I present a proposal to remove some vulnerable/deprecated/legacy TLS 
ciphersuites from Firefox. I am not proposing the addition of any new 
ciphersuites, changes to the priority order, protocol removal, or any other 
changes in functionality.

I have read these proposed IETF drafts and am using them as guidance along with 
my experience:
https://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
https://tools.ietf.org/html/draft-sheffer-tls-bcp-01

These are the default available ciphersuites in Firefox Aurora 28.0a2 on a 
Windows system:
C02B  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C009  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C00A  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C014  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
C012  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
C007  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
C011  TLS_ECDHE_RSA_WITH_RC4_128_SHA
0033  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0032  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0045  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0039  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
0038  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
0088  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
0016  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
002F  TLS_RSA_WITH_AES_128_CBC_SHA
0041  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
0035  TLS_RSA_WITH_AES_256_CBC_SHA
0084  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA
0005  TLS_RSA_WITH_RC4_128_SHA
0004  TLS_RSA_WITH_RC4_128_MD5

Now follows the reasoning for removing some of the ciphersuites.

Apache/nginx (and possibly many other) configurations that establish Perfect 
Forward Secrecy (PFS) ciphersuites will always have available a PFS ciphersuite 
that contains AES. This means that the following ciphersuites can be safely 
removed, also given their non-usage in real client-server connections:
C012  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
C007  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
C011  TLS_ECDHE_RSA_WITH_RC4_128_SHA
0016  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Removing the above ciphersuites also helps avoid some usage of 3DES (due to 
its low performance) and RC4 (due to its vulnerability).

DSS is obsolete and is not used for real client-server connections, hence the 
following ciphersuites can be removed:
0032  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0038  TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Camellia ciphersuites are little supported, a never-negotiated cipher, and not 
as well-tested & reviewed as the AES ciphersuites. The following ciphersuites 
can be removed:
0045  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0088  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
0041  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
0084  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

The last remaining 3DES ciphersuite should be removed for performance 
considerations and its legacy status:
000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA

The last remaining RC4 ciphersuites should be removed due to their vulnerability:
0005  TLS_RSA_WITH_RC4_128_SHA
0004  TLS_RSA_WITH_RC4_128_MD5

RC4 ciphersuites will likely soon be prohibited anyway if this proposal is 
accepted: https://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01

Overall, this means that the following ciphersuites should be removed from the 
TLS handshake:
C012  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
C007  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
C011  TLS_ECDHE_RSA_WITH_RC4_128_SHA
0032  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0045  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0038  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
0088  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
0016  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
0041  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
0084  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA
0005  TLS_RSA_WITH_RC4_128_SHA
0004  TLS_RSA_WITH_RC4_128_MD5

This would bring the ciphersuite list down to:
C02B  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C009  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C00A  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C014  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0033  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0039  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
002F  TLS_RSA_WITH_AES_128_CBC_SHA
0035  TLS_RSA_WITH_AES_256_CBC_SHA

The positives of removing the listed ciphersuites:
1) It makes the TLS handshake smaller, thus preventing some issues related to 
long handshakes.
2) It protects users from a misconfigured server ciphersuite preference order - 
and thus no vulnerable RC4 ciphersuites will be used.
3) It protects servers from a misconfigured server ciphersuite preference order - 
and thus no performance hit will be incurred due to the use of 3DES.
4) It prevents the use of the little-reviewed Camellia ciphersuites.
5) It prevents the use of the retired DSS.

The possible negatives of the removal:
1) Some client-server connections might fail.

Suggested mitigation of the negatives:
If the initial handshake fails, make it a silent failure and retry with a 
handshake that contains a larger set of ciphersuites. This could also be 
accompanied by a non-blocking failure indication similar to how mixed-content 
warnings are presented to the user - i.e. not showing the full padlock icon in 
the address bar.

Positives of this mitigation:
1) No client-server connections will fail (compared to the current state).

Negatives of mitigation:
1) Users are not as well protected against downgrade attacks as they could be - 
but this is probably the best we can do at the moment.

In particular, I have not heard of anything similar to the suggested mitigation 
of the negatives of decreasing the number of available ciphersuites, so this 
might perhaps be a new idea for how to move forward.

If you have any comments against the removal of a particular ciphersuite, please 
present a publicly accessible non-test webserver that only allows negotiation 
of the removed ciphersuites (and thus the client-server connection will fail).

I believe this proposal should be accepted, the ciphersuites removed, and the 
mitigation implemented in Firefox nightlies to gain more data on a larger 
userbase.

-- 
Marlene

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
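The following is an added example, not code from the post above or from Mozilla/NSS. It reproduces the pruning rules the post applies (drop RC4, 3DES, DSS and Camellia suites) as a filter over the Firefox 28 default list quoted in the post, encodes the resulting ClientHello cipher_suites vector to show the handshake-size effect, and simulates the suggested "retry with the larger set" mitigation against a few constructed server preference lists. The server configurations, the function names and the server-preference selection rule are assumptions made for illustration; real TLS servers choose the suite themselves, which the simulation models by letting the server take the first suite in its own preference order that the client offered.

```python
"""Added example (not from the post or Mozilla): prune the Firefox 28 ciphersuite
list the way the post proposes, encode the ClientHello cipher_suites vector, and
simulate the suggested fallback retry against constructed server configs."""
from typing import List, Optional, Tuple

Suite = Tuple[int, str]

# Firefox Aurora 28.0a2 defaults as listed in the post (IANA id, name), post order.
FIREFOX_28_DEFAULT: List[Suite] = [
    (0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
    (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0xC009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"),
    (0xC013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    (0xC00A, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"),
    (0xC014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
    (0xC012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"),
    (0xC007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"),
    (0xC011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA"),
    (0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"),
    (0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"),
    (0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"),
    (0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"),
    (0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"),
    (0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"),
    (0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"),
    (0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    (0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"),
    (0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA"),
    (0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"),
    (0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    (0x0005, "TLS_RSA_WITH_RC4_128_SHA"),
    (0x0004, "TLS_RSA_WITH_RC4_128_MD5"),
]


def removal_reason(name: str) -> Optional[str]:
    """The post's reason for dropping a suite, derived from its name; None = keep."""
    if "_RC4_" in name:
        return "RC4 (vulnerable; draft-popov-tls-prohibiting-rc4)"
    if "_3DES_" in name:
        return "3DES (legacy, low performance)"
    if "_DSS_" in name:
        return "DSS (obsolete)"
    if "_CAMELLIA_" in name:
        return "Camellia (rarely negotiated, less reviewed)"
    return None


def prune(suites: List[Suite]) -> Tuple[List[Suite], List[Suite]]:
    """Split a list into (kept, removed), preserving the client's preference order."""
    kept: List[Suite] = []
    removed: List[Suite] = []
    for suite in suites:
        (removed if removal_reason(suite[1]) else kept).append(suite)
    return kept, removed


def pfs_aes_available(suites: List[Suite]) -> bool:
    """Check the post's premise: an (EC)DHE suite using AES is still offered."""
    return any("DHE_" in n and "_AES_" in n for _, n in suites)


def encode_cipher_suites(suites: List[Suite]) -> bytes:
    """ClientHello cipher_suites vector: uint16 byte length, then 2-byte ids
    (RFC 5246 section 7.4.1.2).  Shorter list -> smaller ClientHello."""
    body = b"".join(sid.to_bytes(2, "big") for sid, _ in suites)
    return len(body).to_bytes(2, "big") + body


def server_select(client_offer: List[Suite], server_prefs: List[int]) -> Optional[int]:
    """Assumed server-preference selection (cf. ssl_prefer_server_ciphers): the
    first suite in the server's own order that the client offered, else None."""
    offered = {sid for sid, _ in client_offer}
    for sid in server_prefs:
        if sid in offered:
            return sid
    return None


def connect_with_fallback(server_prefs: List[int]) -> Tuple[Optional[int], bool]:
    """The post's mitigation: offer the pruned list; if the handshake fails, retry
    silently with the full list.  Returns (chosen suite id, fell_back).  A True
    fell_back is exactly the condition under which the UI should not show the
    full padlock, and it is also the window a downgrade attacker can exploit."""
    kept, _ = prune(FIREFOX_28_DEFAULT)
    chosen = server_select(kept, server_prefs)
    if chosen is not None:
        return chosen, False
    return server_select(FIREFOX_28_DEFAULT, server_prefs), True


if __name__ == "__main__":
    kept, removed = prune(FIREFOX_28_DEFAULT)
    print(f"kept {len(kept)}, removed {len(removed)}, PFS+AES kept: {pfs_aes_available(kept)}")
    print("cipher_suites bytes: full=%d pruned=%d" % (
        len(encode_cipher_suites(FIREFOX_28_DEFAULT)), len(encode_cipher_suites(kept))))
    # Constructed servers: one prefers RC4 but also has AES (misordered), one is RC4-only.
    print("misordered server, full offer  -> %04X" % server_select(FIREFOX_28_DEFAULT, [0x0005, 0xC013]))
    print("misordered server, pruned offer-> %04X" % server_select(kept, [0x0005, 0xC013]))
    print("RC4-only server with fallback  ->", connect_with_fallback([0x0005, 0x0004]))
```

Run as-is it prints the 10/13 split the post arrives at, the 48-byte versus 22-byte cipher_suites vector, and shows the two behaviours the post argues about: against a server that lists RC4 ahead of AES the pruned offer yields AES where the full offer yields RC4, and against an RC4-only server the mitigation reconnects on the second attempt with fell_back set, which is the case that should lose the padlock.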
