Talk:Security/Server Side TLS

From MozillaWiki
Revision as of 15:21, 15 December 2013 by Ulfr (talk | contribs)
Jump to navigation Jump to search

Page protection

This wiki page is protected against changes. Changes must be discussed in this section beforehand. If you have any comments, please leave them here, with your nickname and date.

RC4

Full discussion: https://bugzilla.mozilla.org/show_bug.cgi?id=927045

RC4-based ciphers ought to be completely removed from the list, better attacks are coming like this one: https://www.usenix.org/conference/usenixsecurity13/security-rc4-tls'

by Kroeckx on 15 December 2013‎

The reason to keep RC4 or 3DES is to support windows XP. Maybe 3DES should be kept instead since it it's still considered secure but slow.

by ulfr on 15 December 2013

See the discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=927045. Cryptographic strength is one of many parameters that we have to consider when hosting large scale websites. Speed and resources consumption is another one. While 3DES could, theoretically, replace RC4, the difference in cost makes it tricky to do in practice. We are looking at ways to measure our CPU usage to see if it is feasible at all.

That being said, sites that don't want to support WinXP users can feel free to disable RC4, or swap it with 3DES.

Prioritzation logic and ciphersuite recommendation

The Prioritization logic says to prioritize 128 bit AES over 256 bit, but recommended ciphersuite has DHE-RSA-AES256* prioritized over DHE-RSA-AES128*. Breaking rule #3. Lots of non-forward-secret ciphers are prioritized over DHE-RSA-AES128*, breaking rule #2.

I think the recommended ciphersuite should be fixed to reflect the rules in the priorization logic. Maybe change the recommended cipher suite to the following?


ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

or for people lacking trust in ECC/NIST curves:

DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

answer from ulfr, 20131202

That's a good catch! Thanks for reporting it. I had missed a couple of aes256 above aes128 in the density of the ciphersuite. I updated the page, see the diff at https://wiki.mozilla.org/index.php?title=Security%2FServer_Side_TLS&diff=779260&oldid=768649

However, I am confused by your comment that "Lots of non-forward-secret ciphers are prioritized over DHE-RSA-AES128*, breaking rule #2.". Even before the latest change, only PFS ciphers where listed above DHE-RSA-AES128. Did you mean something different?

Reply to ulfr, 20131209 -- janfrode

> However, I am confused by your comment that "Lots of non-forward-secret ciphers are prioritized over DHE-RSA-AES128*, breaking rule #2.". Even before the latest change, only PFS ciphers where listed above DHE-RSA-AES128. Did you mean something different?

Not sure what I did previously. I now see DHE-RSA-AES128* before all non-PFS ciphers. On RHEL6.5/apache-2.2.15 With the currently suggested cipher suites, I got the following order: 


prio  ciphersuite                protocols                    pfs_keysize
1     DHE-RSA-AES128-GCM-SHA256  SSLv3,TLSv1,TLSv1.1,TLSv1.2
2     DHE-RSA-AES256-GCM-SHA384  SSLv3,TLSv1,TLSv1.1,TLSv1.2
3     DHE-RSA-AES128-SHA256      SSLv3,TLSv1,TLSv1.1,TLSv1.2
4     DHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2
5     DHE-RSA-AES256-SHA256      SSLv3,TLSv1,TLSv1.1,TLSv1.2
6     DHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2
7     AES128-GCM-SHA256          SSLv3,TLSv1,TLSv1.1,TLSv1.2
8     AES256-GCM-SHA384          SSLv3,TLSv1,TLSv1.1,TLSv1.2
9     AES128-SHA256              SSLv3,TLSv1,TLSv1.1,TLSv1.2
10    AES128-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
11    AES256-SHA256              SSLv3,TLSv1,TLSv1.1,TLSv1.2
12    AES256-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
13    RC4-SHA                    SSLv3,TLSv1,TLSv1.1,TLSv1.2
14    DHE-RSA-CAMELLIA256-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2
15    CAMELLIA256-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2
16    DHE-RSA-CAMELLIA128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2
17    CAMELLIA128-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2

This still prefers 256 bit DHE-RSA-AES256-GCM-SHA384 over various 128 bit ciphers. And the DHE-RSA-CAMELLIA* suites should probably be moved above the non-PFS.

And did you really mean to introduce the DHE-DSS-suites in the new list? The qualys ssl servertest says these can't be used for PFS because they're effectivly limited to 1024 bit DSS key.

Retrieved from "https://wiki.allizom.org/index.php?title=Talk:Security/Server_Side_TLS&oldid=791584"