Paul Hoffman wrote this message on Tue, Oct 22, 2013 at 08:26 -0700:
> This was posted last night by Viktor Dukhovni on the cryptography mailing
> list, but is certainly applicable here. Forwarded with Viktor's permission.
>
> ====================
>
> There have been many recent efforts to harden the cryptographic
> security of various systems. I would like to urge anyone considering
> taking steps in that direction to exercise due caution.
>
> Multiple recent attempts at improvement backfire in various ways:
>
> - RedHat has been under pressure for some time to enable EC support
> in their OpenSSL RPM package.
>
> * They finally relented and added EC support ~1 week ago. However,
> they quickly decided to play it safe and enable just the Suite-B
> curves: secp256r1, secp384r1 and no others.
>
> * They neglected to consider that the new libraries now
> happily negotiate EECDH key exchange TLS cipher-suites with
> servers that typically don't know of (or can't act on) the
> client's limitations.
>
> * At the same time newly hardened SMTP servers at gmx.de
> and other sites have "stronger" security by switching to
> secp521r1.
>
> # Result: SMTP TLS handshakes break, and more mail goes out in
> the clear!
>
> # With TLS, no EC is better than crippled EC.
>
> - GnuTLS sets aggressive client-side EDH prime-size lower bound.
>
> * Exim encounters interoperability problems and works-around
> the setting by allowing 1024-bit EDH in SMTP clients while
> using 2048-bit EDH in the server (which generally works for
> SMTP).
>
> * Debian decides to improve security in Exim and raises this
> to 2048-bits, breaking interoperability again.
>
> # Result: Since SMTP TLS is generally opportunistic, when
> TLS handshakes break, more mail is transmitted in the clear!
>
> - Some email administrators disable RC4 (enable only the OpenSSL "HIGH"
> ciphers) in opportunistic TLS. Many extant Microsoft Exchange servers
> support only RC4-SHA1, RC4-MD5 and 3DES (whose implementation is
> breaks post handshake in data transfer).
>
> # Result: TLS handshakes fail, and mail is sent in the clear.
>
> - There's lots of press about CRIME, BEAST, ... and some SMTP
> administrators configure their systems to prefer RC4 and
> avoid CBC ciphersuites.
>
> # The attacks in question are primarily HTTPS attacks,
> cryptanalysis of RC4 may well be the greater threat to SMTP.
Is anyone working on an interop spread sheet? Like limitations and
others... I was looking at sendmail's TLS and realized it did 1024
DH (server) and 512 DH (client), but increasing DH beyond 1024 is a
problem since Java can't handle 1024 bit DH...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
