Hi Ralf,

trying to understand what functionality you are seeking. Should this be:

a) only a pinned "announcement" of the supported cipher suites on the server, or
b) "enforced" on the server?

In case of b), would this mean that the server fails any insecure cipher connection attempts?

Best regards,
Tobias

PS: btw., on a personal note: I found that the underlying paradigm we had in browser web servers of "weak encryption would be better than no encryption" from back in the day of weak algorithms due to export regulations in the US is part of or even the root of the problem. IMHO this allows the downgrading attacks. In my view we should on server side shift to a paradigm of "either strong encryption or no encryption at all".

On 07/12/13 14:31, Ralf Skyper Kaiser wrote:
> Hi,
>
> To let old browsers connect to a host most hosts will support
> weak or broken ciphers for the foreseeable future.
>
> A feature to pin the CIPHER SUITE would be desirable.
>
> It would allow a client to learn a set of 'strong' ciphers available
> on client and host side. Any downgrade attack to a weaker cipher
> would fail.
>
> This feature could be optional or mandatory to be configured on the host.
>
> Please discuss. Opinions welcome.
>
> regards,
>
> ralf
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
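A minimal model of option a) from the thread, a pin announced by the host and enforced by the client, added here as an example and not part of either message. The thread defines no format, so the pin store, its max-age, the host name and the handshake model are all assumptions.

```python
# Hypothetical client-side cipher-suite pin store. Class, function and
# parameter names are assumptions for illustration, not a specified protocol.
import time

WEAK = "TLS_RSA_WITH_RC4_128_MD5"  # kept by the host for old browsers
STRONG = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"]


def negotiate(client_offer, server_preference):
    """Server picks its most-preferred suite that the client offered."""
    for suite in server_preference:
        if suite in client_offer:
            return suite
    return None  # no common suite: the handshake fails


class CipherPinStore:
    """Remembers, per host, the set of strong suites the host announced."""

    def __init__(self):
        self._pins = {}  # host -> (frozenset of suites, expiry timestamp)

    def learn(self, host, suites, max_age, now=None):
        now = time.time() if now is None else now
        self._pins[host] = (frozenset(suites), now + max_age)

    def check(self, host, negotiated, now=None):
        """Return True if the connection may proceed."""
        now = time.time() if now is None else now
        pin = self._pins.get(host)
        if pin is None or now >= pin[1]:
            # No valid pin (first contact or expired): nothing to enforce.
            return negotiated is not None
        # Valid pin: a suite outside the pinned set is treated as a downgrade.
        return negotiated in pin[0]


def connect(store, host, client_offer, server_preference, now=None):
    """Run the handshake model, then apply the pin: (suite, accepted)."""
    suite = negotiate(client_offer, server_preference)
    return suite, store.check(host, suite, now)
```

In this model a client without a valid pin (an old browser, a first contact, or an expired pin) still completes a weak handshake, which is the gap that option b), refusing weak suites on the server, would close.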
