We're talking about this internally. I'm cautiously optimistic.

/B

On Mon, May 24, 2010 at 12:43 AM, Brian Smith <br...@briansmith.org> wrote:

> I noticed about a week ago that my application stopped working. Now I have
> tested it and it appears that api.twitter.com is now blocking DHE cipher
> suites such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA, whereas previously these
> DHE cipher suites were working perfectly. The DHE cipher suites have a
> distinct security advantage over the non-DHE cipher suites like
> TLS_RSA_WITH_AES_128_CBC_SHA: in the event that Twitter’s RSA private key is
> compromised (via hacking, a warrant, a court order, or other means), all the
> previous traffic encrypted with the non-DHE cipher suites can be decrypted,
> but the previous traffic encrypted with DHE cipher suites cannot be
> decrypted after the fact.
>
> My questions:
>
> 1. Is there any chance the DHE cipher suites can be re-enabled?
> 2. Can you provide any guarantees about which cipher suites will
> always be available?
>
> openssl s_client -host api.twitter.com -port 443 -tls1 -cipher DHE-RSA-AES128-SHA
>
> openssl s_client -host api.twitter.com -port 443 -tls1 -cipher DHE-RSA-AES256-SHA
>
> openssl s_client -host api.twitter.com -port 443 -tls1 -cipher AES128-SHA
>
> openssl s_client -host api.twitter.com -port 443 -tls1 -cipher AES256-SHA
>
> Thanks,
>
> Brian
>
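
The four s_client checks quoted above can be turned into a repeatable report of which suites a server accepts and whether each one gives forward secrecy. This is an added example, not part of the thread or written by either participant; the function names are its own and the two sample s_client outputs are constructed so it runs without a network.

```shell
# Added example; function names are this example's own.
# Protocol flag for s_client; the commands in the thread use -tls1.
PROTO_FLAG="${PROTO_FLAG:--tls1}"

# True when the OpenSSL suite name uses an ephemeral (EC)DH key exchange.
is_forward_secret() {
    case "$1" in
        DHE-*|ECDHE-*|EDH-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read s_client output on stdin and print the negotiated suite.
# A refused handshake is reported by s_client as "Cipher is (NONE)".
negotiated_cipher() {
    sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1
}

# classify REQUESTED < s_client-output
# Prints: "<suite> <accepted|refused|negotiated:X> <forward-secrecy property>"
classify() {
    got=$(negotiated_cipher)
    if [ -z "$got" ] || [ "$got" = "(NONE)" ]; then
        status=refused
    elif [ "$got" = "$1" ]; then
        status=accepted
    else
        status="negotiated:$got"
    fi
    if is_forward_secret "$1"; then fs=forward-secret; else fs=no-forward-secret; fi
    printf '%s %s %s\n' "$1" "$status" "$fs"
}

# Live probe (needs network): one handshake offering only the given suite.
probe() {
    openssl s_client -host "$1" -port 443 "$PROTO_FLAG" -cipher "$2" \
        </dev/null 2>/dev/null | classify "$2"
}

# Constructed sample outputs (not captured from any real server).
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES128-SHA'
SAMPLE_REFUSED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)'

printf '%s\n' "$SAMPLE_REFUSED" | classify DHE-RSA-AES128-SHA
printf '%s\n' "$SAMPLE_OK" | classify AES128-SHA
```

Against a live server, call `probe <host> <suite>` once per suite; a server that accepts only the `no-forward-secret` rows is in the situation the message describes.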
