Given that Lucky 13 and other CBC attacks are more real (common, practical), Go's decision to lower their priority didn't seem unreasonable.
Collapsing a multi-dimensional protocol into an ordering requires some value judgement on how heavily to weigh each component; there isn't a single correct answer.

- sean

On Fri, Aug 26, 2022, 04:23 'Diana Tuck' via golang-nuts <golang-nuts@googlegroups.com> wrote:

> I guess I need to clarify what I was trying to say here - golang 1.17+
> claims that TLS_RSA_WITH_AES_128_GCM_SHA256 is more secure than
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. CBC-SHA256 doesn't have any
> countermeasures against Lucky13, but all of the SSL tools (testssl.sh,
> SSLLabs, etc.) claim the other way around because of ECDHE.
>
> So in intentionally handling the cipher ordering, it seems like this
> change unintentionally made things less secure, at least according to
> several other reputable security resources. Who's correct here?
>
> On Thursday, August 25, 2022 at 1:30:11 PM UTC-7 Diana Tuck wrote:
>
>> Yes, I'm aware it's intentional, but it causes a lower security grade on
>> SSLLabs <https://ssllabs.com/>.
>>
>> On Thu, Aug 25, 2022 at 1:20 PM 'Sean Liao' via golang-nuts <golan...@googlegroups.com> wrote:
>>
>>> This is intentional, see https://go.dev/issue/45430
>>>
>>> - sean
>>>
>>> On Thu, Aug 25, 2022, 19:07 'Diana Tuck' via golang-nuts <golan...@googlegroups.com> wrote:
>>>
>>>> Since upgrading to 1.17, in which the cipher order is determined by the
>>>> golang lib, clients that previously negotiated with more secure ciphers are
>>>> now using less secure ciphers.
>>>>
>>>> We see that Windows 7 and 8 clients can no longer negotiate using 0xc027
>>>> and are instead using 0x9c, which is lower in both of their preference
>>>> order.
>>>>
>>>> On 1.16, using testssl.sh, for example:
>>>>
>>>> IE 11 Win 7           TLSv1.2   ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
>>>> IE 11 Win 8.1         TLSv1.2   ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
>>>> IE 11 Win Phone 8.1   TLSv1.2   ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
>>>> IE 11 Win 10          TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
>>>>
>>>> And since upgrading to 1.17 (and 1.18):
>>>>
>>>> IE 11 Win 7           TLSv1.2   AES128-GCM-SHA256, No FS
>>>> IE 11 Win 8.1         TLSv1.2   AES128-GCM-SHA256, No FS
>>>> IE 11 Win Phone 8.1   TLSv1.2   ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
>>>> IE 11 Win 10          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
>>>>
>>>> Win 7 <https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%207&key=95>
>>>> and Win 8.1 <https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%208.1&key=134>
>>>> prefer 0xc027 over 0x9c, but now both negotiate using 0x9c.
>>>>
>>>> We could theoretically solve this by removing 0x9c from our supported
>>>> cipher suites to force the selection of 0xc027, but unfortunately we
>>>> need to keep supporting these older clients.
>>>>
>>>> I wanted to check here to see if anyone has any suggestions before
>>>> filing a bug, because in my opinion, the client cipher suite order
>>>> preference should be honored at the very least even if the server
>>>> preference is no longer honored.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "golang-nuts" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to golang-nuts...@googlegroups.com.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/golang-nuts/726cacb3-ddf3-4602-8455-4eae9889f236n%40googlegroups.com.
>>>
>>
>> --
>> Thank you,
>>
>> Diana Tuck
>> Software Engineer
>> +1 (919) 270-9838
>> diana...@elastic.co
>>
>> <https://www.elastic.co/>
>