Kurt Roeckx writes:
>After the SLOTH paper, we should think about starting to deprecate TLS 1.0
>and TLS 1.1 and the SHA1 based signature algorithms in TLS 1.2.
The vulnerabilities shown in the SLOTH paper were based on the fact that
implementations still allow MD5 for
In terms of getting rid of TLS 1.0 and TLS 1.1 altogether, we're seeing
around 3% of connections using TLS 1.0 or TLS 1.1. That's quite high, and
it's likely that enterprise deployments are much worse.
I started gathering numbers on ServerKeyExchange hashes back in November.
The code isn't on
On Mon, Jan 11, 2016 at 11:38:25PM +, Andrei Popov wrote:
> Yes, per RFC 5246:
> " If the client provided a "signature_algorithms" extension, then all
>certificates provided by the server MUST be signed by a
>hash/signature algorithm pair that appears in that extension."
Yes.
Yes, per RFC 5246:
" If the client provided a "signature_algorithms" extension, then all
certificates provided by the server MUST be signed by a
hash/signature algorithm pair that appears in that extension."
Cheers,
Andrei
On Mon, Jan 11, 2016 at 3:09 PM, Peter Gutmann
wrote:
> Kurt Roeckx writes:
>
>>After the SLOTH paper, we should think about starting to deprecate TLS 1.0
>>and TLS 1.1 and the SHA1 based signature algorithms in TLS 1.2.
>
> The vulnerabilities shown in
On 12 January 2016 at 05:30, Kurt Roeckx wrote:
> After the SLOTH paper, we should think about starting to deprecate
> TLS 1.0 and TLS 1.1 and the SHA1 based signature algorithms in TLS
> 1.2.
Let's be clear about this: TLS 1.0 represents far too high a
proportion of our usage
David Benjamin writes:
>In terms of getting rid of TLS 1.0 and TLS 1.1 altogether, we're seeing
>around 3% of connections using TLS 1.0 or TLS 1.1. That's quite high, and it's
>likely that enterprise deployments are much worse.
Embedded is even worse. I don't have any
Yes, our telemetry shows the same. The use of TLS 1.2 increases and the use of
TLS 1.0 goes down, but it will likely be a while before we can disable TLS 1.0
by default in Windows.
Cheers,
Andrei
-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Martin Thomson
On Mon, Jan 11, 2016 at 10:42:45PM -0500, Dave Garrett wrote:
> No sane person disputes that MD5 needs to be eradicated ASAP. We're keeping
> MD5||SHA1 in old TLS for compatibility and we are well aware that needs
> to go eventually too. Thus, I suggest we publish an MD5 diediedie standards
>
On Mon, Jan 11, 2016 at 9:32 PM, Viktor Dukhovni
wrote:
> > No MD5 function should remain in the relevant codebase;
>
> In particular the IETF does not get to tell anyone which functions
> they get to include in their codebase. So no IETF document saying
> such a thing
Watson Ladd writes:
>Do the RFCs require the relevant checks or not?
No, they just specify the algorithms and bits on the wire (with a side-order
of MTI stuff for interoperability). It's up to implementers to not do stupid
things.
>That's because real cryptographers
On Tue, Jan 12, 2016 at 3:42 AM, Dave Garrett wrote:
> On Monday, January 11, 2016 06:13:37 pm Tony Arcieri wrote:
>> My understanding is TLS 1.2 specifically was amended to allow MD5
>> signatures even though this was not the case in previous TLS versions, or
>> at least
Watson Ladd writes:
>SHA-1 collisions have not yet been found. Marc Stevens has published
>algorithms he claims reduce the complexity of finding these collisions to
>feasible amounts, but they have not yet been run. However, free-start
>collisions have been found, as have
On 12/01/2016 02:03, Watson Ladd wrote:
> However, free-start collisions have been found, as have ways to modify
> constants in the SHA-1 IV to get collisions.
To be clear, the research into maliciously altering SHA-1 to make collisions
easier changed the K_i constants added
during the rounds,
On Tuesday, January 12, 2016 12:32:08 am Viktor Dukhovni wrote:
> > Also, when I say "prohibited" here, I mean _completely_.
>
> There is no Internet police, and the IETF does not get to prohibit
> the use of MD5, we only get to write protocol standards.
Of course, but the IETF can state that
Hi,
After the SLOTH paper, we should think about starting to deprecate
TLS 1.0 and TLS 1.1 and the SHA1 based signature algorithms in TLS
1.2.
As I understand it, they estimate that both TLS 1.2 with SHA1 and
TLS 1.0 and 1.1 with MD5|SHA1 currently require about 2^77 to be
broken. They all