Kurt,

Thanks for your suggestions.

On Sat, Dec 14, 2013 at 12:46 PM, Kurt Roeckx <k...@roeckx.be> wrote:
> I think we need to come up with a plan to improve security in the
> long run. I think what we would like to see in general is:
> - Only SHA256 or better (and so TLS 1.2)

This is gated almost purely on servers actually switching to SHA-2 certs and TLS 1.2. See https://bugzilla.mozilla.org/show_bug.cgi?id=942515, which is related to this. I think it makes sense to revisit this after we figure out exactly what we're doing with SHA-1-based certificates, because it doesn't make sense to plan to go "SHA-2 only" until that happens. So, we're talking about something after 2017. We (the Mozilla community) could help coordinate a push for servers to upgrade, but there's not much actionable we can do now, AFAICT, except to advocate for improvements by servers and to fix any bugs that impair that switchover.

> - Only 2048 bit public, 128 bit symmetric, 256 bit elliptic, or
> better.

Approximately 1.5% of Fx26 full handshakes that use RSA certs use keys smaller than 2048 bits. So, enforcing the 2048 bit limit is not going to be a simple thing to do for a while, even though we want to do it soon. We can enforce the 256 bit limit on ECC now, though, because literally everybody seems to be using the P-256 curve. (This actually makes me wonder if the P-384 support even works, since not a single handshake in Firefox 26 used it.)

I think that it is a good idea for us to advocate for server admins and server software makers to do the things you suggest, but it is unlikely that browsers will be able to force the issue on all those things by limiting what they accept.

Note that the server-side people at Mozilla have put together some recommendations that could benefit from some review: https://wiki.mozilla.org/Security/Server_Side_TLS

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
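The thread talks about a floor of RSA >= 2048 bits, EC >= 256 bits and SHA-256-or-better signatures. Below is an added example (not part of the thread, and not NSS/PSM code) that applies exactly that floor to a DER-encoded certificate with a minimal stdlib-only ASN.1 decoder, so it runs without the `cryptography` package. The thresholds, the OID tables and the `policy_findings` reporting format are my choices; the certificates it checks are constructed inline with a tiny DER encoder and fake key material (dummy names, zero signature), so nothing here is a real certificate or key.

```python
"""Flag certificates below the RSA-2048 / EC-256 / SHA-256 floor.

Added example: stdlib-only DER parsing; sample certificates are constructed
below with placeholder fields and fake key material (not real certs).
"""
MIN_RSA_BITS, MIN_EC_BITS = 2048, 256
RSA_ENC, EC_PUB = "1.2.840.113549.1.1.1", "1.2.840.10045.2.1"
SIG_HASH = {  # signature algorithm OID -> hash name
    "1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256", "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512", "1.2.840.10045.4.1": "sha1",
    "1.2.840.10045.4.3.2": "sha256", "1.2.840.10045.4.3.3": "sha384",
    "1.2.840.10045.4.3.4": "sha512",
}
CURVE_BITS = {"1.2.840.10045.3.1.7": 256, "1.3.132.0.34": 384,
              "1.3.132.0.35": 521, "1.3.132.0.33": 224}
WEAK_HASHES = {"md5", "sha1"}

# --- minimal DER decoding ---------------------------------------------------
def read_tlv(buf, off=0):
    """Return (tag, value, offset_after) for the TLV starting at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def children(body):
    """Split a constructed value into its (tag, value) elements."""
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, cur = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """Return key type, key size in bits and signature hash of a DER cert."""
    _, cert, _ = read_tlv(der)
    (_, tbs), (_, sig_alg), _ = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]                # serial, sigalg, issuer, validity, subject, SPKI
    (_, alg), (_, pubkey) = children(spki)
    alg_items = children(alg)
    key_oid = decode_oid(alg_items[0][1])
    info = {"sig_hash": SIG_HASH.get(decode_oid(children(sig_alg)[0][1]), "unknown")}
    if key_oid == RSA_ENC:
        _, rsa_pub, _ = read_tlv(pubkey[1:])   # skip BIT STRING unused-bits byte
        modulus = children(rsa_pub)[0][1]
        info.update(key_type="RSA", key_bits=int.from_bytes(modulus, "big").bit_length())
    elif key_oid == EC_PUB:            # named curve sits in the algorithm parameters
        info.update(key_type="EC", key_bits=CURVE_BITS.get(decode_oid(alg_items[1][1]), 0))
    else:
        info.update(key_type="unknown", key_bits=0)
    return info

def policy_findings(der):
    """List of policy violations; an empty list means the cert passes."""
    i, out = inspect_cert(der), []
    if i["key_type"] == "RSA" and i["key_bits"] < MIN_RSA_BITS:
        out.append(f"RSA key {i['key_bits']} < {MIN_RSA_BITS} bits")
    if i["key_type"] == "EC" and i["key_bits"] < MIN_EC_BITS:
        out.append(f"EC key {i['key_bits']} < {MIN_EC_BITS} bits")
    if i["key_type"] == "unknown":
        out.append("unrecognised key algorithm")
    if i["sig_hash"] in WEAK_HASHES or i["sig_hash"] == "unknown":
        out.append(f"signature hash {i['sig_hash']} weaker than SHA-256")
    return out

# --- constructed samples: tiny DER encoder, placeholder fields, fake keys ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body
def _seq(*items): return _tlv(0x30, b"".join(items))
def _int(n): return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # keeps sign byte
def _oid(s):
    arcs = [int(x) for x in s.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)
def _bits(b): return _tlv(0x03, b"\x00" + b)

def fake_cert(sig_oid, spki):
    name = _seq(_tlv(0x31, _seq(_oid("2.5.4.3"), _tlv(0x0C, b"example"))))
    validity = _seq(_tlv(0x17, b"130101000000Z"), _tlv(0x17, b"140101000000Z"))
    alg = _seq(_oid(sig_oid), _tlv(0x05, b""))
    tbs = _seq(_tlv(0xA0, _int(2)), _int(1), alg, name, validity, name, spki)
    return _seq(tbs, alg, _bits(b"\x00" * 32))       # zero "signature": never verified here

def rsa_spki(bits):   # fake modulus with exactly `bits` bits, not a real key
    return _seq(_seq(_oid(RSA_ENC), _tlv(0x05, b"")),
                _bits(_seq(_int((1 << (bits - 1)) | 1), _int(65537))))
def ec_spki(curve):   # fake uncompressed point
    return _seq(_seq(_oid(EC_PUB), _oid(curve)), _bits(b"\x04" + b"\x11" * 64))

SAMPLES = {
    "rsa1024_sha1": fake_cert("1.2.840.113549.1.1.5", rsa_spki(1024)),
    "rsa2048_sha256": fake_cert("1.2.840.113549.1.1.11", rsa_spki(2048)),
    "p256_sha256": fake_cert("1.2.840.10045.4.3.2", ec_spki("1.2.840.10045.3.1.7")),
    "p224_sha256": fake_cert("1.2.840.10045.4.3.2", ec_spki("1.3.132.0.33")),
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(name, inspect_cert(der), policy_findings(der) or "OK")
```

To run it against a real server chain, feed `policy_findings` the DER bytes of each certificate (for example from `ssl.SSLSocket.getpeercert(binary_form=True)`); the decoder only walks the fields it needs, so it does not validate the chain or the signature, which is deliberately out of scope here.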