The above mentioned command shows that export grade ciphers are supported. That doesn't mean they are considered during cipher negotiation or even advertised by the client. But those ciphers are part of certain cipher strings, like ALL, DES, SHA etc. A user/developer not explicitly diabbling export grade ciphers using !EXP in the cipher string argument may advertise those ciphers unintentionally, exposing an app to (yet) future attacks trying to mitigate negotiated cipher strength, like FREAK and Logjam attacks did.
The crux is, end-users have no easy way to monitor cipher negotiation and file bugs against a particular app. Even if one sets-up his own test server to check a particular app, that effort seems wasted, since many apps can benefit from disabling unsafe ciphers in one central piece code - the SSL library. As for the planned 16.04 transition, which updates OpenSSL to a version with export grade ciphers already disabled, I've heard rumours that no decision has been made up until today whether all current devices will take part in the transition to 16.04. If a new attack is made public after support ended for a particular device that is still on 15.04, users cannot use that device for trusted communication anymore. Yes, disabling export grade ciphers is an investment into the future anticipating new attacks. But that future may be tomorrow. I suggest acting now, disabling export grade ciphers for the next OTA and be on the safe(er) side. At least, reasoning of OpenSSL developers seems to be along these lines (see link given in original bug report). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1590163 Title: disable export grade ciphers Status in openssl package in Ubuntu: New Bug description: # System device: Aquaris BQ E4.5 OS: Ubuntu 15.04, OTA-11 OpenSSL version: $dpkg --list |grep libssl ii libssl1.0.0:armhf 1.0.1f-1ubuntu11.6 armhf Secure Sockets Layer toolkit - shared libraries # Observed behaviour OpenSSL provides export grade ciphers: $openssl ciphers -v EXP EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export # Expected behaviour No export grade ciphers are provided in binaries. # Rationale Export grade ciphers are insecure. By design. In response to FREAK and Logjam attacks, OpenSSL developers disabled export grade ciphers in OpenSSL v1.0.1m (March 2015), cf. <URL:https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/>. To bypass similar future attacks, deactivation of export grade ciphers should be backported to 15.04. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1590163/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
