I noticed about a week ago that my application stopped working. Now I have
tested it and it appears that api.twitter.com is now blocking DHE cipher
suites such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA, whereas previously these
DHE cipher suites were working perfectly. The DHE cipher suites have a
distinct security advantage over the non-DHE cipher suites like
TLS_RSA_WITH_AES_128_CBC_SHA: in the event that Twitter's RSA private key is
compromised (via hacking, a warrant, a court order, or other means), all the
previous traffic encrypted with the non-DHE cipher suites can be decrypted,
but the previous traffic encrypted with DHE cipher suites cannot be
decrypted after the fact.

 

My questions:

 

1.      Is there any chance the DHE cipher suites can be re-enabled?

2.      Can you provide any guarantees about which cipher suites will always
be available?

 

openssl s_client -host api.twitter.com -port 443 -tls1 -cipher DHE-RSA-
AES128-SHA

openssl s_client -host api.twitter.com -port 443 -tls1 -cipher DHE-RSA-
AES256-SHA

openssl s_client -host api.twitter.com -port 443 -tls1 -cipher AES128-SHA

openssl s_client -host api.twitter.com -port 443 -tls1 -cipher AES256-SHA

 

Thanks,

Brian

Reply via email to