The above mentioned command shows that export grade ciphers are supported. That doesn't mean they are considered during cipher negotiation or even advertised by the client. But those ciphers are part of certain cipher strings, like ALL, DES, SHA etc. A user/developer not explicitly diabbling export grade ciphers using !EXP in the cipher string argument may advertise those ciphers unintentionally, exposing an app to (yet) future attacks trying to mitigate negotiated cipher strength, like FREAK and Logjam attacks did.
The crux is, end-users have no easy way to monitor cipher negotiation and file bugs against a particular app. Even if one sets-up his own test server to check a particular app, that effort seems wasted, since many apps can benefit from disabling unsafe ciphers in one central piece code - the SSL library. As for the planned 16.04 transition, which updates OpenSSL to a version with export grade ciphers already disabled, I've heard rumours that no decision has been made up until today whether all current devices will take part in the transition to 16.04. If a new attack is made public after support ended for a particular device that is still on 15.04, users cannot use that device for trusted communication anymore. Yes, disabling export grade ciphers is an investment into the future anticipating new attacks. But that future may be tomorrow. I suggest acting now, disabling export grade ciphers for the next OTA and be on the safe(er) side. At least, reasoning of OpenSSL developers seems to be along these lines (see link given in original bug report). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1590163 Title: disable export grade ciphers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1590163/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
