This is my recommendation for changes to the supported cipher suites in Mozilla 
Firefox. I performed rigorous compatibility testing and everything works as 
advertised. I used Firefox telemetry data, SSL Pulse data, and my own tests to 
verify that *not a single* publicly accessible website would get handshake 
errors compared to today.

Firefox 45esr currently supports these cipher suites in this ordering:
C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
002F TLS_RSA_WITH_AES_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA
000A TLS_RSA_WITH_3DES_EDE_CBC_SHA

I recommend changing it to these in this ordering:
C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
002F TLS_RSA_WITH_AES_128_CBC_SHA
000A TLS_RSA_WITH_3DES_EDE_CBC_SHA

Reasoning:
1) Too many people put 256-bit CBC cipher suites at higher priority than 128-bit 
AEAD cipher suites because they don't know what they are doing.
2) 256-bit AES cipher suites have known issues compared to 128-bit AES cipher 
suites. It is not well studied yet how much those issues apply to the cipher 
suite implementation in TLS. Given that 256-bit GCM cipher suites will not be 
added to Firefox, it is better to disable 256-bit AES cipher suites completely.
3) DHE (not ECDHE) cipher suites are far too often implemented incorrectly, most 
often with default common DH primes, DH parameter reuse, or generally weak 
bit strength (equivalent to 1024-bit RSA, which is already considered insecure in 
Firefox). Hence it's better to remove support for DHE (not ECDHE) cipher suites 
rather than give a false sense of security.
4) Additionally, once ChaCha20 lands in Firefox, move it to the top.

If we wanted to be even more strict, we could change the supported cipher suites 
to these in this order:
C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
002F TLS_RSA_WITH_AES_128_CBC_SHA
000A TLS_RSA_WITH_3DES_EDE_CBC_SHA

Reasoning:
1) Still *not a single* publicly accessible website gets handshake errors 
compared to today - because we still have the two backwards compatible cipher 
suites (002f and 000a).
2) It puts additional pressure on server operators to support AEAD cipher suites 
if they want ECDHE cipher suites.

Overall, this once again limits the number of cipher suites in the wild, and 
makes it easier to remove supported weak cipher suites from server applications.

Additionally, Firefox 45esr currently supports these signature algorithms in 
this ordering:
SHA256/RSA, SHA384/RSA, SHA512/RSA, SHA1/RSA, SHA256/ECDSA, SHA384/ECDSA, 
SHA512/ECDSA, SHA1/ECDSA, SHA256/DSA, SHA1/DSA

I recommend changing it to these in this ordering:
SHA512/ECDSA, SHA512/RSA, SHA384/ECDSA, SHA384/RSA, SHA256/ECDSA, SHA256/RSA, 
SHA1/ECDSA, SHA1/RSA

Reasoning:
1) *not a single* publicly accessible website uses DSA (not ECDSA) signatures 
anymore.
2) This brings it in line with Chrome.
3) Ordering from strongest to weakest, as opposed to what it is today.

Additionally, Firefox 45esr currently supports these elliptic curves in this 
ordering:
secp256r1, secp384r1, secp521r1

I recommend removing support for secp521r1 since it is not supported in the 
wild, Chrome does not support it, and we should be moving away from secp curves 
to e.g. x25519. Once again, *not a single* publicly accessible website breaks 
with this change.

Thank you for your consideration.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

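The compatibility question the post keeps returning to (does any server lose the handshake, and what does each server end up negotiating once 256-bit and DHE suites are gone from the client list) can be checked mechanically. The following Python is an added example and is not code from the post or from Mozilla; it simulates TLS 1.2 cipher-suite selection between the three client lists quoted in the post and a handful of constructed server configurations (the server lists, their names, and the assumption that each server holds an RSA certificate are all made up for illustration). It reports which servers would fail outright and which merely move to a different suite, and whether that suite keeps forward secrecy and AEAD.

```python
"""
Added example (not from the post): simulate TLS 1.2 cipher-suite selection
between a client preference list and a server's configured list, so the effect
of a client-side change like the one proposed can be checked server by server.
The SERVERS table below is constructed for illustration, not measured.
"""

# Suite IDs and IANA names exactly as they appear in the post.
SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# The three client lists discussed in the post, in the stated order.
CURRENT_45ESR = [0xC02B, 0xC02F, 0xC00A, 0xC009, 0xC013, 0xC014,
                 0x0033, 0x0039, 0x002F, 0x0035, 0x000A]
PROPOSED = [0xC02B, 0xC02F, 0xC009, 0xC013, 0x002F, 0x000A]
STRICT = [0xC02B, 0xC02F, 0x002F, 0x000A]
CLIENT_LISTS = {"current": CURRENT_45ESR, "proposed": PROPOSED, "strict": STRICT}

# Constructed server configurations (hypothetical). An RSA certificate is
# assumed, so only RSA-authenticated suites are offered. Each mirrors a
# pattern the post argues about.
SERVERS = {
    "aead_first":   [0xC02F, 0xC013, 0xC014, 0x002F],                  # well configured
    "cbc256_first": [0xC014, 0x0039, 0x0035, 0xC013, 0x002F, 0x000A],  # reasoning point 1
    "dhe_for_fs":   [0x0039, 0x0033, 0x002F],                          # FS only via DHE (point 3)
    "aes256_only":  [0xC014, 0x0035],                                  # no 128-bit suite at all
}


def properties(suite_id):
    """Security-relevant properties derived from the IANA suite name."""
    name = SUITES[suite_id]
    return {
        "name": name,
        "forward_secrecy": name.startswith(("TLS_ECDHE_", "TLS_DHE_")),
        "aead": "_GCM_" in name,
        # effective key strength; 3DES is counted as 112 bits
        "key_bits": 256 if "AES_256" in name else 128 if "AES_128" in name else 112,
    }


def negotiate(client_prefs, server_prefs, server_preference=True):
    """Return the selected suite ID, or None when the two lists share no suite
    (the server would send a handshake_failure alert). Most servers apply
    their own order; pass server_preference=False to honour the client's."""
    order, offered = ((server_prefs, set(client_prefs)) if server_preference
                      else (client_prefs, set(server_prefs)))
    for suite in order:
        if suite in offered:
            return suite
    return None


def outcome(client_prefs, server_prefs):
    """Properties of the negotiated suite, or a failure record."""
    suite = negotiate(client_prefs, server_prefs)
    if suite is None:
        return {"name": None, "forward_secrecy": False, "aead": False, "key_bits": 0}
    return properties(suite)


def handshake_failures(client_prefs, servers=SERVERS):
    """Names of servers that would fail to negotiate with this client list."""
    return [name for name, prefs in servers.items()
            if negotiate(client_prefs, prefs) is None]


def report():
    """Print what each client list negotiates with each constructed server."""
    for sname, sprefs in SERVERS.items():
        print(sname)
        for cname, cprefs in CLIENT_LISTS.items():
            o = outcome(cprefs, sprefs)
            flags = ("FS" if o["forward_secrecy"] else "no-FS",
                     "AEAD" if o["aead"] else "CBC")
            chosen = o["name"] or "HANDSHAKE FAILURE"
            print(f"  {cname:9s} -> {chosen:45s} {' '.join(flags)}")
    for cname, cprefs in CLIENT_LISTS.items():
        print(f"{cname}: failures = {handshake_failures(cprefs)}")


if __name__ == "__main__":
    report()
```

Run as a script, the report shows the two outcomes a reviewer of such a change wants to separate: a server that offers nothing but 256-bit suites fails the handshake entirely, while a server that merely prefers 256-bit CBC or relies on DHE for forward secrecy still connects but lands on a different suite (128-bit ECDHE CBC under the proposed list, plain RSA AES-128 CBC under the strict list). Replacing the SERVERS table with lists gathered from real scan data turns this into the same kind of zero-breakage check the post describes.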