[Ach] New study on Forward Secrecy

Aaron Zauner azet at azet.org
Wed Dec 31 18:06:16 CET 2014

* christian mock <cm at coretec.at> [31/12/2014 01:25:07] wrote:
> On Tue, Dec 30, 2014 at 06:25:44PM +0100, Aaron Zauner wrote:
> > We should - maybe - think about removing DHE (or, at the very least, not
> > prefer it over ECDHE handshakes anymore) from our current
> I'm against dropping DHE, as the problem is not a flaw in DHE as such,
> but in implementations. That the problem is so wide-spread is again
> attributable to openssl.

Doesn't really matter for us, does it? We are to provide strong
security recommendations. I know that OpenSSL can be an issue and
thanks for the bug report, but I think we should prefer ECDHE for

> Prefering ECDHE would be OK, with the usual caveat about trusting NIST
> curves. 

AFAIK it has been established that the implementation in OpenSSL is
solid (I, personally, cannot comment on that - as this is a part of
OpenSSL code I've never looked into. Maybe should though :/).

> Another issue is that I'd like to have real-world data on client
> library compatibility with bigger DHE key sizes.

Clients usually support ECDHE just fine, so switching over to ECDHE
should work for us. This is again one of the reasons why we should
prefer ECDHE over DHE. My personal opinion. But it seems large CDNs
are doing the same thing, as does the Mozilla TLS server security

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20141231/6dfb70e1/attachment.sig>

More information about the Ach mailing list