[Ach] Proposal to Remove legacy TLS Ciphersuites Offered by Firefox
ianG
iang at iang.org
Fri Jan 3 18:58:19 CET 2014

On 3/01/14 19:24 PM, Julien Vehent wrote:
> On 2014-01-02 18:59, ianG wrote:
>> On 3/01/14 01:06 AM, Julien Vehent wrote:
>>
>>
>>> 3DES isn't broken.
>>
>>
>> No, but it is end of life. 112-bit security for the 2-key variant, and
>> an 8-byte block makes it just old. If you've got AES there, use it.
>> Who hasn't got it?
>
> See https://wiki.mozilla.org/Security/Server_Side_TLS#RC4_weaknesses
> "Internet Explorer uses the cryptographic library “schannel”, which is
> OS dependent. schannel supports AES in Windows Vista, but not in Windows
> XP."

Right, Windows XP. Which is end of life.

>> Hmmm.. Are the Chinese blocked from stronger crypto?
>
> According to http://www.modern.ie/ie6countdown:
> * 22.2% of China uses IE6
> * 4.9% of users worldwide use IE6

Thanks for that! More end of life. And DJB says it's worse, we've
retrograded to about 50% RC4 usage.

> I believe that our job, as security professionals, is to provide the
> best security to everyone.

That is mozilla's mission. It provides its products to everyone. Which
naturally means it cannot and does not provide the 'best security' to
every person, rather it provides the best 'security for everyone'.
Different story -- one moves security up, at the expense of users, the
other keeps users happy, but puts security on a race to the bottom.

> Not only to the people that have a better
> access to technology.
> This is consistent with Mozilla's mission.

Absolutely! I'm well familiar with how the monolith of Mozilla's mission
casts a shadow over security.

BetterCrypto however is seeking ... *better crypto*. And that is a
different goal. Different users, different tradeoffs.

Where the two groups part company is on bad crypto. If IE6 and XP users
have bad crypto, then BetterCrypto is not for them.

> So we won't disable old
> crypto algorithms because the security community admits that they are
> bad. We have to live with them.

Sure. And to some extent I don't disagree -- K6 speaks to ease of use
and availability; it is the number one, dominating law for security.

But the enemy of cryptography is time; what was secure then is not now.
It doesn't take much to deal with it, but unfortunately the powers
that be SSL have fiddled around adding more and not chopping away.
Always because someone wants to keep it around.

This is a rock and a hard place. The rock of upgrading has met the hard
place of legacy users.

Where this goes from here is tension: BetterCrypto and groups like it
will continue to deprecate those ciphers. Users will start to suffer.
Users will complain. Mozilla and browsers and so forth will cop the
brunt of the suffering. Very unfair.

But meanwhile the fix is in. And if there is one thing we do know, the
juggernaut of SSL/IETF/PKIX/CABForum/OpenSSL/NSS/NIST/Sun/ and a dozen
other acronyms I've forgotten ... are not going to push on this front.
They are going to do what they always do: act as if every old cipher is
like a limb, squealing and moaning at the thought that it is going to be
cut off, all the while salivating at the chance to add another cipher
suite, more, moar!

:) prove me wrong! See how long it takes to get any of those groups of
power to announce an end of life for RC4. Or 3DES. Bloody Android is
still using MD5, last I heard...

BetterCrypto *has to lead* because everyone else is following each other
in a big circle.

iang