AFAIK one of the reasons DHE was dropped was that 1024-bit DHE was common. Java used to hardcode 768-bit DHE.

________________________________________
From: dev-security-policy <dev-security-policy-bounces+yuhongbao_386=hotmail....@lists.mozilla.org> on behalf of [email protected] <[email protected]>
Sent: Friday, December 23, 2016 4:41:48 PM
To: [email protected]
Subject: Re: Firefox 50.1.0 still does not offer any secure SSL / TLS ciphers
Eric,

> Yes, I'm quite familiar with this document, which was an input to the CFRG process which was selecting a new curve (which resulted in X25519 and X448). As the NIST curves already existed, it really wouldn't be sensible to document requirements for selecting them.
>
> As far as the authors of that RFC go, I agree that they know what they are talking about, but that's not evidence in favor of your argument. Specifically:
>
> - They are all members of the TLS WG, which put P-256 and P-384 into TLS 1.3 (Sean is the Chair)
> - Adam works on BoringSSL at Google and both Chrome and Google support P-256 (and disfavor DHE) though they prefer X25519
> - Rich works on OpenSSL, which also supports the NIST curves.
>
> Here's what Adam Langley says specifically about P256:
> https://www.ietf.org/mail-archive/web/tls/current/msg12967.html
> (the quoted section is Mike St Johns).
>
> "> AFACT, one of the main reasons for looking at Curve25519 (possibly more important than performance or security) is that there is a fear that the US Government has placed trapdoors in the current set of curves (NIST P256, P384, P521 etc).
>
> Although some certainly subscribe to that, my main motivation for moving away from P-{256,384} is that they simply aren't good curves. They are difficult to implement correctly and have many pitfalls. Elliptic curve design has advanced significantly since then."
>
> I don't think anyone is debating that we should prefer X25519 to P256, and NSS does so, but that's far from meaning that the world would be a better place if we deprecated P256 in favor of FFDHE.
>
> You are of course free to continue to believe whatever you like.

Well, I am a little bit stubborn by nature, but not when it comes to learning new facts about technical subjects. Thus, I am saying thanks again for illustrating how everything relates.
So everybody agrees that we should prefer 25519 over the other curves which are currently in use (which, by the way, is a thing I had learned a while ago when securing my SSH daemons - I just didn't know about FF's support for 25519 before opening this discussion). Given that, the reason why somebody prefers 25519 probably is not that important. Not everyone who believes that there are intentional weaknesses in the NIST curves seems to be a paranoid conspiracy theorist who ignores mathematics, and for sure, nobody who claims the opposite intentionally wants to harm security or to support government.

I didn't want to make the impression that the world would be better without elliptic curves. I just still can't understand why FF does not offer DHE with AES-GCM as an alternative. After all, it is supporting DHE with AES-non-GCM, so why not support it with AES-GCM as well? What is the advantage of dropping DHE (which seems to have become the policy)?

Solely from looking at the discussion we now had, IMHO it becomes clear that it is nearly impossible for an average part-time administrator even to understand that there are different curves, let alone which of them he should choose, and let alone how he could configure his servers. Don't underestimate the fact that you are an expert, but in the real world, most web servers (nearly all in small organizations) are administered part-time by persons who won't understand anything of the stuff we have discussed here, not because they are stupid, but because their actual job is another one, and thus, they are allowed to dedicate only a few hours per month to checking, upgrading and improving the security of the web server.
So, no, the world wouldn't be better without EC, but it perhaps would be somehow easier if we had DHE as an alternative (as a side note, not being totally inexperienced with Debian, I have been failing for a complete working day now in making Apache run with OpenSSL and ECDHE in a way that 25519 is used; I think I will be able to solve this, but I don't know how long it will take).

But now to something completely different: Merry Xmas and a happy new year!

Regards,

Binarus
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
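Two practical points come out of this exchange: Yuhong's remark that small (768/1024-bit) DHE groups were common in the wild, and Binarus's trouble getting Apache/OpenSSL to negotiate X25519. The script below is an added example, not something posted by either of them or shipped by Mozilla, Apache or OpenSSL. It prints an Apache 2.4 mod_ssl fragment that puts X25519 first and pins an explicit 2048-bit DH group for the DHE suites that remain (the directive names are the real `SSLOpenSSLConfCmd` ones; the file path and the exact cipher list are assumptions for illustration, and X25519 in TLS needs OpenSSL 1.1.0 or later on both ends), and it defines `classify_temp_key`, which grades the `Server Temp Key:` line that `openssl s_client` prints so a monthly check can flag a server that is still handing out a weak DH group. The sample lines at the bottom are constructed, not captured from any real host; the live-check function needs network access and is only there to show where the line comes from.

```shell
#!/bin/sh
# Added example (not from the thread): hardened key-exchange settings for
# Apache + OpenSSL, plus a grader for `openssl s_client` output.

# Apache 2.4 / mod_ssl fragment.  "Curves" and "DHParameters" are the
# SSLOpenSSLConfCmd names mod_ssl passes to OpenSSL's SSL_CONF_cmd; the
# path and the cipher list are assumptions, adjust to your site.
apache_ssl_snippet() {
cat <<'EOF'
# Prefer X25519, fall back to P-256 / P-384 for clients without it.
SSLOpenSSLConfCmd   Curves X25519:prime256v1:secp384r1
# Never let DHE fall back to a small default group: generate once with
#   openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048
SSLOpenSSLConfCmd   DHParameters "/etc/ssl/private/dhparam2048.pem"
SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256
EOF
}

# Grade one "Server Temp Key" line.  OpenSSL 1.0.2 prints
#   Server Temp Key: DH, 1024 bits
#   Server Temp Key: ECDH, P-256, 256 bits
# and OpenSSL 1.1.0+ prints X25519 as
#   Server Temp Key: X25519, 253 bits
# Output: weak-dh | ok-dh | ok-ecdh | preferred-x25519 | unknown
classify_temp_key() {
    line=$1
    case "$line" in
        *"Server Temp Key: DH,"*)
            # Finite-field DH: anything under 2048 bits is the case
            # Yuhong describes (768/1024-bit groups) and gets flagged.
            bits=$(printf '%s\n' "$line" | sed -n 's/.*DH, \([0-9]*\) bits.*/\1/p')
            if [ "${bits:-0}" -lt 2048 ]; then echo weak-dh; else echo ok-dh; fi ;;
        *"Server Temp Key: X25519"*|*"Server Temp Key: ECDH, X25519"*)
            echo preferred-x25519 ;;
        *"Server Temp Key: ECDH,"*)
            # A NIST curve (P-256/P-384): acceptable, X25519 preferred.
            echo ok-ecdh ;;
        *)
            echo unknown ;;
    esac
}

# Live check (needs network; not exercised by the samples below).
# Uses -servername so SNI-based vhosts answer with the right config.
check_host() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | grep 'Server Temp Key'
}

# Constructed sample lines, not captured from any real server.
for sample in \
    'Server Temp Key: DH, 1024 bits' \
    'Server Temp Key: DH, 2048 bits' \
    'Server Temp Key: ECDH, P-256, 256 bits' \
    'Server Temp Key: X25519, 253 bits'
do
    printf '%-42s -> %s\n' "$sample" "$(classify_temp_key "$sample")"
done
```

To confirm the Apache change took effect, run `check_host your.host.example` and expect `Server Temp Key: X25519, 253 bits`; if you instead see `DH, 1024 bits`, the DHParameters directive is not being applied and DHE clients are getting the weak group this thread is about. Forcing a particular exchange for a one-off test is also possible with `openssl s_client -cipher DHE` or `-curves X25519` on the client side.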

