Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Peter Gutmann
Kurt Roeckx writes:

> After the SLOTH paper, we should think about starting to deprecate TLS 1.0
> and TLS 1.1 and the SHA1 based signature algorithms in TLS 1.2.

The vulnerabilities shown in the SLOTH paper were based on the fact that implementations still allow MD5 for

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread David Benjamin
In terms of getting rid of TLS 1.0 and TLS 1.1 altogether, we're seeing around 3% of connections using TLS 1.0 or TLS 1.1. That's quite high, and it's likely that enterprise deployments are much worse. I started gathering numbers on ServerKeyExchange hashes back in November. The code isn't on

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Viktor Dukhovni
On Mon, Jan 11, 2016 at 11:38:25PM +, Andrei Popov wrote:

> Yes, per RFC 5246:
> " If the client provided a "signature_algorithms" extension, then all
> certificates provided by the server MUST be signed by a
> hash/signature algorithm pair that appears in that extension."

Yes.

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Andrei Popov
Yes, per RFC 5246: " If the client provided a "signature_algorithms" extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension." Cheers, Andrei -Original Message- From: TLS
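
The rule Andrei quotes can be checked mechanically on the client side. The following is an added example, not code from the thread or from any TLS library: it parses a client's signature_algorithms extension using the RFC 5246 section 7.4.1.4.1 code points and checks every certificate the server sent, represented here only by its X.509 signatureAlgorithm OID, against the offered hash/signature pairs. The extension bytes, the two-certificate chain and all function names are constructed for the example; a client that offers neither md5 nor sha1 pairs rejects a chain whose intermediate is still signed sha1WithRSAEncryption.

```python
"""Added example (not from the TLS list thread): enforce the RFC 5246 rule that
every certificate the server sends is signed with a hash/signature pair the
client listed in its signature_algorithms extension.  Certificates are
represented only by their signatureAlgorithm OID strings, which is all this
check needs; the chain and extension bytes below are constructed sample data."""
from typing import List, Tuple

# RFC 5246 section 7.4.1.4.1 code points
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# X.509 signatureAlgorithm OIDs and the (HashAlgorithm, SignatureAlgorithm) pair each implies
OID_TO_PAIR = {
    "1.2.840.113549.1.1.4": (1, 1),   # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": (2, 1),   # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": (4, 1),  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": (5, 1),  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": (6, 1),  # sha512WithRSAEncryption
    "1.2.840.10040.4.3": (2, 2),      # dsa-with-sha1
    "1.2.840.10045.4.1": (2, 3),      # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": (4, 3),    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": (5, 3),    # ecdsa-with-SHA384
}


def parse_signature_algorithms(ext_body: bytes) -> List[Tuple[int, int]]:
    """Parse the extension_data of signature_algorithms (extension type 13):
    supported_signature_algorithms<2..2^16-2>, i.e. a two-byte length followed
    by (HashAlgorithm, SignatureAlgorithm) byte pairs."""
    if len(ext_body) < 2:
        raise ValueError("extension_data too short")
    length = int.from_bytes(ext_body[:2], "big")
    if length < 2 or length % 2 or len(ext_body) != 2 + length:
        raise ValueError("malformed supported_signature_algorithms vector")
    body = ext_body[2:]
    return [(body[i], body[i + 1]) for i in range(0, length, 2)]


def encode_signature_algorithms(pairs: List[Tuple[int, int]]) -> bytes:
    """Inverse of parse_signature_algorithms: build the extension_data bytes."""
    body = bytes(b for pair in pairs for b in pair)
    return len(body).to_bytes(2, "big") + body


def pair_name(pair: Tuple[int, int]) -> str:
    return "%s+%s" % (HASH_NAMES.get(pair[0], pair[0]), SIG_NAMES.get(pair[1], pair[1]))


def check_chain_signatures(offered, chain_sig_oids):
    """Apply the RFC 5246 rule to the chain the server sent.  Returns a list of
    (index, oid, reason) for every certificate whose signature algorithm is not
    among the offered pairs; an empty list means the chain complies."""
    offered_set = set(offered)
    violations = []
    for idx, oid in enumerate(chain_sig_oids):
        pair = OID_TO_PAIR.get(oid)
        if pair is None:
            violations.append((idx, oid, "unrecognised signature algorithm OID"))
        elif pair not in offered_set:
            violations.append((idx, oid, "%s not offered by client" % pair_name(pair)))
    return violations


# Constructed sample: a client offering sha256+rsa, sha256+ecdsa and sha384+rsa only
CLIENT_EXTENSION = bytes.fromhex("0006" "0401" "0403" "0501")
# Constructed sample chain: leaf signed sha256WithRSA, intermediate still sha1WithRSA
SAMPLE_CHAIN = ["1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"]

if __name__ == "__main__":
    offered = parse_signature_algorithms(CLIENT_EXTENSION)
    print("client offers:", ", ".join(pair_name(p) for p in offered))
    for idx, oid, reason in check_chain_signatures(offered, SAMPLE_CHAIN):
        print("certificate[%d] %s: %s" % (idx, oid, reason))
```

The function applies the rule exactly as the quoted RFC text states it, to every certificate the server sends. Deployed verifiers commonly exempt a self-signed trust anchor, whose self-signature is never actually verified; if that relaxation is wanted it belongs in the caller, not in the parser.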

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Watson Ladd
On Mon, Jan 11, 2016 at 3:09 PM, Peter Gutmann wrote:

> Kurt Roeckx writes:
>
>> After the SLOTH paper, we should think about starting to deprecate TLS 1.0
>> and TLS 1.1 and the SHA1 based signature algorithms in TLS 1.2.
>
> The vulnerabilities shown in

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Martin Thomson
On 12 January 2016 at 05:30, Kurt Roeckx wrote:

> After the SLOTH paper, we should think about starting to deprecate
> TLS 1.0 and TLS 1.1 and the SHA1 based signature algorithms in TLS
> 1.2.

Let's be clear about this: TLS 1.0 represents far too high a proportion of our usage

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Peter Gutmann
David Benjamin writes:

> In terms of getting rid of TLS 1.0 and TLS 1.1 altogether, we're seeing
> around 3% of connections using TLS 1.0 or TLS 1.1. That's quite high, and it's
> likely that enterprise deployments are much worse.

Embedded is even worse. I don't have any

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Andrei Popov
Yes, our telemetry shows the same. The use of TLS 1.2 increases and the use of TLS 1.0 goes down, but it will likely be a while before we can disable TLS 1.0 by default in Windows. Cheers, Andrei -Original Message- From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Martin Thomson

Re: [TLS] MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms)

2016-01-11 Thread Viktor Dukhovni
On Mon, Jan 11, 2016 at 10:42:45PM -0500, Dave Garrett wrote:

> No sane person disputes that MD5 needs to be eradicated ASAP. We're keeping
> MD5||SHA1 in old TLS for compatibility and we are well aware that needs
> to go eventually too. Thus, I suggest we publish an MD5 diediedie standards
>

Re: [TLS] MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms)

2016-01-11 Thread Tony Arcieri
On Mon, Jan 11, 2016 at 9:32 PM, Viktor Dukhovni wrote:

> > No MD5 function should remain in the relevant codebase;
>
> In particular the IETF does not get to tell anyone which functions
> they get to include in their codebase. So no IETF document saying
> such a thing

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Peter Gutmann
Watson Ladd writes:

> Do the RFCs require the relevant checks or not?

No, they just specify the algorithms and bits on the wire (with a side-order of MTI stuff for interoperability). It's up to implementers to not do stupid things.

> That's because real cryptographers

Re: [TLS] MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms)

2016-01-11 Thread Loganaden Velvindron
On Tue, Jan 12, 2016 at 3:42 AM, Dave Garrett wrote:

> On Monday, January 11, 2016 06:13:37 pm Tony Arcieri wrote:
>> My understanding is TLS 1.2 specifically was amended to allow MD5
>> signatures even though this was not the case in previous TLS versions, or
>> at least

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Peter Gutmann
Watson Ladd writes:

> SHA-1 collisions have not yet been found. Marc Stevens has published
> algorithms he claims reduce the complexity of finding these collisions to
> feasible amounts, but they have not yet been run. However, free-start
> collisions have been found, as have

Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Samuel Neves
On 12/01/2016 02:03, Watson Ladd wrote:

> However, free-start collisions have been found, as have ways to modify
> constants in the SHA-1 IV to get collisions.

To be clear, the research into maliciously altering SHA-1 to make collisions easier changed the K_i constants added during the rounds,

Re: [TLS] MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms)

2016-01-11 Thread Dave Garrett
On Tuesday, January 12, 2016 12:32:08 am Viktor Dukhovni wrote:

> > Also, when I say "prohibited" here, I mean _completely_.
>
> There is no Internet police, and the IETF does not get to prohibit
> the use of MD5, we only get to write protocol standards.

Of course, but the IETF can state that

[TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

2016-01-11 Thread Kurt Roeckx
Hi, After the SLOTH paper, we should think about starting to deprecate TLS 1.0 and TLS 1.1 and the SHA1 based signature algorithms in TLS 1.2. As I understand it, they estimate that both TLS 1.2 with SHA1 and TLS 1.0 and 1.1 with MD5|SHA1 currently require about 2^77 to be broken. They all
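
The two constructions Kurt contrasts, TLS 1.0/1.1 signing MD5||SHA1 of the handshake parameters and TLS 1.2 signing a single negotiated hash, shown as an added example that is not code from the thread or from any TLS library. It follows RFC 4346 and RFC 5246 section 7.4.3 for a DHE ServerKeyExchange with an RSA key, and the TLS 1.2 function refuses a hash the client did not list in signature_algorithms, the check that lets a server-chosen algorithm such as MD5 be turned away before any signature is verified. The randoms, the toy DH values, the offered-hash set and all function names are constructed for the example.

```python
"""Added example (not from the TLS list thread): the signed input of a DHE
ServerKeyExchange in TLS 1.0/1.1 (RFC 4346, section 7.4.3) versus TLS 1.2
(RFC 5246, section 7.4.3).  Every value used below is constructed sample data."""
import hashlib
import struct

# RFC 5246 HashAlgorithm code points carried in SignatureAndHashAlgorithm
HASH_ALGORITHM = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}


def opaque16(data):
    """Encode a TLS opaque<1..2^16-1> vector: two-byte big-endian length, then the bytes."""
    if not 1 <= len(data) <= 0xFFFF:
        raise ValueError("vector length out of range")
    return struct.pack("!H", len(data)) + data


def encode_server_dh_params(p, g, ys):
    """ServerDHParams { opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>; }"""
    return b"".join(
        opaque16(x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")) for x in (p, g, ys)
    )


def signed_input(client_random, server_random, params):
    """The bytes hashed in every version: ClientHello.random || ServerHello.random || ServerDHParams."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS randoms are 32 bytes")
    return client_random + server_random + params


def tls10_rsa_signed_hash(client_random, server_random, params):
    """TLS 1.0/1.1 with an RSA key: the value handed to the signature is
    MD5(input) || SHA1(input), 36 bytes, with no DigestInfo and no choice of
    hash; both hashes are fixed by the protocol version."""
    data = signed_input(client_random, server_random, params)
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def tls12_signed_hash(client_random, server_random, params, hash_alg, offered_hashes):
    """TLS 1.2: one hash, named by the HashAlgorithm byte the server places in
    the SignatureAndHashAlgorithm field.  Because the server chooses, the client
    must refuse any algorithm it did not offer in signature_algorithms."""
    if hash_alg not in offered_hashes:
        raise ValueError("server chose HashAlgorithm %d, which the client did not offer" % hash_alg)
    name = HASH_ALGORITHM.get(hash_alg)
    if name is None:
        raise ValueError("unknown HashAlgorithm %d" % hash_alg)
    return hashlib.new(name, signed_input(client_random, server_random, params)).digest()


# Constructed sample data: toy DH values (a real group is 2048 bits or more) and fixed randoms
SAMPLE_PARAMS = encode_server_dh_params(p=23, g=5, ys=8)
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    old = tls10_rsa_signed_hash(CLIENT_RANDOM, SERVER_RANDOM, SAMPLE_PARAMS)
    print("TLS 1.0/1.1 signed value (%d bytes): %s" % (len(old), old.hex()))
    new = tls12_signed_hash(CLIENT_RANDOM, SERVER_RANDOM, SAMPLE_PARAMS, 4, offered_hashes={4, 5, 6})
    print("TLS 1.2 sha256 signed value (%d bytes): %s" % (len(new), new.hex()))
    try:
        tls12_signed_hash(CLIENT_RANDOM, SERVER_RANDOM, SAMPLE_PARAMS, 1, offered_hashes={4, 5, 6})
    except ValueError as exc:
        print("rejected:", exc)
```

The SHA-1 half of the TLS 1.0/1.1 value is byte-for-byte the TLS 1.2 digest a server would produce by choosing HashAlgorithm sha1 over the same input; what changes between the versions is not the hashed data but who picks the hash and whether the client gets to veto that choice.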