On Tue, Jul 1, 2014 at 7:15 PM, Julien Pierre <[email protected]>
wrote:

> On 7/1/2014 14:05, Brian Smith wrote:
>
>> I think, in parallel with that, we can figure out why so many sites are
>> still using TLS_ECDHE_*_WITH_RC4_* instead of TLS_ECDHE_*_WITH_AES* and
>> start the technical evangelism efforts to help them. Cheers, Brian
>>
> The reason for sites choosing RC4 over AES_CBC might be due to the various
> vulnerabilities against CBC mode, at least for sites that support TLS 1.0.
> I think a more useful form of evangelism would be to get sites to stop
> accepting SSL 3.0 and TLS 1.0 protocols.
>

Servers that cannot, for whatever reason, support the AES-GCM cipher
suites, should be changed to prefer AES-CBC cipher suites over RC4-based
cipher suites at least for TLS 1.1 and later.

Most sites are not going to stop accepting SSL 3.0 and/or TLS 1.0 any time
soon, because they want to be compatible with Internet Explorer on Windows
XP and other software that doesn't support TLS 1.1+.

However, in the IETF, there is an effort, spearheaded by our friends at
Google, for solving the downgrade problem:
http://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

This simple feature, if implemented by the browser and by the server,
allows the server to recognize that the browser has tried a non-secure
downgrade to a lower version of TLS. Once the server recognizes that, the
server can reject the downgraded connection. The net effect is that,
assuming modern browsers quickly add support for this mechanism, the server
can ensure that it only uses CBC cipher suites with modern browsers over
TLS 1.1 or later and that it never uses RC4-based cipher suites with modern
browsers (in conjunction with the "prefer AES-CBC cipher suites over RC4
cipher suites" change I suggest above).

However, it is likely that crypto libraries that make the two changes above
will also have support for TLS_ECDHE_*_WITH_AES_*_GCM cipher suites too.
So, I hope that they also enable TLS_ECDHE_*_WITH_AES_*_GCM at the same
time they deploy these changes.

FWIW, I filed bugs [1][2] for adding support for
draft-ietf-tls-downgrade-scsv-00 to NSS, Gecko, and Firefox.

Cheers,
Brian

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1036737
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1036735
-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
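The mechanism Brian describes above, modelled as server-side logic, as an added example that is not part of the thread and not NSS, Gecko or Firefox code. It assumes the signaling value 0x5600 and the inappropriate_fallback alert (86) as the draft later standardized them in RFC 7507, uses the IANA identifiers for one ECDHE suite of each family named in the thread, and treats the version-dependent suite ordering (GCM on TLS 1.2, CBC ahead of RC4 from TLS 1.1 up, RC4 first on older versions) as an assumed policy rather than anything the post prescribes. The fallback client loop and the "blocked above version X" scenario are constructed to show the server's view: a retry that carries the SCSV at a version below the server's best is refused, while a genuinely old client without the SCSV is still served.

```python
"""Server-side model of TLS_FALLBACK_SCSV handling (draft-ietf-tls-downgrade-scsv,
later published as RFC 7507) combined with a version-dependent cipher suite
preference.  Illustrative code written for this post; not NSS or Gecko code.
The suite ordering in server_preference() is an assumed policy."""

# Protocol version numbers as carried in ClientHello.client_version.
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303

# Signaling cipher suite value and alert numbers (values from RFC 7507 / RFC 5246).
TLS_FALLBACK_SCSV = 0x5600
INAPPROPRIATE_FALLBACK = 86
HANDSHAKE_FAILURE = 40

# IANA cipher suite identifiers, one per suite family discussed in the thread.
AES_GCM = 0xC02F  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
AES_CBC = 0xC013  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
RC4 = 0xC011      # TLS_ECDHE_RSA_WITH_RC4_128_SHA

# Suites a modern client offers, in its own preference order (constructed sample).
CLIENT_SUITES = [AES_GCM, AES_CBC, RC4]


def server_preference(version):
    """Assumed server policy: AES-GCM requires TLS 1.2; from TLS 1.1 up, AES-CBC is
    preferred over RC4; on TLS 1.0 / SSL 3.0 RC4 stays first because the CBC
    weaknesses mentioned in the thread apply to those versions."""
    if version >= TLS_1_2:
        return [AES_GCM, AES_CBC, RC4]
    if version >= TLS_1_1:
        return [AES_CBC, RC4]
    return [RC4, AES_CBC]


def handle_client_hello(client_version, client_suites, server_max_version=TLS_1_2):
    """Return ("alert", number) or ("ok", negotiated_version, suite).

    The SCSV check is the whole mechanism: a client sends TLS_FALLBACK_SCSV only
    on a retry after a failed higher-version attempt, so if it arrives with a
    version below the server's best, the earlier attempt failed for a reason the
    server did not cause, and the downgraded connection is refused."""
    if TLS_FALLBACK_SCSV in client_suites and client_version < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    version = min(client_version, server_max_version)
    for suite in server_preference(version):
        if suite in client_suites:
            return ("ok", version, suite)
    return ("alert", HANDSHAKE_FAILURE)


def simulate_fallback(server_max_version, blocked_above):
    """Model of a browser's version-fallback loop: try TLS 1.2 first, step down
    after a failed handshake, and mark every retry with TLS_FALLBACK_SCSV.
    `blocked_above` is a constructed stand-in for something on the path that
    leaves ClientHellos above that version unanswered.  Returns the list of
    (version, outcome) attempts as the server would observe them."""
    attempts = []
    for version in (TLS_1_2, TLS_1_1, TLS_1_0):
        # First attempt carries no SCSV; every subsequent attempt is a fallback.
        suites = CLIENT_SUITES + ([TLS_FALLBACK_SCSV] if attempts else [])
        if version > blocked_above:
            attempts.append((version, ("timeout",)))
            continue
        attempts.append((version, handle_client_hello(version, suites, server_max_version)))
        break
    return attempts


if __name__ == "__main__":
    # Retry at TLS 1.0 against a TLS 1.2 server is refused with alert 86.
    print(simulate_fallback(TLS_1_2, blocked_above=TLS_1_0))
    # Undisturbed path: TLS 1.2 with AES-GCM on the first attempt, no SCSV sent.
    print(simulate_fallback(TLS_1_2, blocked_above=TLS_1_2))
    # Legacy client that never offers the SCSV is still served on TLS 1.0.
    print(handle_client_hello(TLS_1_0, [AES_CBC, RC4]))
```

The check lives entirely on the server, which is why the post pairs it with the suite-ordering change: once fallback hellos are rejected, a TLS 1.0 or SSL 3.0 handshake from a modern browser can only be a genuine fallback and never reaches cipher selection, so the CBC-preferring order for TLS 1.1+ is what modern clients actually get.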