On Fri, Dec 23, 2016 at 1:53 AM, <[email protected]> wrote:

> Eric,
>
> > I don't believe that this claim reflects the consensus of the security
> > community.
>
> As far as I have understood, the consensus is that there are bad
> (insecure) ECs (those from NIST which seem to be intentionally weakened /
> broken by various tricks) and  good (secure) ECs (e.g. Ed25519).
>

I don't think this really accurately reflects the consensus of the security
community, which is why all the major stacks continue to support the major
NIST prime curves (P-256 and P-384). I do think the consensus is that the
new curves are better (faster and easier to implement correctly) which is
why stacks have added them.


> In any case, as Kurt Roeckx observes, Firefox currently supports the new
> > non-NIST CFRG curves.
>
> Yes, and this is good news I didn't know about yet. I now only can hope
> that I will be able to configure my web server to offer ECDHE, but only the
> secure curves.
>
> The question remains why FF doesn't offer ciphers like
> dhe_rsa_aes_256_gcm_sha384. That would indeed allow administrators to turn
> off EC on their web servers completely. They then could easily configure a
> very secure web server without thinking about good and bad EC curves (which
> might be beyond the average part time administrator's knowledge anyway).
>

The consensus of the security community is to move people away from finite
field DH and towards ECDHE, so we're deemphasizing those cipher suites.
Chrome doesn't support them at all. FWIW, in TLS 1.3, group selection and
symmetric cipher are orthogonal so you will be able to use FFDH with any
cipher.

-Ekr




>
> Binarus
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to