My colleague Julien Vehent and I are in the process of updating the Mozilla Server Side TLS documentation:

One of the topics of conversation was whether or not the Modern TLS configuration should prefer AES-256 over AES-128. Recently, there has been some doubt cast over the security of AES-128, between posts by security researchers like djb, as well as the recent decision by the NSA to recommend AES-256 over AES-128, due to its increased resistance against quantum cryptography:

The general consensus was to bring the conversation to the group prior to updating the standards either way. There hasn't been any claim that AES-128 is actually broken, but the idea behind the Modern guidelines is to stay ahead of the cryptographic research curve. One thing to keep in mind is that the Modern guidelines are intended for modern systems that don't require any kind of backwards compatibility or necessarily need to be friendly towards old, underpowered systems (such older smartphones).

For reference, this is the current state of preference order for the four major browser manufacturers: Firefox: AES-128-GCM > AES-256-CBC > AES-256-CBC (doesn't include AES-256-GCM in list of cipher suites) Chrome: AES-128-GCM > AES-256-CBC > AES-128-CBC (also does not request AES-256-GCM)
Safari: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
Edge: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC

Proposal for Modern:
AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC

If the general agreement is to move Modern to AES-256, it may also be worthwhile considering whether or when we move that recommendation down to the Intermediate level, which is intended for general purpose websites that don't have a need for backwards compatibility with very old clients (such as IE6/Win XP SP2).

dev-tech-crypto mailing list

Reply via email to