.
>
> Actual result:
>
> There is no cipher which fulfills all of the criteria mentioned above.
> Notably, all ciphers which use AES-GCM also use the contaminated ECDHE for
> key exchange; there is no cipher which offers AES-GCM and the secure DHE
> key exchange.
>
> Expected / desired result:
>
> There should at least be one cipher in the list which fulfills the
> criteria mentioned above, i.e. something like that:
>
> security.ssl3.dhe_rsa_aes_256_gcm_sha384
>
> (note the dhe ... instead of ecdhe ...).
>
> Personally, I am considering that as a very serious security problem. The
> fact that other browsers might have the same problem does not change
> anything about that.
>
> I hereby propose that Mozilla enables at least one cipher like
> dhe_rsa_aes_256_gcm_sha384 as fast as possible.
>
> Regards,
>
> Binarus
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>